Multiple Vulnerabilities in Belkin Router Could Allow DNS Spoofing and Credentials Theft

Five zero-day vulnerabilities in Belkin N600 DB Wireless Dual Band N+ routers could have allowed attackers to grab credentials in clear text and spoof DNS requests, according to security researcher Joel Land.

The affected mode is F9K1102 v2 with firmware version 2.10.17, possibly earlier versions and models susceptible to the five found vulnerabilities as well.

By successfully exploiting the firmware vulnerabilities in the SOHO router, Joel believes attackers could have either pointed home users to crafted websites that might have delivered malware or towards phishing websites designed to collect sensitive or private user data.

“DNS queries originating from the Belkin N600, such as those to resolve the names of firmware update and NTP servers, use predictable TXIDs that start at 0x0002 and increase incrementally,” reads the CERT/CC advisory. “An attacker with the ability to spoof DNS responses can cause the router to contact incorrect or malicious hosts under the attacker’s control.”

Although no attacks have been reported in the wild, no fixes or updates address the found vulnerabilities. However, some workarounds have been proposed, involving only allowing trusted hosts to connect to the LAN, using strong authentication passwords for the web management interface, and avoidance of browsing with an active session to the web management interface.

The only vulnerability that currently has no workaround centers on the DNS spoofing or firmware tampering over HTTP, as users are unlikely to monitor traffic entering their router.

The vulnerabilities have been dubbed CVE-2015-5987, CVE-2015-5988, CVE-2015-5989, CVE-2015-5990, and CWE-319.