Forescout Technologies, Inc. and Finite State, a leading provider of software supply chain security, released a new report, Rough Around the Edges, that analyzes the state of the software supply chain in OT/IoT routers. The research found that OT and IoT cellular routers, and others used in small offices and homes, ship with outdated software components that carry known (n-day) vulnerabilities.
The report found that popular OT/IoT router firmware images had an average of 20 exploitable n-day vulnerabilities affecting the kernel, with widening security gaps.
“With the convergence of IoT and OT, threats targeting connected devices are increasing exponentially due to cybercriminal botnets, nation-state APTs and hacktivists,” said Daniel dos Santos, Head of Research at Forescout Research – Vedere Labs. “Our recent Sierra:21 research found tens of thousands of devices with outdated firmware that are exposed online, easily accessible to hackers.”
Forescout Research and Finite State analyzed five firmware images from popular OT/IoT router vendors (Acksys, Digi, MDEX, Teltonika and Unitronics) and found the following:
- OpenWrt is everywhere. Four of the five firmware images analyzed run operating systems derived from OpenWrt, an open-source Linux-based OS for embedded devices. But those four images use heavily modified versions of the base system, either mixing and matching individual component versions on top of a base release or developing their own in-house components.
- Software components are often outdated. The analysis identified an average of 662 components and 2,154 findings (known vulnerabilities, weak security posture and potential new vulnerabilities) per firmware image. Looking at 25 common components, the average open-source component was five years and six months old and four years and four months behind its latest release. Even the most recent firmware images do not use the latest releases of open-source components, including critical ones such as the kernel and OpenSSL.
- Known vulnerabilities abound. On average, firmware images had 161 known vulnerabilities in their most common components: 68 with a low or medium CVSS score, 69 with a high score and 24 with a critical score. In addition, the images had an average of 20 exploitable n-days affecting the kernel.
- Security features are lacking. On average, 41 percent of binaries across the firmware images use RELRO, 31 percent use stack canaries, 65 percent use NX and 75 percent use PIE, while four percent carry an RPATH and 35 percent ship with debugging symbols (both of which count against a binary rather than for it). The averages can be misleading because the differences between firmware images are very large. Overall, all five firmware images examined were described as "lacking" in binary protection mechanisms.
- Default credentials are going away. Even though every firmware image came with default credentials, they were often uniquely generated and the user was forced to change them when configuring the device, so they are not exploitable under normal circumstances.
- Custom patching is a problem. The analysis found examples of vendors applying their own patches to known vulnerabilities and introducing new issues, as well as patching vulnerabilities without incrementing component versions, which leaves device users unable to tell which components are actually vulnerable.
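The binary-hardening figures above are the kind of thing a firmware reviewer measures with checksec; the script below is an added example (written for this page, not the report's or either vendor's tooling) that computes the same six properties by parsing ELF headers directly, so it runs over an extracted rootfs without readelf and handles the 32-bit big-endian MIPS and ARM binaries typical of routers. The ELF constants are from the ABI specs; the canary check uses the usual heuristic of looking for the `__stack_chk_fail` symbol name; `build_sample_elf` is a constructed test fixture, not a real firmware binary.

```python
import os
import struct

ET_EXEC, ET_DYN, PF_X = 2, 3, 1
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_RPATH, DT_BIND_NOW, DT_RUNPATH, DT_FLAGS, DT_FLAGS_1 = 0, 15, 24, 29, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def parse_elf(data):
    """Return (e_type, program headers, section names, dynamic entries); handles ELF32/64, LE/BE."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    (e_type, _, _, _, phoff, shoff, _, _, phentsize, phnum, shentsize, shnum,
     shstrndx) = struct.unpack_from(end + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH"), data, 16)
    phdrs = []  # (p_type, p_flags, p_offset, p_filesz); ELF32 orders the fields differently
    for i in range(phnum):
        if is64:
            t, f, off, _, _, sz, _, _ = struct.unpack_from(end + "IIQQQQQQ", data, phoff + i * phentsize)
        else:
            t, off, _, _, sz, _, f, _ = struct.unpack_from(end + "IIIIIIII", data, phoff + i * phentsize)
        phdrs.append((t, f, off, sz))
    shdrs = [struct.unpack_from(end + ("IIQQQQIIQQ" if is64 else "IIIIIIIIII"), data, shoff + i * shentsize)
             for i in range(shnum)]  # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, ...
    names = []
    if shstrndx < len(shdrs):  # resolve section names through .shstrtab
        tab = data[shdrs[shstrndx][4]:shdrs[shstrndx][4] + shdrs[shstrndx][5]] + b"\0"
        names = [tab[s[0]:tab.index(b"\0", s[0])].decode("ascii", "replace") for s in shdrs]
    dyn = []
    for t, _, off, sz in phdrs:
        if t == PT_DYNAMIC:  # walk the dynamic array up to DT_NULL
            fmt, esz = (end + "qQ", 16) if is64 else (end + "iI", 8)
            for o in range(off, off + sz, esz):
                tag, val = struct.unpack_from(fmt, data, o)
                if tag == DT_NULL:
                    break
                dyn.append((tag, val))
    return e_type, phdrs, names, dyn

def analyze(data):
    """checksec-style verdict for one ELF: the six properties the report counts."""
    e_type, phdrs, names, dyn = parse_elf(data)
    d = dict(dyn)  # tag -> value (a duplicate tag keeps the last value; fine for flag checks)
    has_relro = any(t == PT_GNU_RELRO for t, *_ in phdrs)
    bind_now = DT_BIND_NOW in d or d.get(DT_FLAGS, 0) & DF_BIND_NOW or d.get(DT_FLAGS_1, 0) & DF_1_NOW
    stack = [f for t, f, *_ in phdrs if t == PT_GNU_STACK]
    return {
        "relro": "full" if has_relro and bind_now else "partial" if has_relro else "none",
        "canary": b"__stack_chk_fail" in data,  # heuristic, as checksec: guard symbol name present
        "nx": bool(stack) and not stack[0] & PF_X,  # missing PT_GNU_STACK means an executable stack
        "pie": e_type == ET_DYN,  # shared objects are ET_DYN as well and count as PIE here
        "rpath": DT_RPATH in d or DT_RUNPATH in d,  # a weakness, not a protection
        "debug": any(n == ".symtab" or n.startswith(".debug_") for n in names),
    }

def summarize(results):
    """Turn per-binary verdicts into the percentages the report quotes."""
    n = max(len(results), 1)
    out = {k: round(100.0 * sum(r[k] for r in results) / n, 1) for k in ("canary", "nx", "pie", "rpath", "debug")}
    out["relro"] = round(100.0 * sum(r["relro"] != "none" for r in results) / n, 1)
    out["count"] = len(results)
    return out

def scan_tree(root):
    """Walk an extracted firmware rootfs (e.g. binwalk output) and summarize every ELF it contains."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            try:
                with open(os.path.join(dirpath, fname), "rb") as fh:
                    data = fh.read()
                if data[:4] == b"\x7fELF":
                    results.append(analyze(data))
            except (OSError, ValueError, struct.error, IndexError):
                continue  # unreadable, truncated or malformed: skip it
    return summarize(results)

def build_sample_elf(pie=True, nx=True, relro="full", rpath=False, canary=True, debug=False):
    """Constructed minimal ELF64 (little-endian) for offline testing; not a real firmware binary."""
    dyn = ([(DT_FLAGS, DF_BIND_NOW)] if relro == "full" else []) + ([(DT_RUNPATH, 0)] if rpath else []) + [(DT_NULL, 0)]
    dynbytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    shstr = b"\0.shstrtab\0" + (b".debug_info\0" if debug else b"")
    blob = b"__stack_chk_fail\0" if canary else b""  # stands in for the .dynstr entry a real binary has
    phcount, shnum = 2 + (relro != "none"), 2 + debug
    shoff = 64 + 56 * phcount
    dyn_off, shstr_off = shoff + 64 * shnum, shoff + 64 * shnum + len(dynbytes)
    ph = [struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dynbytes), len(dynbytes), 8),
          struct.pack("<IIQQQQQQ", PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16)]  # RW vs RWX stack
    if relro != "none":
        ph.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, dyn_off, 0, 0, len(dynbytes), len(dynbytes), 1))
    sh = [bytes(64), struct.pack("<IIQQQQIIQQ", 1, 3, 0, 0, shstr_off, len(shstr), 0, 0, 1, 0)]  # null, .shstrtab
    if debug:
        sh.append(struct.pack("<IIQQQQIIQQ", 11, 1, 0, 0, shstr_off + len(shstr), 0, 0, 0, 1, 0))  # .debug_info
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, 64, shoff, 0, 64, 56, phcount, 64, shnum, 1)
    return ehdr + b"".join(ph) + b"".join(sh) + dynbytes + shstr + blob
```

Call `scan_tree` on a filesystem extracted with binwalk or a similar tool; it returns the share of ELF binaries with each property, in the same form as the figures above. Lower is better for `rpath` and `debug`. The averages are as misleading here as the report warns: a rootfs full of symlinks to one statically linked busybox is dominated by that single binary, so look at the per-binary `analyze` output for the network-facing daemons rather than the percentage alone.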
“The ‘Rough Around the Edges’ report reveals a troubling trend of outdated software components in OT/IoT routers, with many devices running modified versions of OpenWrt that include known vulnerabilities,” said Larry Pesce, Director of Product Research and Development at Finite State. “These findings highlight the critical importance of addressing software supply chain risks, as our analysis identified an average of 161 known vulnerabilities per firmware image, including 24 with critical scores.”
The research also found positive correlations between the age of components, the number of known vulnerabilities and the binary hardening practices of each vendor. As expected, firmware built from newer components tends to have fewer known vulnerabilities and better binary protections.