
Broken Access Control & CSRF in Genexis Platinum 4410 Router V2.1

Published on: September 16, 2020


While testing the Genexis Platinum 4410 home router, hardware version 2.1 (software version P4410-V2-1.28), I found that the router is vulnerable to Broken Access Control and Cross-Site Request Forgery (CSRF).

CVE ID: CVE-2020-25015

Summary

Platinum 4410 is a compact router from Genexis that is commonly used in homes. Hardware version V2.1 with software version P4410-V2-1.28 was found to be vulnerable to Broken Access Control and CSRF, which can be combined to remotely change the Wi-Fi access point's password.

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of the user.

— OWASP

For more information on CSRF, please visit this article.

Impact

An attacker can send the victim a link. If the victim opens it while connected to the Wi-Fi network of the vulnerable router, the resulting CSRF request changes the password of the Wi-Fi access point. Because the router is also vulnerable to Broken Access Control, the victim does not need to be logged in to the router's web-based setup page (192.168.1.1), which makes this a one-click attack.
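To make the two weaknesses concrete from the defender's side, here is an added example (not code from the post or from Genexis firmware) of a settings handler written the broken way beside the same handler hardened. The vulnerable version accepts a passphrase change with no session check and no anti-CSRF token, so any page the victim loads can trigger it; the hardened version requires an authenticated session, a POST, a same-origin Origin/Referer header, and a per-session CSRF token. The request shape, the endpoint name and the in-memory state are assumptions for illustration; the post does not disclose how the real router's request looks.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs

# Constructed in-memory state for the demo (a real router keeps this in flash).
SESSIONS: Dict[str, Dict[str, str]] = {}      # session_id -> {"csrf": token}
WIFI = {"passphrase": "initial-passphrase"}   # constructed sample value
ROUTER_ORIGIN = "http://192.168.1.1"          # setup-page address from the post


@dataclass
class Request:
    """Minimal stand-in for an HTTP request reaching a hypothetical
    /wifi_settings endpoint. Assumed shape, not the router's real API."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""      # application/x-www-form-urlencoded body
    query: str = ""     # raw query string


def login() -> str:
    """Create an authenticated session with its own anti-CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the legitimate setup page embeds in its form for this session."""
    return SESSIONS[sid]["csrf"]


def _session_from_cookie(req: Request) -> Optional[str]:
    # The browser attaches cookies to cross-site requests automatically, which
    # is why a cookie alone cannot prove the user intended the request.
    for part in req.headers.get("Cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == "session" and value in SESSIONS:
            return value
    return None


def vulnerable_set_passphrase(req: Request) -> int:
    """Broken pattern: no authentication, state change on GET, no CSRF token.
    Loading a link or <img> that points here is enough to change the value."""
    params = parse_qs(req.query)
    if "passphrase" in params:
        WIFI["passphrase"] = params["passphrase"][0]
        return 200
    return 400


def hardened_set_passphrase(req: Request) -> int:
    """Fixed pattern: logged-in session (access control), POST only,
    same-origin check, and a CSRF token bound to the session."""
    if req.method != "POST":
        return 405
    sid = _session_from_cookie(req)
    if sid is None:
        return 401                            # not logged in
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not (origin == ROUTER_ORIGIN or origin.startswith(ROUTER_ORIGIN + "/")):
        return 403                            # cross-site request
    form = parse_qs(req.body)
    token = form.get("csrf", [""])[0]
    if not hmac.compare_digest(token, SESSIONS[sid]["csrf"]):
        return 403                            # missing or wrong CSRF token
    if "passphrase" not in form or len(form["passphrase"][0]) < 8:
        return 400                            # WPA2 passphrases are 8+ chars
    WIFI["passphrase"] = form["passphrase"][0]
    return 200
```

The ordering of the checks matters: the session check is what closes the Broken Access Control part of the finding, and the Origin plus token checks close the CSRF part; with only the first fix in place, a logged-in admin could still be tricked into changing the passphrase, which is the scenario the post describes for a router that does enforce login.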

Vulnerability

More details on the vulnerability will be added after October 1.

Timeline

  • Vulnerability reported to the Genexis team on August 28, 2020
  • Team confirmed firmware release containing fix on September 14, 2020

Recommendation

  • As per the Genexis team, customers should contact their ISP in order to get access to the latest firmware.
  • Use a more secure router if you are unable to upgrade the firmware.

Jinson Varghese

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.