A New Critical Vulnerability in SAGEMCOM routers could allow an attacker to gain access control

In the configuration backup feature, the SAGEMCOM router, model [email protected] NET, operating software version NET 4.109.0, has an Inappropriate Access Control flaw.

16:45 GMT, Friday, November 27, 2020

This router is widely sold to customers in Brazil through the ISP CLARO.

The flaw occurs when the router’s user interface has a legitimate session running.

As long as any valid session is open, any unauthenticated request to http:///backupsettings.conf will download the router configuration.

Make a request to the /backupsettings.conf path removing any cookie data.

[Image: Request without any session data]

Making the request from a different IP than the one which initialized the valid session:

[Image: curl request without any session data]

The backupsettings.conf file contains sensitive information, including the administration username and password.


If “Remote Configuration Management” is enabled on the router, the backup configuration file becomes accessible over the WAN, to the entire Internet, on TCP port 6080.

In the image below I used a web proxy and accessed the WAN IP address of the router “189.61…” to ensure the external communication.

[Image: request to the router's WAN IP address through a web proxy]

Solution:

Upgrade the router firmware to the latest version from router-network.com/sagemcom/f-st-3486
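
To confirm on your own router that the upgrade closed the hole, the cookie-less request described above can be repeated and its answer classified. This is an added example, not code from the original post or from the vendor; the verdict names, the HTML heuristic and the default port 80 are assumptions.

```python
import sys
import urllib.error
import urllib.request

BACKUP_PATH = "/backupsettings.conf"  # path named in the advisory


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx answers instead of following them to a login page."""

    def redirect_request(self, *args, **kwargs):
        return None


def classify(status, content_type, body):
    """Map one cookie-less response to EXPOSED / PROTECTED / INCONCLUSIVE."""
    if status in (301, 302, 303, 307, 308, 401, 403, 404):
        return "PROTECTED"
    if status == 200 and body:
        # Assumption: a login or error page is HTML, a config backup is not.
        head = body.lstrip()[:15].lower()
        is_html = "html" in content_type.lower() or head.startswith((b"<!doctype", b"<html"))
        return "INCONCLUSIVE" if is_html else "EXPOSED"
    return "INCONCLUSIVE"


def probe(host, port=80, timeout=5):
    """Request the backup file with no Cookie header and no proxy."""
    # build_opener adds no cookie handler, so no session data is ever sent.
    opener = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))
    url = f"http://{host}:{port}{BACKUP_PATH}"
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Content-Type", ""), resp.read(4096))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Content-Type", ""), b"")
    except OSError:
        return "UNREACHABLE"


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_backup.py ROUTER_IP [PORT]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    # Run while an admin session is open in a browser, ideally from another host:
    # per the advisory the file is only served while some session is valid.
    print(probe(sys.argv[1], port))
```

A PROTECTED verdict only means something if an administrator session was open on the router at the time of the request. With “Remote Configuration Management” enabled, repeat the check from outside the LAN against the WAN address on port 6080.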
