news.volyx.in

Tenda firmware (multiple versions) contains hidden authentication backdoor (kb.cert.org)

355 points by miniBill · 4 days ago · 123 comments on HN

Article summary

Tenda firmware has a hidden authentication backdoor that grants administrative access to devices' web management interfaces, allowing attackers to bypass password verification and gain full control. The backdoor is not documented and can be accessed using a specific password. This vulnerability affects several versions of Tenda firmware. A patch is not available, but mitigation strategies such as disabling remote management and restricting local network exposure can help reduce the risk.

Main themes

  • Network device security
  • Firmware vulnerabilities
  • Backdoor authentication
  • Vendor responsibility
  • Security best practices

What commenters say

  • The backdoor is likely a convenience feature that was forgotten to be removed before distribution, rather than a deliberate attempt to create a vulnerability.
  • Assuming a vulnerability is due to malice rather than ignorance can be misleading, and it's better to investigate and prove intent before making accusations.
  • The presence of a backdoor, regardless of intent, poses a significant security risk and should be taken seriously.
  • The lack of transparency and accountability from vendors can contribute to the persistence of security vulnerabilities in their products.
  • Security professionals tend to assume the worst-case scenario when encountering a vulnerability, while others may be more inclined to attribute it to a mistake or oversight.
  • The distinction between a deliberate backdoor and an accidental vulnerability may be irrelevant in terms of security risk, as both can be exploited by attackers.