CVE-2020-35391
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to download the router configuration file containing sensitive information like admin passwords via a direct HTTP request to a specific CGI endpoint. It affects Tenda N300 F3 routers running firmware version 12.01.01.48. The issue appears related to improper HTTP header processing that bypasses authentication checks.
💻 Affected Systems
- Tenda N300 F3 Wireless Router
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain router admin credentials, gain full control of the router, intercept/modify network traffic, install malware, or pivot to internal network devices.
Likely Case
Attackers steal router configuration including admin passwords, potentially leading to unauthorized access, DNS hijacking, or network reconnaissance.
If Mitigated
With proper network segmentation and firewall rules, impact is limited to the router itself without lateral movement to other systems.
🎯 Exploit Status
Exploitation involves simple HTTP requests to download configuration files. Multiple public references demonstrate the technique.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: No official vendor advisory found
Restart Required: No
Instructions:
Check Tenda website for firmware updates. If available, download latest firmware, access router admin panel, navigate to firmware upgrade section, upload new firmware file, and apply.
🔧 Temporary Workarounds
Block External Management Access
allDisable remote management/WAN access to router admin interface
Access router admin panel -> Advanced -> Remote Management -> Disable
Restrict Management Interface Access
linuxUse firewall rules to restrict access to router management IP/ports
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
🧯 If You Can't Patch
- Replace affected router with a different model/vendor
- Isolate router in separate VLAN with strict firewall rules limiting management access
🔍 How to Verify
Check if Vulnerable:
Attempt HTTP GET request to http://[router_ip]/cgi-bin/DownloadCfg/RouterCfm.cfg? and check if configuration file is returned without authenticationCheck Version:
Check router web interface status page or use: curl -s http://[router_ip]/ | grep -i firmwareVerify Fix Applied:
After applying workarounds, attempt the same request and verify access is denied or requires authentication📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /cgi-bin/DownloadCfg/RouterCfm.cfg
- Unusual download patterns from router IP
- Failed authentication attempts followed by configuration access
Network Indicators:
- HTTP GET requests to routerCfm.cfg endpoint from untrusted sources
- Traffic patterns suggesting configuration file exfiltration
SIEM Query:
source="router_logs" AND uri="/cgi-bin/DownloadCfg/RouterCfm.cfg"🔗 References
- http://packetstormsecurity.com/files/171773/Tenda-N300-F3-12.01.01.48-Header-Processing.html
- https://medium.com/%40signalhilltech/tenda-n300-authentication-bypass-via-malformed-http-request-header-5b8744ca685e
- http://packetstormsecurity.com/files/171773/Tenda-N300-F3-12.01.01.48-Header-Processing.html
- https://medium.com/%40signalhilltech/tenda-n300-authentication-bypass-via-malformed-http-request-header-5b8744ca685e
