Tenda 固件(多个版本)包含隐藏的身份验证后门
Tenda firmware (multiple versions) contains hidden authentication backdoor

原始链接: https://kb.cert.org/vuls/id/213560

多个腾达(Tenda)路由器型号存在一个严重的、未记录的身份验证后门(CVE-2026-11405),攻击者可借此绕过密码验证并获得完全的管理控制权。 该漏洞存在于 `/bin/httpd` 网络服务器二进制文件中,其 `login()` 函数包含一个硬编码的后备机制。如果标准的 MD5 身份验证失败,系统会将用户输入的值与通过 `GetValue("sys.rzadmin.password")` 获取的存储密码进行比对。由于此过程不验证用户名,攻击者无需凭据即可获取管理员权限。 **受影响版本:** * US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD * US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE * US_AC10V1.0re_V15.03.06.46_multi_TDE01 * US_AC5V1.0RTL_V15.03.06.48_multi_TDE01 * US_AC6V2.0RTL_V15.03.06.51_multi_T **影响:** 攻击者可以完全重新配置设备、更改网络设置并破坏局域网安全。 **解决方案:** 由于厂商尚未提供补丁,用户应通过以下方式降低风险: 1. **禁用远程管理**,以防止通过互联网进行外部访问。 2. **限制局域网暴露**,通过更改默认 IP 地址来降低被自动扫描发现的风险。

CERT 近期的报告指出,多个版本的 Tenda 路由器固件中存在硬编码的认证后门。该漏洞利用了一个隐藏的“rzadmin”账户,研究人员发现,即使修改了主管理员密码,该账户依然处于激活状态。 Hacker News 上的讨论反映出两种观点:一方认为这是恶意行为,另一方则将其归咎于开发者严重的疏忽——即在生产代码中残留了调试凭据。许多评论者指出,“rzadmin”(可能是“RechenZentrum”或数据中心管理员的缩写)这一命名方式显得极为敷衍,表明开发过程中缺乏基本的安全标准,而非源于某种复杂的国家级攻击。 无论动机如何,社区强调这是消费级网络硬件中反复出现的问题。参与者建议用户保持高度警惕,并推荐将原厂固件替换为 OpenWRT 等开源方案,或使用“垃圾盒”(即二级加固防火墙设备)将脆弱的消费级路由器与本地局域网隔离。此讨论再次警示人们:消费级路由器往往缺乏安全性,而所谓的“合理推诿”常被用来掩盖行业内低劣的质量控制。
相关文章

原文

Overview

Several versions of Tenda firmware contain an undocumented authentication backdoor that grants administrative access to the devices' web management interfaces. An attacker can expoit this vulnerability, tracked as CVE-2026-11405, to bypass the password verification process and obtain full administrative control without valid credentials.

Affected Versions:
* US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD
* US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE
* US_AC10V1.0re_V15.03.06.46_multi_TDE01
* US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
* US_AC6V2.0RTL_V15.03.06.51_multi_T

Description

Tenda is a supplier of home and business network devices such as routers, switches, wireless access points, and video surveillance equipment. Most of these devices include web-based interfaces that allow users to perform configuration and management operations, which are protected by username/password authentication to prevent unauthorized modifications.

The web server binary /bin/httpd contains an undocumented backdoor authentication mechanism in the login() function. Initially, the function follows a normal authentication path using MD5-based password verification. However, if authentication fails, the function invokes GetValue("sys.rzadmin.password") to retrieve an alternate password value from the device configuration. It then performs a direct strcmp() comparison in plaintext between the user-supplied password and the configuration-stored value. A successful match grants role=2 admin-level access and creates a valid session.

The associated username is not validated, so any provided username will succeed when paired with the backdoor password. This backdoor authentication mechanism is not documented or visible through any administrative interface.

Impact

Successful exploitation grants full administrative access to the device's web interface, regardless of the configured administrator account credentials. With administrative control, an attacker can reconfigure the device, alter network settings, and disable security features, enabling broader compromise of the local network.

Solution

Unfortunately, we were unable to reach the vendor to coordinate this vulnerability. Since a patch is unavailable, we can only offer mitigation strategies. The following workarounds can help mitigate this vulnerability's impact until a fixed version is released:

Disable remote management on your device
If your device supports remote web management, disable it. Disabling this feature prevents attackers on external networks from accessing your device’s administrative dashboard over the internet.

Restrict local network exposure
Changing the default LAN IP address may reduce opportunistic discovery by automated scanners that target known default IP ranges. Note that this measure does not prevent deliberate or targeted network scanning.

Acknowledgements

Thanks to the reporter who wishes to remain anonymous. This document was written by Bob Kemerer.

联系我们 contact @ memedata.com