Description Preview
A critical authentication vulnerability was discovered in Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. The issue stems from a format error in the /etc/shadow file combined with a logic bug in the LuCI - OpenWrt Configuration Interface framework. This vulnerability allows an attacker to gain unauthorized access to the router's management interface by exploiting an undocumented system account called "mofidev" through a forgotten-password feature, effectively bypassing authentication controls.
Overview
The vulnerability (CVE-2020-13859) affects Mofi Network MOFI4500-4GXeLTE routers running firmware version 4.0.8-std. The issue involves an improperly configured system account combined with a logic flaw in the authentication mechanism. The undocumented "mofidev" account can be used to access the cgi-bin/luci/quick/wizard management interface without requiring a password by exploiting the router's forgotten-password functionality. This vulnerability is classified as CWE-287 (Improper Authentication) and CWE-755 (Improper Handling of Exceptional Conditions), allowing attackers to gain administrative control over the affected device.
Remediation
To address this vulnerability, users should:
- Update the router's firmware to the latest version available from Mofi Network's official website.
- Check Mofi Network's security advisory page for specific patch information.
- If updates are not available, consider implementing network-level protections:
- Place the router behind another security device if possible
- Restrict management interface access to trusted IP addresses only
- Monitor for unauthorized access attempts
- Change default credentials for all accounts
- Consider disabling remote management if not required.
References
- Mofi Network Security Advisory: https://mofinetwork.com/index.php?main_page=page&id=14
- Critical Start Technical Analysis: https://www.criticalstart.com/critical-vulnerabilities-discovered-in-mofi-routers/
- CWE-287: Improper Authentication - https://cwe.mitre.org/data/definitions/287.html
- CWE-755: Improper Handling of Exceptional Conditions - https://cwe.mitre.org/data/definitions/755.html
Industry ExposureMost to leastThis section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- Accommodation & Food ServicesAccommodation & Food Services
- Administrative, Support, Waste Management & Remediation ServicesAdministrative, Support, Waste Management & Remediation Services
- Agriculture, Forestry Fishing & HuntingAgriculture, Forestry Fishing & Hunting
- Arts, Entertainment & RecreationArts, Entertainment & Recreation
- ConstructionConstruction
- Educational ServicesEducational Services
- Finance and InsuranceFinance and Insurance
- Health Care & Social AssistanceHealth Care & Social Assistance
- InformationInformation
- Management of Companies & EnterprisesManagement of Companies & Enterprises
- ManufacturingManufacturing
- MiningMining
- Other Services (except Public Administration)Other Services (except Public Administration)
- Professional, Scientific, & Technical ServicesProfessional, Scientific, & Technical Services
- Public AdministrationPublic Administration
- Real Estate Rental & LeasingReal Estate Rental & Leasing
- Retail TradeRetail Trade
- Transportation & WarehousingTransportation & Warehousing
- UtilitiesUtilities
- Wholesale TradeWholesale Trade
