Tenda RX2 Pro Cleartext Transmission of Symmetric AES Key Vulnerability

Vulnerability

A vulnerability exists in the Tenda RX2 Pro router's web management portal, specifically in version 16.03.30.14. The issue arises from the cleartext transmission of sensitive information, allowing an attacker to intercept and decrypt traffic between the client and server. This is possible because the symmetric AES key used for encryption is sent in cleartext after successful authentication. The initialization vector (IV) used in the encryption process is always the same, further compromising the security of the transmission.

Impact

Exploitation of this vulnerability allows for the interception and decryption of encrypted traffic between the client and the Tenda RX2 Pro router's web management portal.

Reproduction

After authenticating with the web management portal, the AES key is transmitted in cleartext. This key can be intercepted and used to decrypt any collected encrypted traffic. The IV used in the encryption is static and known, allowing for straightforward decryption of the intercepted data.
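The effect of a fixed IV on what a passive observer can infer, shown as an added example that is not code from the advisory or from the vendor. It assumes AES-128-CBC (the advisory does not name the mode); the key, IV, request bodies and all function names are constructed for illustration.

```javascript
// Assumptions (not from the advisory): AES-128-CBC; KEY, STATIC_IV and SAMPLES
// are constructed demo values; all function names are hypothetical.
const nodeCrypto = require("crypto");

const BLOCK = 16;
const KEY = Buffer.alloc(16, 0x11);       // constructed demo key
const STATIC_IV = Buffer.alloc(16, 0x00); // constructed stand-in for a fixed IV

// Weak pattern: every message is encrypted under the same IV.
function encryptStaticIv(plaintext) {
  const c = nodeCrypto.createCipheriv("aes-128-cbc", KEY, STATIC_IV);
  return Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
}

// Corrected pattern: a random IV per message, sent in front of the ciphertext.
function encryptFreshIv(plaintext) {
  const iv = nodeCrypto.randomBytes(BLOCK);
  const c = nodeCrypto.createCipheriv("aes-128-cbc", KEY, iv);
  return Buffer.concat([iv, c.update(plaintext, "utf8"), c.final()]);
}

// Number of leading 16-byte blocks that two ciphertexts have in common.
function sharedLeadingBlocks(a, b) {
  const max = Math.floor(Math.min(a.length, b.length) / BLOCK);
  let n = 0;
  while (n < max && a.subarray(n * BLOCK, (n + 1) * BLOCK)
    .equals(b.subarray(n * BLOCK, (n + 1) * BLOCK))) n++;
  return n;
}

// Audit check for captures of your own device's traffic: returns groups of
// message indexes whose first block repeats, an indicator of IV reuse.
function findRepeatedFirstBlocks(ciphertexts) {
  const seen = new Map();
  ciphertexts.forEach((ct, i) => {
    const k = ct.subarray(0, BLOCK).toString("hex");
    seen.set(k, [...(seen.get(k) || []), i]);
  });
  return [...seen.values()].filter((idx) => idx.length > 1);
}

// Constructed request bodies; the first two share their first 16 bytes.
const SAMPLES = [
  '{"module":"wifi","action":"get","page":1}',
  '{"module":"wifi","action":"set","ssid":"home"}',
  '{"module":"wan","action":"get"}',
];
```

A fresh IV removes only the repetition; the session key still has to be exchanged over a protected channel rather than sent in cleartext.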

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 2.5
exploitability: 7.2
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.