Tenda AC21 Unauthenticated Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in the Tenda AC21 router, specifically in version 16.03.08.16. The issue arises in the Web Management Interface, within a function of the file '/cgi-bin/DownloadFlash'. This vulnerability allows remote attackers to access sensitive information without authentication, by exploiting the lack of authorization checks in the specified function. The vulnerability has been publicly disclosed and is available for exploitation.

Impact

Exploitation of this vulnerability leads to unauthorized access to the router's firmware, including the operating system filesystem, kernel, bootloader, and sensitive configuration data such as account hashes, hardcoded credentials, and private keys.

Reproduction

The vulnerability can be reproduced by sending a GET request to the '/cgi-bin/DownloadFlash' endpoint on a Tenda AC21 router running version 16.03.08.16. This request can be made without any authentication, and it will trigger the router to download the entire flash memory image, which can then be saved and analyzed for sensitive information.

Remediation

Users are advised to implement firewall rules to restrict access to the Web Management Interface, allowing only trusted internal IP addresses to reach the management backend.