Tenda AC8
cpe:2.3:h:tenda:ac8:*:*:*:*:*:*:*
- 16.03.50.11
An authentication bypass vulnerability has been identified in the Tenda AC8 router running firmware version 16.03.50.11. The issue arises in the IPv6 Handler component, specifically within the check_is_ipv6 function. Because of this flaw, the router skips authentication checks, including cookie validation and password verification, for requests received over IPv6. The flaw can be exploited remotely by appending a specific query parameter to the URL, granting unauthorized access to administrative functions. A publicly available proof-of-concept script automates exploitation.
Exploitation of this vulnerability allows for unauthenticated access to all administrative handlers on the router via IPv6. This includes sensitive functions such as password management, WiFi configuration, and firmware updates. The vulnerability can also be leveraged to enable Telnet access, providing root-level control over the device.
The vulnerability can be reproduced by sending an HTTP request over IPv6 link-local addressing to the router's web server. The request must include the 'goform/' and 'fast_setting_wifi_set' substrings in the URL. This can be done manually or by using the available proof-of-concept script, which automates the process and includes options to change passwords or WiFi settings.
It is recommended to apply restrictive firewall rules to block unauthorized access to the router's administrative interfaces.
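To complement the firewall recommendation, the following detection sketch flags HTTP records that match the request shape described above: an IPv6 client and a URL containing both 'goform/' and 'fast_setting_wifi_set'. It is an added example, not code from the advisory or from Tenda; the log format (`client_ip method request_target`, as a LAN-side sensor or proxy might export it), the handler name `ExampleAdminHandler` and the `x=` parameter are assumptions, and the sample records are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# The two substrings the advisory says must appear in the URL.
GOFORM = "goform/"
MARKER = "fast_setting_wifi_set"

# Constructed sample records, not real traffic: "client_ip method request_target".
# "ExampleAdminHandler" and the "x=" parameter are hypothetical placeholders.
SAMPLE_LOG = """\
fe80::1c2d:3eff:fe4f:5a6b%eth0 GET /goform/ExampleAdminHandler?x=fast_setting_wifi_set
fe80::1c2d:3eff:fe4f:5a6b POST /goform/fast_setting_wifi_set
192.168.0.23 GET /goform/ExampleAdminHandler?x=fast_setting_wifi_set
2001:db8::42 GET /goform/ExampleAdminHandler?x=fast_setting_wifi_set
fe80::9 GET /index.html
not-an-ip GET /goform/ExampleAdminHandler?x=fast_setting_wifi_set
"""


def classify(line):
    """Return (client, handler, verdict) for a suspicious record, else None."""
    parts = line.split(None, 2)
    if len(parts) != 3:
        return None
    client, _method, target = parts
    try:
        ip = ipaddress.ip_address(client.split("%")[0])  # drop zone id (%eth0)
    except ValueError:
        return None
    target = unquote(target)  # match percent-encoded forms too
    if ip.version != 6 or GOFORM not in target or MARKER not in target:
        return None
    # Handler = text after "goform/" up to the next delimiter.
    handler = re.split(r"[?&/#]", target.split(GOFORM, 1)[1], maxsplit=1)[0]
    verdict = "marker-as-handler" if handler == MARKER else "marker-appended"
    return (str(ip), handler, verdict)


def scan(log_text):
    """Classify every line and keep only the flagged records."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for client, handler, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:18} {client:28} /goform/{handler}")
```

Records tagged `marker-appended` name a different handler while still carrying the marker substring, which is the pattern to triage first; the IPv4 record is ignored because the advisory ties the bypass to requests received over IPv6.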