Tenda AC10
cpe:2.3:h:tenda:ac10:*:*:*:*:*:*:*, +1 more
- 16.03.10.10_multi_TDE01
A vulnerability exists in the Tenda AC10 V4 router running firmware version 16.03.10.10_multi_TDE01. The issue arises from an unencrypted RSA 2048-bit private key being stored in a web-accessible directory. This key, used by the device's HTTP TLS server, can be retrieved remotely without authentication. Exposure of the private key allows decryption of HTTPS traffic to and from the device, including admin credentials. The corresponding certificate is self-signed and carries a deprecated SHA-1 signature, which compounds the weakness.
Exploitation of this vulnerability allows for the decryption of HTTPS traffic, including admin sessions, and the capture of admin credentials submitted via the login page. Additionally, an attacker can impersonate the router to clients using a valid-looking certificate.
It is recommended to move the private key outside of the web root to prevent HTTP access, apply strict file system permissions to restrict access to the key, and replace the self-signed SHA-1 certificate with a SHA-256 certificate.
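As an added example (not the vendor's code or part of this advisory), the audit below checks an extracted firmware image for the two weaknesses described: a PEM private key anywhere under the HTTP server's document root, and a certificate whose outer signature algorithm is SHA-1. The DER parser is a minimal hand-rolled walk of the Certificate structure, and the sample web root and certificate bytes are constructed for the demonstration, not taken from the device.

```python
import base64
import pathlib
import re

PEM_KEY_RE = re.compile(rb"-----BEGIN (RSA |EC )?PRIVATE KEY-----")
PEM_CERT_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1"}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs; a set high bit means more bytes follow
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def cert_signature_oid(der):
    """Dotted OID of a DER certificate's outer signatureAlgorithm, without third-party libraries."""
    _, body, _ = _tlv(der, 0)        # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    _, _, tbs_end = _tlv(der, body)  # skip tbsCertificate entirely
    _, alg, _ = _tlv(der, tbs_end)   # signatureAlgorithm ::= SEQUENCE { OID, parameters }
    tag, start, end = _tlv(der, alg)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(der[start:end])

def audit_files(files):
    """files maps web-root-relative path -> bytes; returns sorted (finding, path) pairs."""
    findings = []
    for path, data in files.items():
        if PEM_KEY_RE.search(data):  # anything under the web root is fetchable over HTTP
            findings.append(("private-key-in-webroot", path))
        for m in PEM_CERT_RE.finditer(data):
            if cert_signature_oid(base64.b64decode(m.group(1))) in SHA1_SIG_OIDS:
                findings.append(("sha1-signed-cert", path))
    return sorted(findings)

def audit_webroot(webroot):  # audit every regular file under an extracted image's web root
    return audit_files({str(p.relative_to(webroot)): p.read_bytes() for p in pathlib.Path(webroot).rglob("*") if p.is_file()})

# Constructed stand-in, not a real certificate: empty tbsCertificate, sha1WithRSAEncryption, empty signature.
SAMPLE_SHA1_CERT_DER = bytes.fromhex("30153000300d06092a864886f70d0101050500" "03020000")
SAMPLE_WEBROOT = {  # constructed sample tree, not files taken from the device
    "server.key": b"-----BEGIN RSA PRIVATE KEY-----\n(placeholder)\n-----END RSA PRIVATE KEY-----\n",
    "cgi-bin/server.crt": b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_SHA1_CERT_DER) + b"-----END CERTIFICATE-----\n",
}
```

Point `audit_webroot` at the HTTP server's document root inside an unpacked firmware image; an empty result after the fix confirms the key has left the web root and the certificate no longer uses SHA-1.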