CVE-2019-5986 in Hikari Denwa
Summary
by MITRE
Cross-site request forgery (CSRF) vulnerability in Hikari Denwa router/Home GateWay (Hikari Denwa router/Home GateWay provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION PR-S300NE/RT-S300NE/RV-S340NE firmware version Ver. 19.41 and earlier, PR-S300HI/RT-S300HI/RV-S340HI firmware version Ver.19.01.0005 and earlier, PR-S300SE/RT-S300SE/RV-S340SE firmware version Ver.19.40 and earlier, PR-400NE/RT-400NE/RV-440NE firmware version Ver.7.42 and earlier, PR-400KI/RT-400KI/RV-440KI firmware version Ver.07.00.1010 and earlier, PR-400MI/RT-400MI/RV-440MI firmware version Ver. 07.00.1012 and earlier, PR-500KI/RT-500KI firmware version Ver.01.00.0090 and earlier, RS-500KI firmware version Ver.01.00.0070 and earlier, PR-500MI/RT-500MI firmware version Ver.01.01.0014 and earlier, and RS-500MI firmware version Ver.03.01.0019 and earlier, and Hikari Denwa router/Home GateWay provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION PR-S300NE/RT-S300NE/RV-S340NE firmware version Ver. 19.41 and earlier, PR-S300HI/RT-S300HI/RV-S340HI firmware version Ver.19.01.0005 and earlier, PR-S300SE/RT-S300SE/RV-S340SE firmware version Ver.19.40 and earlier, PR-400NE/RT-400NE/RV-440NE firmware version Ver.7.42 and earlier, PR-400KI/RT-400KI/RV-440KI firmware version Ver.07.00.1010 and earlier, PR-400MI/RT-400MI/RV-440MI firmware version Ver. 07.00.1012 and earlier, PR-500KI/RT-500KI firmware version Ver.01.00.0090 and earlier, and PR-500MI/RT-500MI firmware version Ver.01.01.0011 and earlier) allow remote attackers to hijack the authentication of administrators via unspecified vectors.
Analysis
by VulDB Data Team • 08/22/2020
This cross-site request forgery vulnerability affects a wide range of Hikari Denwa routers and home gateways manufactured by NTT East and NTT West corporations. The vulnerability exists in multiple firmware versions across various model series including PR-S300NE, PR-400KI, PR-500MI, and their respective variants. These devices operate within residential and small office environments, serving as critical network access points that handle sensitive telecommunications data and provide internet connectivity to users. The affected firmware versions span from early 2019 releases through several older iterations, indicating a prolonged period of exposure without adequate CSRF protection mechanisms.
The technical flaw manifests as a lack of proper anti-CSRF measures in the web-based administration interfaces of these devices. Attackers can exploit this weakness by crafting malicious web pages or links that, when visited by an authenticated administrator, automatically submit requests to the vulnerable router's administrative functions. This occurs because the router does not implement sufficient validation to distinguish between legitimate administrative requests originating from the device's own interface and forged requests initiated from external domains. The vulnerability allows attackers to perform administrative actions without requiring valid credentials, effectively hijacking the administrator's authenticated session. This represents a classic CSRF attack pattern where the victim's browser automatically includes session cookies or authentication tokens when making requests to the target device, enabling unauthorized modifications to router configuration settings.
The operational impact of this vulnerability is significant for both individual users and network administrators. An attacker who successfully exploits this vulnerability could gain complete control over the affected router, potentially leading to unauthorized network access, modification of firewall rules, DNS configuration changes, or even complete network disruption. The vulnerability particularly affects users who maintain administrative access to their home or small office networks, as these routers often serve as the primary gateway for internet connectivity and may be configured with sensitive network parameters. Additionally, the widespread deployment of affected models across multiple NTT service providers means that a large number of users could be simultaneously vulnerable. The attack vector is particularly dangerous because it requires no special privileges or access to the local network, as the exploitation can occur remotely through web-based attacks that target the router's administrative interface.
Mitigation strategies for this vulnerability should focus on immediate firmware updates from NTT or device manufacturers, as these updates typically include proper CSRF token implementation and session management controls. Organizations and individuals should also consider implementing network segmentation to isolate critical devices from general internet access, and deploying additional authentication layers such as two-factor authentication where available. Network administrators should regularly audit router configurations and monitor for unauthorized changes, while also ensuring that default administrative credentials are changed and that unnecessary administrative services are disabled. This vulnerability aligns with CWE-352, which specifically addresses cross-site request forgery weaknesses in web applications and systems. The attack pattern corresponds to techniques described in the MITRE ATT&CK framework under the T1078 credential access and T1566 initial access categories, particularly focusing on the exploitation of web application vulnerabilities to gain unauthorized administrative access to network infrastructure devices.
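The server-side validation that the analysis describes as missing, and the CSRF token control named under mitigation, can be sketched as follows. This is an added example, not NTT firmware code and not taken from the advisory, which leaves the vectors unspecified. The admin origin, session identifier, form fields and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)   # per-boot secret (assumption)
ADMIN_ORIGIN = "http://192.168.1.1"    # constructed admin UI origin
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def issue_token(session_id: str) -> str:
    """Session-bound token the admin UI embeds in every form it serves."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(headers: dict) -> bool:
    """Origin (or Referer as fallback) must match the admin UI's own origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == ADMIN_ORIGIN

def check_request(method: str, headers: dict, session_id: str, form: dict) -> str:
    """Return 'allow' or the reason a state-changing request is rejected."""
    if method not in STATE_CHANGING:
        return "allow"
    if not same_origin(headers):
        return "reject: cross-origin"
    supplied = form.get("csrf_token", "").encode()
    expected = issue_token(session_id).encode()
    if not hmac.compare_digest(supplied, expected):
        return "reject: bad token"
    return "allow"

# Constructed requests. In every case the browser attaches the admin's
# session cookie automatically, so the session alone proves nothing.
SID = "constructed-session-id"
REQUESTS = {
    "admin_ui": ("POST", {"Origin": ADMIN_ORIGIN}, SID,
                 {"dns1": "192.0.2.53", "csrf_token": issue_token(SID)}),
    "forged_cross_site": ("POST", {"Origin": "http://other.example"}, SID,
                          {"dns1": "192.0.2.66"}),
    "same_origin_no_token": ("POST", {"Referer": ADMIN_ORIGIN + "/dns.html"},
                             SID, {"dns1": "192.0.2.66"}),
}

def run_samples() -> dict:
    return {name: check_request(*req) for name, req in REQUESTS.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

A device without either check treats all three requests identically, which is the condition CWE-352 describes.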