TRENDnet Devices Bundle Infamous scfgmgr Service

January 11, 2016 By Risk Based Security

Earlier this month, we encountered an older TRENDnet N300 Wireless Hot Spot Access Point (TEW-636APB) and decided to extract the firmware to take a closer look at it. For those who do not recall, TRENDnet is the vendor that was slapped by the FTC in 2014.

Under the terms of the settlement with the Commission, TRENDnet was:

  • prohibited from misrepresenting the security of its cameras
  • required to establish a comprehensive information security program designed to address security risks that could result in unauthorized access
  • required to obtain third-party assessments of its security programs every two years for the next 20 years
  • required to notify customers of security issues and updates available to correct any flaw

This settlement was an attempt to ensure that TRENDnet improved the security of their products. It should be noted, however, that their devices were not really in any worse shape than what we regularly see from many device vendors.

When looking at the firmware, we immediately spotted that the device launches the infamous scfgmgr service on boot, which basically acts as a backdoor into the device. The service has previously been reported in various devices, primarily from NETGEAR, Cisco, and Linksys. It was, therefore, interesting to also find it in a product from TRENDnet, and it raised the question "How many TRENDnet models are affected?", especially when considering the FTC case.

To answer the question, we wrote a tool to download all available firmware images from TRENDnet (a total of 924), unpack and extract them using Binwalk, and then search the extracted file systems for the presence of the scfgmgr service. The results were encouraging: we only found the service in the latest firmware images of a few other TRENDnet device models, all of which seem to have been discontinued prior to the FTC case.
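The search step described above, as an added example that is not the tool the post describes: it walks a directory of firmware trees as Binwalk leaves them (one subdirectory per image, here a constructed stand-in with placeholder model names), flags any tree that ships a scfgmgr binary, and also reports which init scripts under etc/ reference the service so a defender can see how it gets launched on boot.

```python
"""Scan extracted firmware trees for the scfgmgr service (added example, constructed sample data)."""
import os
import re
import tempfile

SERVICE_NAME = "scfgmgr"                      # binary name of the backdoor service
SERVICE_REF = re.compile(r"\bscfgmgr\b")      # reference to it inside init/rc scripts


def scan_firmware_root(root):
    """Inspect one extracted image; returns binaries found, scripts referencing the service, and a verdict."""
    binaries, launchers = [], []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in files:
            path = os.path.join(dirpath, name)
            if name == SERVICE_NAME:
                binaries.append(os.path.relpath(path, root))
            elif "etc" in rel_dir.split(os.sep):      # only scan config/init files for references
                with open(path, "r", errors="ignore") as fh:
                    if SERVICE_REF.search(fh.read()):
                        launchers.append(os.path.relpath(path, root))
    return {"binaries": sorted(binaries), "launchers": sorted(launchers), "affected": bool(binaries)}


def scan_firmware_set(base_dir):
    """Scan every immediate subdirectory of base_dir, one per downloaded firmware image."""
    return {entry: scan_firmware_root(os.path.join(base_dir, entry))
            for entry in sorted(os.listdir(base_dir))
            if os.path.isdir(os.path.join(base_dir, entry))}


def build_sample_tree():
    """Constructed stand-in for a Binwalk output directory: one affected image, one clean one (placeholder names)."""
    base = tempfile.mkdtemp(prefix="fw_")
    affected = os.path.join(base, "TEW-636APB_1.0.0.5", "squashfs-root")
    clean = os.path.join(base, "TEW-PLACEHOLDER_0.0.0", "squashfs-root")   # hypothetical unaffected model
    for tree in (affected, clean):
        os.makedirs(os.path.join(tree, "etc", "init.d"))
        os.makedirs(os.path.join(tree, "usr", "sbin"))
    with open(os.path.join(affected, "usr", "sbin", SERVICE_NAME), "wb") as fh:
        fh.write(b"\x7fELF placeholder")                      # stands in for the real binary
    with open(os.path.join(affected, "etc", "init.d", "rcS"), "w") as fh:
        fh.write("#!/bin/sh\n/usr/sbin/scfgmgr &\n")          # service started at boot
    with open(os.path.join(clean, "etc", "init.d", "rcS"), "w") as fh:
        fh.write("#!/bin/sh\n/usr/sbin/httpd &\n")
    return base


if __name__ == "__main__":
    for image, result in scan_firmware_set(build_sample_tree()).items():
        print(image, "AFFECTED" if result["affected"] else "clean", result["launchers"])
```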

Hopefully, use of the affected device models in home and enterprise networks is very limited. Anyone still using one of these should consider replacing it with a still supported device immediately or, if that is not possible, at least ensure that traffic to the backdoor service's port is blocked.

It should be noted that the service was previously reported to listen on TCP port 32764. That is not the case for the TRENDnet devices. A table of affected devices, firmware versions, and the port that the service listens on can be found below:

MODEL                        FW VERSION   PORT
TEW-636APB (Version V1.0R)   1.0.0.5      32764/UDP
TEW-435BRM (Version D1.1R)   1.0.1.2      64639/TCP
TEW-435BRM (Version C1.0R)   1.00.06      64639/UDP
TEW-435BRM (Version B1)      2.00.07      64639/UDP
TW100-BRM504 (Version B1)    2.00.05      64639/UDP

We can't rule out that other models were also affected at some point and silently fixed. It is, therefore, advisable to ensure that any TRENDnet devices in use (as with devices in general), regardless of model, are running the latest firmware versions.

If you need help monitoring and tracking vulnerabilities in your IT infrastructure or better managing your vendors, we would welcome the opportunity to do a demo of our Vulnerability Intelligence (VulnDB) and Cyber Risk Analytics (CRA) solutions. If your organization wants an evaluation of a product, e.g. one internally developed or used in your IT infrastructure, we can also assist with product assessments as well as conducting network vulnerability assessments and penetration tests.

For more information, please contact us via email or call 855-RBS-RISK.
