by peterwwillis 3868 days ago
Seems like this only affects the LAN interface. Since most people aren't trying to break into your computer just to break into your cable modem, this shouldn't be considered a high priority exploit.

Malware changing the DNS server on your router's DHCP server could be bad for you. But even though malware on your desktop attacking your network is bad, what's worse is there's malware on your desktop.


"Shodan searches indicate that the backdoor affects over 600.000 externally accessible hosts"

It doesn't look like this is LAN-only.

Even if it were, an escalation from unprivileged code execution on a single device to MITM any connection out of a network hardly seems "low priority".

I'm guessing they used Shodan to locate the models they knew were affected (i.e. by model numbers), not to try the backdoor on unsuspecting devices (which would be illegal).
Just because you can't think of a useful use by the bad guys, doesn't mean they can't :-) It is also quite possible the bad guys have figured out how to exploit this using regular JavaScript - i.e. you don't need malware in your LAN, just JavaScript in a browser.
Assuming you could exploit the browser's JS to submit such a request (I thought I remembered seeing a security feature of modern browsers to prevent this?) and assuming the web interface requires no authentication, you would only be able to enable WAN HTTP access. The telnet and ssh still appear to be LAN-only. And you still need the serial number to generate a password (does the web interface even show that?). I don't see a viable drive-by attack vector other than malware.

Edit: It does look like telnet can be accessed via WAN, which is pretty bad.

There is a same origin policy and CORS. Sometimes cross site stuff is supposed to work (JSONP). In some cases the request is made to the non-origin site, and the response is then blocked based on returned headers. That however doesn't stop the request's side effects. A few years ago there was a round of hacks against many home routers doing this, exploiting vulnerabilities in their web admin interfaces. I stand by my first sentence in my first comment.
Yes, this class of web vulnerability is called Cross-Site Request Forgery or CSRF (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%...). The Same Origin Policy (SOP) prevents one domain from receiving the HTTP responses for requests it sends to other domains. As you suggest however, the request itself can sometimes be enough to cause adverse side effects on the target server (that may be beneficial to an attacker).

It continues to be a common security issue among web applications and is why all sensitive actions should be protected with unique anti-CSRF tokens (most good development frameworks provide support for this).

If you need to relax SOP restrictions between sites you control, the modern and recommended way is via Cross Origin Resource Sharing or CORS (https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_con...).
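As an added illustration (not code from anyone in this thread), here is a minimal server-side check of the kind the comment above recommends for a router admin interface: a per-session anti-CSRF token plus an Origin comparison, so that a cross-site request which the browser sends with the victim's cookie is rejected before it has a side effect. The router address, cookie name and the dict shape of a request are assumptions made for the example.

```python
import hmac
import hashlib
import secrets

# Constructed secret for the example; a real device would persist one in config.
SERVER_SECRET = secrets.token_bytes(32)
TRUSTED_ORIGIN = "http://192.168.0.1"  # assumed address of the admin UI


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session token (HMAC over the session id). It is embedded
    in the admin page's forms; a cross-site page cannot read it because the
    Same Origin Policy hides the response from it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_state_changing_request(request: dict) -> tuple[bool, str]:
    """Gate a sensitive action (e.g. enabling remote HTTP or changing the DHCP
    DNS server). `request` is a constructed stand-in for an HTTP request with
    keys 'method', 'headers', 'cookies' and 'form'."""
    if request["method"] not in ("POST", "PUT", "DELETE"):
        return False, "state changes must not be reachable via GET"
    session_id = request["cookies"].get("session")
    if not session_id:
        return False, "no session cookie"
    # Browsers attach Origin on cross-site POSTs; a mismatch is a cheap first filter.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return False, f"cross-site origin {origin}"
    # Synchronizer token: the cookie rides along automatically on a forged
    # request, but the forging page cannot supply the matching token.
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, issue_csrf_token(session_id)):
        return False, "missing or invalid anti-CSRF token"
    return True, "ok"


# Constructed sample requests: one from the admin page, one forged by another site.
SESSION = "sess-0001"
LEGIT_REQUEST = {
    "method": "POST", "headers": {"Origin": TRUSTED_ORIGIN},
    "cookies": {"session": SESSION},
    "form": {"csrf_token": issue_csrf_token(SESSION), "remote_http": "1"},
}
FORGED_REQUEST = {
    "method": "POST", "headers": {"Origin": "http://attacker.example"},
    "cookies": {"session": SESSION},  # browser adds the cookie automatically
    "form": {"remote_http": "1"},      # no token: the forging page never saw one
}

if __name__ == "__main__":
    print(check_state_changing_request(LEGIT_REQUEST))
    print(check_state_changing_request(FORGED_REQUEST))
```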

Yup!

DNS rebinding attacks are useful for things like this: https://en.wikipedia.org/wiki/DNS_rebinding