Firmware Security Audit Report

UGW 19.07.1 r10911-c155900f66

NYARC-US_AX12V1.0IN_V22.0-2026-04-23

Report date: 2026-04-23

Sample: US_AX12V1.0in_V22.03.01.16_cn_TDC01.bin

🔒 Confidential: for authorized personnel only

1. Executive summary

81 / 100
Critical: 4
High: 0
Medium: 2
Low/Info: 0

2. Test scope and methodology

Item | Details
Firmware version | UGW 19.07.1 r10911-c155900f66
Sample file | US_AX12V1.0in_V22.03.01.16_cn_TDC01.bin
MD5 | b987b5095dfebdf34bdafad9329d4185
SHA-256 | f170ea8a4382e889296d617cf72dada3a5db50eea62545cb85cbd301d33dd95e
File size | 10.8MB
Scan time | 2026-04-23
Tool | Nyarc v1.1.0

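3. Findings overview

# | Severity | CVSS | Finding
1 | MEDIUM | 5.3 | User 'root' uses weak MD5crypt hash
2 | CRITICAL | 5.3 | OpenSSL libcrypto.so.1.0.0 - end of life
3 | CRITICAL | 7.5 | OpenSSL 1.0.0 - end of life
4 | CRITICAL | 9.1 | Private key exposed: /www/pem/privkeySrv.pem
5 | MEDIUM | 5.3 | User 'root' uses weak MD5crypt hash
6 | CRITICAL | 7.5 | OpenSSL 1.0.0 - end of life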

4. Detailed findings

1. User 'root' uses weak MD5crypt hash
Severity: MEDIUM (CVSS 5.3)
Description
MD5crypt ($1$) is a weak algorithm; migration to SHA-512 ($6$) is recommended.
Evidence
/etc/shadow: root:$1$AN2CKJxY$wuXE4IKo...
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

2. OpenSSL libcrypto.so.1.0.0 - end of life
Severity: CRITICAL (CVSS 5.3)
Description
OpenSSL 1.0.x has been EOL since 2020, with multiple known CVEs including RCE.
Evidence
/usr/lib/libcrypto.so.1.0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

3. OpenSSL 1.0.0 - end of life
Severity: CRITICAL (CVSS 7.5)
Description
OpenSSL 1.0.x has been EOL since 2020, with multiple known CVEs including RCE.
Evidence
/usr/lib/libssl.so.1.0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

4. Private key exposed: /www/pem/privkeySrv.pem
Severity: CRITICAL (CVSS 9.1)
Description
Private key found in firmware. Anyone with the firmware can impersonate this service.
Private Key: /www/pem/privkeySrv.pem (2048-bit RSA)
Certificate: /www/pem/privkeySrv.pem
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

5. User 'root' uses weak MD5crypt hash
Severity: MEDIUM (CVSS 5.3)
Description
MD5crypt ($1$) is a weak algorithm; migration to SHA-512 ($6$) is recommended.
Evidence
/etc/shadow: root:$1$AN2CKJxY$wuXE4IKo...
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

6. OpenSSL 1.0.0 - end of life
Severity: CRITICAL (CVSS 7.5)
Description
OpenSSL 1.0.x has been end of life since 2020 and has many known vulnerabilities (including remote code execution).
Evidence
/usr/lib/libssl.so.1.0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5. Outbound communication analysis

Domain | Category | References
dynamic.zoneedit.com | 🟡 system
  • /usr/bin/inadyn
freedns.afraid.org | 🟡 system
  • /usr/bin/inadyn
members.dyndns.org | 🟡 system
  • /usr/bin/inadyn
link.dipserver.com | 🟡 system
  • /usr/bin/88ip
checkip.dyndns.org | 🟡 system
  • /usr/bin/inadyn
ip1.dynupdate.no | 🟡 system
  • /usr/bin/inadyn
time.windows.com | 🟡 system
  • /usr/sbin/httpd
cloud.tenda.com | 🟡 cloud
  • /usr/lib/libcloud.so
dynupdate.no-ip.com | 🟡 system
  • /usr/bin/inadyn
www.tendacn.com | 🟢 frontend | 21 files
  • /www/js/wifi_power.js
  • /www/lang/brpt/translate.json
  • /www/lang/cn/translate.json
  • /www/lang/cs/translate.json
  • /www/lang/de/translate.json
  • /www/lang/es/translate.json
  • /www/lang/fr/translate.json
  • /www/lang/hu/translate.json
  • /www/lang/it/translate.json
  • /www/lang/ko/translate.json
  • /www/lang/laes/translate.json
  • /www/lang/nl/translate.json
  • /www/lang/pl/translate.json
  • /www/lang/pt/translate.json
  • /www/lang/ro/translate.json
  • /www/lang/ru/translate.json
  • /www/lang/tr/translate.json
  • /www/lang/uk/translate.json
  • /www/lang/zh/translate.json
  • /www/printer.html
  • /www/status_extender.html
www.tenda.com | 🟢 frontend | 6 files
  • /usr/sbin/httpd
  • /usr/sbin/miniupnpd
  • /www/goform/GetRouterStatus.txt
  • /www/index.html
  • /www/js/main.js
  • /www/printer.html
www.intel.com | 🟢 frontend | 3 files
  • /lib/firmware/LICENSE
  • /lib/netifd/hostapd.sh
  • /opt/intel/wave/images/LICENSE
downloads.sourceforge.net | 🟢 config | 2 files
  • /etc/hotplug/README
  • /etc/hotplug.d/README
wiki.openwrt.org | 🟢 docs | 2 files
  • /usr/lib/opkg/info/6rd.control
  • /usr/lib/opkg/info/ds-lite.control
www.memtest86.com | 🟢 frontend | 2 files
  • /usr/lib/libbz2.so.1.0
  • /usr/lib/libbz2.so.1.0.8
forum.openwrt.org | 🟢 config | 2 files
  • /etc/os-release
  • /usr/lib/os-release
users.sourceforge.net | 🟢 package | 2 files
  • /usr/lib/opkg/info/safeclibs.control
  • /usr/lib/opkg/info/safeclibs3.control
bugs.openwrt.org | 🟢 config | 2 files
  • /etc/os-release
  • /usr/lib/os-release
yuancheng.xunlei.com | 🟢 unknown | 2 files
  • /www/js/thunder.js
  • /www/xunleiDownload.html
phddns60.oray.net | 🟢 config | 2 files
  • /etc/ddns/ddns.sh
  • /usr/bin/phddns
www.tendawifi.com | 🟢 frontend | 2 files
  • /www/js/index.js
  • /www/js/network-diagnose.js
www.iana.org | 🟢 frontend | 2 files
  • /etc/ethertypes
  • /etc/protocols
www.no-ip.com | 🟢 frontend
  • /usr/bin/inadyn
tcp.example.com | 🟢 config
  • /etc/dnsmasq.conf
wifi.yunos.com | 🟢 unknown
  • /www/js/index.js
g.data.net | 🟢 unknown
  • /www/js/index.js
ce.top-b3.top | 🟢 unknown
  • /www/js/libs/j.js
pajhome.org.uk | 🟢 unknown
  • /www/js/libs/md5.js
fokus.fraunhofer.de | 🟢 unknown
  • /lib/functions.sh
www.upnp.org | 🟢 frontend
  • /usr/sbin/miniupnpd
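
6. Hardening recommendations

Recommendation: review all outbound communications, replace default credentials, and upgrade outdated cryptographic libraries.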