SSD Advisory – Geneko Routers Information Disclosure

Vulnerability Summary
The following advisory describes an information disclosure vulnerability found in Geneko Routers version 3.18.21.
Geneko GWG is “compact and cost effective communications solution that provides cellular capabilities for fixed and mobile applications such as data acquisition, smart metering, remote monitoring and management. GWG supports a variety of radio bands options on 2G, 3G and 4G cellular technologies.”
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
We have tried to contact Geneko since August 2, 2017; repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for these vulnerabilities.

Vulnerability Details
If the administrator has previously backed up the configuration file, then the attacker can access

https://IP/configuration/confFile.bkg

and get the configuration file, which contains the admin password.
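
To find out whether the backup file has already been requested, a defender can search the access logs of a proxy or gateway that sits in front of the router's web interface. The Python below is an added example, not part of the original advisory or of Geneko's software; it assumes combined-log-format lines, and the function names and sample log entries are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Path from the advisory, lower-cased so case variants are flagged as well.
BACKUP_PATH = "/configuration/conffile.bkg"

# Assumption: the proxy in front of the router writes combined log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [03/Oct/2017:10:12:01 +0000] "GET /configuration/confFile.bkg HTTP/1.1" 200 18342 "-" "-"',
    '198.51.100.7 - - [03/Oct/2017:10:12:05 +0000] "GET /configuration/conf%46ile.bkg?x=1 HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.10 - admin [03/Oct/2017:10:13:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [03/Oct/2017:10:14:30 +0000] "GET //configuration/./confFile.bkg HTTP/1.1" 200 18342 "-" "-"',
]

def normalize(target):
    """Drop the query string, decode %XX, collapse '//' and '/./' so variants match."""
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r"/{2,}", "/", path)
    return posixpath.normpath(path).lower()

def find_backup_requests(lines):
    """Return (source, timestamp, status, verdict) for each request to the backup file."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or normalize(m["target"]) != BACKUP_PATH:
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        # A 200 with a body means the file, and the admin password in it, was served.
        verdict = "downloaded" if status == 200 and size > 0 else "probe"
        hits.append((m["src"], m["ts"], status, verdict))
    return hits

if __name__ == "__main__":
    for hit in find_backup_requests(SAMPLE):
        print(hit)
```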