NetGore: Simple Flaw Affects Hundreds of Thousands of Netgear Devices

Trustwave said that a serious and easy to abuse flaw affects more than 30 models of Netgear routers totaling hundreds of thousands of devices, globally.

In-brief: Weeks after the Federal Trade Commission sued the firm D-Link for weak security in its broadband routers, dozens of routers made by the firm NetGear are reported to also be vulnerable to trivial hacking attacks. Small businesses including restaurants and cafés are heavy users of the devices and may be particularly vulnerable, according to experts at the firm Trustwave.

Weeks after the Federal Trade Commission sued the firm D-Link for what it says is weak security in its home, broadband routers, dozens of routers made by the firm NetGear are reported to also be vulnerable to trivial hacking attacks. Small businesses including restaurants and cafés are heavy users of the devices and may be particularly vulnerable, the company warned.

Research by the firm Trustwave found that thirty-one models of NetGear routers contain a flaw that could allow a remote attacker, or one on the same network as the router, to bypass the authentication feature of the devices and take control of them. The flaw affects more than 10,000 devices that can be accessed from the public Internet, but the real number of affected devices may be in the hundreds of thousands, according to a post by Trustwave SpiderLabs Security Researcher Simon Kenin.

Kenin said his research into Netgear routers started with a model in his own home but expanded to include more than 30 models by the manufacturer. The models are prone to a password disclosure that allows anyone to craft a simple request to the web management server on the device. The bug is exploitable remotely if the remote management option is set. It can also be exploited by a user on the same local- or wide-area network as the router, Trustwave warned. Remote access to Netgear devices is disabled by default, but can be enabled by users, the company said. The vulnerability is very easy to trigger on any device where the ‘password recovery’ feature is not enabled, Kenin warned.

When a user tries to access the web panel they are asked to authenticate; if the authentication is cancelled and password recovery is not enabled, the user is redirected to a page that exposes a password recovery token. If a user then accesses the password recovery page on the router and supplies the leaked token value, they receive the administrative password for the router. Because the password recovery feature is not on by default, most Netgear routers are left vulnerable to the flaw, said Karl Sigler, the Threat Intelligence Manager for Trustwave.
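As an added illustration of how a defender might look for the sequence described above in router or proxy access logs (this is example code added here, not Trustwave's or Netgear's, and the endpoint paths, the `token` query parameter name and the log lines are constructed placeholders rather than the real device's), the following Python scans Common Log Format lines and flags clients that reach the password recovery page without ever having authenticated:

```python
"""Flag clients that walk the cancelled-login -> token page -> password recovery
path without an authenticated session.  Endpoint names and sample log lines are
constructed for this example; they are NOT the real router's paths."""
import re
from collections import defaultdict

# Hypothetical paths standing in for the device's real endpoints (assumption).
ADMIN_PAGE = "/admin"                      # login-protected management panel
RECOVERY_TOKEN_PAGE = "/recovery-token-page"   # redirect target after a cancelled login
PASSWORD_RECOVERY_PAGE = "/password-recovery"  # page that accepts the recovery token

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path_only"], _, rec["query"] = rec["path"].partition("?")
    return rec


def detect_recovery_abuse(lines):
    """Return {client_ip: [finding, ...]} for clients showing the leak pattern.

    A client is tracked through three states: a failed/cancelled login on the
    admin page, a visit to the token-exposing page, and a submission to the
    password recovery page.  Clients that authenticated successfully at any
    point are not flagged.
    """
    state = defaultdict(lambda: {"auth_failed": False, "token_page": False,
                                 "authenticated": False})
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = state[rec["ip"]]
        path = rec["path_only"]
        if path == ADMIN_PAGE and rec["status"] == 401:
            s["auth_failed"] = True
        elif path == ADMIN_PAGE and rec["status"] == 200:
            s["authenticated"] = True
        elif path == RECOVERY_TOKEN_PAGE and rec["status"] == 200:
            s["token_page"] = True
            if s["auth_failed"] and not s["authenticated"]:
                findings[rec["ip"]].append("token page reached after cancelled login")
        elif path == PASSWORD_RECOVERY_PAGE and "token=" in rec["query"]:
            if s["authenticated"]:
                continue  # a logged-in admin using recovery is not the leak pattern
            if s["token_page"]:
                findings[rec["ip"]].append("password recovery submitted with leaked token")
            else:
                findings[rec["ip"]].append("password recovery submitted by unauthenticated client")
    return dict(findings)


# Constructed sample: 10.0.0.5 follows the leak sequence, 10.0.0.9 logs in normally.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jan/2017:10:00:01 +0000] "GET /admin HTTP/1.1" 401 0
10.0.0.5 - - [30/Jan/2017:10:00:02 +0000] "GET /recovery-token-page?id=42 HTTP/1.1" 200 512
10.0.0.5 - - [30/Jan/2017:10:00:05 +0000] "GET /password-recovery?id=42&token=deadbeef HTTP/1.1" 200 300
10.0.0.9 - - [30/Jan/2017:10:01:00 +0000] "GET /admin HTTP/1.1" 401 0
10.0.0.9 - - [30/Jan/2017:10:01:03 +0000] "GET /admin HTTP/1.1" 200 2048
10.0.0.9 - - [30/Jan/2017:10:02:00 +0000] "GET /status HTTP/1.1" 200 800
not a log line at all
""".splitlines()

if __name__ == "__main__":
    for ip, hits in detect_recovery_abuse(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(hits))
```

Because the detector keys on unauthenticated submissions to the recovery page, a device where password recovery is legitimately enabled will also produce hits when a real user answers the security questions, so treat the output as a triage signal to pair with the mitigations the article lists (enabling password recovery and disabling remote management) rather than as proof of compromise.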

The affected devices are mostly wi-fi-equipped routers that act as a bridge between wireless networks and a wired Ethernet Internet connection. Small business and home office (often referred to as SOHO) customers are likely to feel the brunt of attacks, as they are the most common users of the low-cost Netgear equipment, Sigler said. Anyone who connects to the wireless network controlled by a vulnerable Netgear router could gain access to the administrator console for the device. That would allow them to view and attack other devices connected to the hotspot. A more common hack would be to change the DNS (Domain Name System) server used by the device to one controlled by the attacker. That way, any web browsing would be filtered through the attacker’s DNS server, enabling drive-by download attacks or other mischief.

Some of the company’s most popular models are affected, including the R8500, R8300, R7000, R6700, R6900, R8000, R7900, R6400, and R7100LG routers.

The vulnerability is similar to another authentication bypass in software by the firm Xiongmai Technologies that runs on IP enabled cameras and digital video recorders (DVRs) that made up the Mirai botnet. That flaw allowed anyone who knew the Internet address of an Internet connected device to directly access the management console for the device without first logging in.

Trustwave first reported the vulnerability to Netgear in April 2016. Since then the company has acknowledged the hole and issued software updates to address it in at least some models. Patches are available for 19 models of broadband routers. Twelve more models of routers and DSL gateways are affected, but do not have a firmware update that addresses the flaw. For those, the company recommends enabling the password recovery feature and disabling remote access, which will protect the devices from the kinds of attacks Trustwave described.

Sigler said the company, which was initially reluctant to move quickly to address security holes, became more responsive as the extent of the flaw became clear. Patches that had initially taken months for Netgear to release were soon completed in weeks, Sigler said. Also, Netgear introduced a formal bug bounty program using the company Bugcrowd. In December, Netgear moved to patch small office and home routers following a warning by Carnegie Mellon University’s CERT about an “arbitrary command injection” vulnerability in the latest version of firmware used by the wireless routers. The security hole could allow a remote attacker to take control of the router by convincing a user to visit a malicious web site.

Broadband routers and wi-fi hotspots are the canary in the coal mine of the Internet of Things: a vast and already deployed ecosystem of connected, embedded systems. Flaws in routers are dangerous because they give attackers both a foothold on home and small business networks and access to other devices connected to those networks. In recent years, cyber criminal gangs have started to focus attention on broadband modems and other small, embedded computers, enrolling them in global botnets that are used to distribute malware and spam or launch denial of service attacks.
