igor - Fotolia

More than a million Netgear routers feared vulnerable to hijack

At least 10,000 and possibly more than a million Netgear routers are vulnerable to hijack by attackers, warn security researchers

Trustwave security researchers have discovered two vulnerabilities in 31 models of Netgear routers that allow attackers to bypass passwords and take over complete control of the devices.

“Many Netgear routers are prone to password disclosure via simple crafted requests to the web management server,” said a security advisory issued by Trustwave.

This means that at least 10,000 Netgear routers, and potentially a million or more, could be turned into botnets for Mirai-style distributed denial of service (DDoS) attacks.

Attackers could also exploit the newly-discovered vulnerabilities to change device configuration and even upload new firmware.

Despite the fact that routers are the first and sometimes last line of defence for a network, many manufacturers of home routers fail to audit their devices for security issues before releasing them to the market, said Simon Kenin, security researcher at Trustwave.

In a blog post, he described how he found a vulnerability (CVE-2017-5521) in one model of Netgear router using information about the vulnerability in two other models.

Kenin then wrote a Python script to discover how many other Netgear router models were affected, but a coding error uncovered a previously unknown vulnerability.

“I had an error in my code where it didn’t correctly take the number from unauth.cgi and passed gibberish to passwordrecovered.cgi instead, but somehow it still managed to get the credentials,” he wrote.

This meant that the first call to passwordrecovered.cgi will give out the credentials no matter what parameter is sent.

“This is totally new bug (TWSL2017-003) that I haven’t seen anywhere else,” said Kenin. “When I tested both bugs on different Netgear, I found that my second bug works on a much wider range of models.”

In accordance with Trustwave’s responsible disclosure, both findings were sent to Netgear in April 2016, but nearly nine months later, Netgear has released patches for only 18 vulnerable router models.

However, Kenin said Netgear had now committed to pushing out firmware to the currently unpatched models on an “aggressive timeline” and had set up a responsible disclosure programme through Bugcrowd.

“The second change made us more confident that Netgear was not just serious about patching these vulnerabilities, but serious about changing how they handle third-party disclosure in general,” he wrote.

Read more about Mirai

However, Kenin said the second vulnerability he had discovered was critical for four reasons. First, it affects a large number of Netgear models, which he said could be more than a million.

Second, the vulnerability could also be used by a remote attacker if remote administration is set to be internet-facing, and athough this setting is off by default, Kenin said anyone with physical access to a network with a vulnerable router could exploit it locally. This would include public Wi-Fi spaces such as cafés and libraries using vulnerable equipment.

Third, because many people reuse their password, having the admin password of the router gives someone an initial foothold on the network. “We can see all the devices connected to the network and try to access them with that same admin password,” Kenin wrote.

Fourth, with malware such as the Mirai botnet, it is also possible that some of the vulnerable routers could be infected and ultimately used as bots. If running a bot is not possible, the DNS can easily be changed to a rogue one to infect all machines on the network.

Netgear said in a statement that it has been working with the security analysts to evaluate the vulnerability from the time they first contacted the company.

“After being notified of the vulnerability in April [2016], we released the first batch of fixes in June [2016] and prioritised the products based on the greatest number of customers or shipments,” the company said.

Since that time, Netgear said it has continued to release fixes for the remaining products, most of which are “older obsolete products” with a smaller install base.

However, Netgear said it has notified users of workarounds for all affected products when it issued the first batch of fixes to help ensure no one would be vulnerable pending the remaining fixes. 

Netgear also noted that its Knowledge Base Article lists the affected routers and the available firmware fixes.

Firmware fixes are currently available for the majority of the affected devices, the company said. To download the firmware release that fixes the password recovery vulnerability, users need to click the link for the model and visit the firmware release page for further instructions.

“For devices that are still pending final firmware updates, please continue employing the advised work around, which for most users requires no action to be taken,” Netgear said.

The company also highlighted that this vulnerability occurs only if an attacker has access to the internal network, which requires close physical proximity plus Wi-Fi password access, or when remote management is enabled on the router.

“Our routers are shipped from the factory with remote management turned off by default and can only be turned on through the advanced settings, so unless you have affirmatively enabled remote management on your router, no further action is required,” Netgear said.

The company said it appreciates having security concerns brought to its attention, which can be done through Bugcrowd. Customers with a security-related concern should contact Netgear’s security support team or consult the Netgear security information.

Trustwave recommends all users of Netgear equipment to check Netgear's Knowledge Base Article for instructions to test for the vulnerabilities and how to apply patched firmware if necessary.

News of the latest Netgear vulnerabilities comes just a month after a security researcher took advantage of a major vulnerability in several high-end Netgear routers to show how command injection attacks were possible on the R8000, R7000 and R6400 models, and others.

The Netgear vulnerability was patched soon after the exploit was made public, and Netgear released beta firmware updates for the affected routers, according to SearchSecurity.

Read more on Hackers and cybercrime prevention