Up to 31 Netgear rotuers impacted by remote access flaw that could leave your network a node in a botnet
As many as 31 Netgear routers were found to be subject to a vulnerability that could give an attacker access to the system and the management panel – and potentially set up a botnet.
Security researcher Simon Kenin at Trustwave discovered two separate flaws when he wanted to reset his own router but had forgotten the password to the web panel.
Although his particular model had no known vulnerabilities, he found two relating to a ‘unauth.cgi’ file he had discovered in his initial exploration. Using a number found in this file, he found he could retrieve his password from another file called ‘passwordrecover.cgi.’
He attempted the same technique with an older Netgear router and asked friends and colleagues if they had equipment from the same manufacturer. He created a piece of code that would allow them to test themselves if the router was vulnerable.
However, the program he distributed had an error, yet Kenin found routers were giving up the login credentials. This meant ‘passwordrecover.cgi.’ would yield its treasure no matter what parameters were thrown at it.
Trustwave found 10,000 routers that could be remotely accessed, but the true figure of those impacted is more likely to be hundreds of thousands, if not millions. If an attacker was to exploit this, it could in theory create a botnet capable of staging huge DDoS attacks, just like Mirai last year.
“The vulnerability can be used by a remote attacker if remote administration is set to be Internet facing. By default this is not turned on,” said Kenin. “However, anyone with physical access to a network with a vulnerable router can exploit it locally. This would include public wifi spaces like cafés and libraries using vulnerable equipment.
“As many people reuse their password, having the admin password of the router gives us an initial foothold on the network. We can see all the devices connected to the network and try to access them with that same admin password.”
“With malware such as the Mirai botnet being out there, it is also possible that some of the vulnerable routers could be infected and ultimately used as bots as well. If running a bot is not possible, the DNS can be easily changed to a rogue one, as described by Proofpoint, to further infect machines on the network.”
Kenin submitted his findings to Netgear in April 2016, which issued firmware updates in phases. Now just one device is affected.
A number of security vendors have expressed concerns that router manufacturers are not securing their products effectively. Kenin said third party disclosures had been difficult with major manfuacturers but Netgear’s attitude on this occasion suggested a change in behaviour, especially it is now working with Bugcrowd.
Netgear told Silicon it had worked to eliminate the threat and welcomed the input of the cybersecurity community.
“Netgear is aware of the vulnerability (CVE-2017-5521), that has been recently publicised by TrustWave,” said a spokesperson. “This is not a new or recent development. We have been working with the security analysts to evaluate the vulnerability. Netgear has published a knowledge base article from our support page, which lists the affected routers and the available firmware fix.
“Firmware fixes are currently available for the majority of the affected devices. To download the firmware release that fixes the password recovery vulnerability, click the link for the model and visit the firmware release page for further instructions. For devices that are still pending final firmware updates, please follow the advised work around.
“Please note that this vulnerability occurs when an attacker can gain access to the internal network or when remote management is enabled on the router. Remote management is turned off by default; but can be turned on through the advanced settings.
“Netgear does appreciate and value having security concerns brought to our attention. We constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at Netgear.
“While the password disclosure issue is fairly low-severity, since the application is not exposed by default on the internet, and the attacker has only one chance to exploit it after a router reboot, the results of Trustwave’s coordinated disclosure work are impressive,” added Tod Beardsley, senior research manager at Rapid7.
“I’m happy to see that Netgear is taking responsibility for levelling up their disclosure handling procedures and partnering with BugCrowd, a reputable bug bounty organization that helps equipment manufacturers like Netgear get a handle on how future vulnerabilities are handled and disclosed. Other home and small business router vendors can learn a lot from these experiences.”
Last year, it was discovered Netgear routers were susceptible to a firmware flaw that left them exposed.
Are you a security pro? Try our quiz!