Netgear Mitigates New Router Holes

Friday, February 3, 2017 @ 05:02 PM gHale

Netgear issued patches for most of the vulnerable routers or has provided workarounds to mitigate the threat for older models after a researcher found holes in 31 models of Netgear routers that could allow hackers to take over devices.

The flaws could allow an attacker to discover or completely bypass any password on a Netgear router, giving them complete control of the router, including the ability to change configuration, turn infected routers into botnets or even upload entirely new firmware.

These new bugs come on the heels of flaws discovered in Netgear devices in December.

The most recent vulnerabilities were discovered one day when Simon Kenin, security researcher at Trustwave, was trying to access the web interface of his Netgear VEGN2610 router and couldn’t remember the password for it.

When he started “manually fuzzing” the web server with different parameters, he found a file called “unauth.cgi”.

“I started looking up what that “unauth.cgi” page could be, and I found two publicly disclosed exploits from 2014, for different models that manage to do unauthenticated password disclosure. Booyah! Exactly what I need,” he said in a blog post. “Those two guys found out that the number we get from unauth.cgi can be used with passwordrecovered.cgi to retrieve the credentials.”

Kenin said he tested it with a different Netgear router and got the same results. He said he even made an error in coding and still managed to unearth credentials.

“This is a totally new bug that I haven’t seen anywhere else. When I tested both bugs on different Netgear models, I found that my second bug works on a much wider range of models.”

Kenin said the flaws affect quite a few models.

Netgear said it made patches and workarounds available to mitigate the password bypass threat, which potentially impacted 1 million devices:

“NETGEAR is aware of the vulnerability (CVE-2017-5521), that has been recently publicized by TrustWave. This is not a new or recent development. We have been working with the security analysts to evaluate the vulnerability from the time they first contacted us. After being notified of the vulnerability in April, we released the first batch of fixes in June and prioritized the products based on the greatest number of customers or shipments.

“Since that time we have continued to release fixes for the remaining products, most of which are older obsolete products with a smaller install base, although it is important to note that we notified users of workarounds for all affected products contemporaneously with the first batch of fixes in June, so no one would be vulnerable pending the remaining fixes.”

A remote attacker can exploit the vulnerability if remote administration is set to be Internet facing. By default, this is not turned on. However, anyone with physical access to a network with a vulnerable router can exploit it locally. This would include public Wi-Fi spaces.

Kenin said there is a full description of the flaws as well as a testing script.
