A security researcher has described how he uncovered a severe security hole in dozens of different Netgear routers, meaning that “hundreds of thousands, if not over a million” devices could be at risk of having their admin passwords stolen by hackers.
Simon Kenin, a researcher at Trustwave, has explained how sheer laziness on a cold and rainy winter night stopped him from getting out of bed and going downstairs to reboot his router. Instead, he stayed under the covers and investigated whether he could find a way to hack into the device’s web admin panel, having forgotten the access password.
Shockingly, Kenin discovered that all he had to do was send a simple web request to the router’s management software to retrieve its admin password, using two security flaws previously disclosed on other Netgear routers back in 2014.
When trying to access the web panel, a user is asked to authenticate. If the authentication is cancelled and password recovery is not enabled, the user is redirected to a page which exposes a password recovery token. If a user supplies the correct token to the page http://router/passwordrecovered.cgi?id=TOKEN (and password recovery is not enabled), they will receive the admin password for the router.
As it transpired, the router’s admin password could be retrieved even if the attacker does not send a legitimate password recovery token:
I found that the very first call to passwordrecovered.cgi will give out the credentials no matter what parameter you send. This is a totally new bug that I haven’t seen anywhere else. When I tested both bugs on different NETGEAR models, I found that my second bug works on a much wider range of models.
It’s bad enough that Kenin found the router vulnerable to that flaw while on the same Wi-Fi network, but he also determined that if the router’s remote management option had been enabled, the vulnerability could be exploited remotely by a malicious attacker.
Fortunately, the opportunities for malicious hackers to exploit the flaw are stymied a little because the remote management feature is disabled on Netgear’s routers by default, but according to Kenin “hundreds of thousands, if not over a million” devices are accessible over the public internet, and should be considered to be at the greatest risk of exploitation.
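As an added defender-side illustration (not code from this article, from Trustwave or from Netgear), the following Python scans web-server access logs for requests to the passwordrecovered.cgi endpoint described above, rating a hit from an address outside the LAN as critical because it means the management interface was reachable remotely, the scenario the article singles out. The log lines are constructed, and the Common Log Format and the RFC 1918 LAN ranges are assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
192.168.1.20 - - [30/Jan/2017:21:04:11 +0000] "GET /index.htm HTTP/1.1" 401 0
192.168.1.20 - - [30/Jan/2017:21:04:15 +0000] "GET /passwordrecovered.cgi?id=1234 HTTP/1.1" 200 2418
203.0.113.77 - - [30/Jan/2017:22:10:02 +0000] "GET /passwordrecovered.cgi?id=0 HTTP/1.1" 200 2418
203.0.113.77 - - [30/Jan/2017:22:10:09 +0000] "GET /index.htm HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumption: the router's LAN uses RFC 1918 space. Listed explicitly rather than
# using ipaddress.is_private, which also treats documentation ranges as private.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# The endpoint named in the advisory quoted above.
RECOVERY_PATH = "/passwordrecovered.cgi"


def is_lan(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETWORKS)


def find_recovery_hits(log_text: str) -> List[Dict[str, str]]:
    """One record per request to the recovery endpoint; external sources are
    rated critical because they imply remote management was reachable."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        path = m.group("path").split("?", 1)[0]
        if path.lower() != RECOVERY_PATH:
            continue
        external = not is_lan(m.group("src"))
        hits.append({
            "src": m.group("src"),
            "ts": m.group("ts"),
            "status": m.group("status"),
            "severity": "critical" if external else "high",
        })
    return hits
```

Any hit at all is worth investigating, since a legitimate recovery flow on a router with recovery disabled should not occur; the external-source rating just orders the triage.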
In a support advisory, Netgear recommends that users check that their router’s firmware is fully up-to-date.
Kenin claims that dozens of Netgear routers are vulnerable to the security hole he uncovered if firmware is not patched:
Just last month we reported that CERT was warning of a different way in which Netgear routers could be remotely exploited.
Kenin believes that Netgear is taking the problems seriously. He responsibly disclosed the vulnerabilities to them last year, and reports that the company is “committed to pushing out firmware to the currently unpatched models on an aggressive timeline.”
In addition, Netgear has signed up with the Bugcrowd bug bounty service, providing a mechanism for vulnerability researchers to communicate more easily with the company’s security team and – potentially – earn rewards for details of the flaws that they find and responsibly disclose.
The end result should be, says Kenin, “a more secure line of products and services.”
Good for Netgear, but the truth is that all router manufacturers really need to start doing a better job of securing their devices. After all, the internet is made a less safe place for all of us as more and more poorly-secured devices are connected to it.
Author Graham Cluley, We Live Security