Password-stealing security hole discovered in many Netgear routers

Password-stealing security hole discovered in many Netgear routers

A security researcher has described how he uncovered a severe security hole in dozens of different Netgear routers, meaning that "hundreds of thousands, if not over a million" devices could be at risk of having their admin passwords stolen by hackers.

A security researcher has described how he uncovered a severe security hole in dozens of different Netgear routers, meaning that “hundreds of thousands, if not over a million” devices could be at risk of having their admin passwords stolen by hackers.

A security researcher has described how he uncovered a severe security hole in dozens of different Netgear routers, meaning that “hundreds of thousands, if not over a million” devices could be at risk of having their admin passwords stolen by hackers.

Simon Kenin, a researcher at Trustwave, has explained how sheer laziness on a cold and rainy winter night stopped him from getting out of bed and going downstairs to reboot his router. Instead, he stayed under the covers and investigated whether he could find a way to hack into the device’s web admin panel, having forgotten the access password.

Shockingly, Kenin discovered that all he had to do was send a simple web request to the router’s management software to retrieve its admin password, using two security flaws previously disclosed on other Netgear routers back in 2014.

When trying to access the web panel a user is asked to authenticate, if the authentication is cancelled and password recovery is not enabled, the user is redirected to a page which exposes a password recovery token. If a user supplies the correct token to the page http://router/passwordrecovered.cgi?id=TOKEN (and password recovery is not enabled), they will receive the admin password for the router.

As it transpired, the router’s admin password could be retrieved even if the attacker does not send a legitimate password recovery token:

I found that the very first call to passwordrecovered.cgi will give out the credentials no matter what the parameter you send. This is totally new bug that I haven’t seen anywhere else. When I tested both bugs on different NETGEAR models, I found that my second bug works on a much wider range of models.

It’s bad enough that Kenin uncovered the router was vulnerable to that flaw when he was on the same Wi-Fi network, but what he also determined was that if the router’s option for remote management had been enabled, the vulnerability could also be exploited remotely by a malicious attacker.

Fortunately the opportunities for malicious hackers to exploit the flaw are stymied a little because the remote management feature is disabled on Netgear’s routers by default, but according to Kenin :hundreds of thousands, if not over a million” devices are accessible over the public internet, and should be considered to be at the greatest risk of exploitation.

Ugh!

In a support advisory, Netgear recommends that users check that their router’s firmware is fully up-to-date.

Kenin claims that dozens of Netgear routers are vulnerable to the security hole he uncovered if firmware is not patched:

  • AC1450 V1.0.0.34_10.0.16 (Latest)
  • AC1450 V1.0.0.22_1.0.10
  • AC1450 V1.0.0.14_1.0.6
  • D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 and above not affected)
  • D6400 V1.0.0.34_1.3.34
  • D6400 V1.0.0.38_1.1.38
  • D6400 V1.0.0.22_1.0.22
  • DC112A V1.0.0.30_1.0.60 (Latest)
  • DGN2200v4 V1.0.0.24_5.0.8 (V1.0.0.66_1.0.66 is latest and is not affected)
  • JNDR3000 V1.0.0.18_1.0.16 (Latest)
  • R6200 V1.0.1.48_1.0.37 (V1.0.1.52_1.0.41 and above are not affected)
  • R6200v2 V1.0.1.20_1.0.18 (V1.0.3.10_10.1.10 is latest and is not affected)
  • R6250 V1.0.1.84_1.0.78 (V1.0.4.2_10.1.10 is latest and is not affected)
  • R6300 V1.0.2.78_1.0.58 (Latest)
  • R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched)
  • R6300v2 V1.0.3.30_10.0.73
  • R6700 V1.0.1.14_10.0.29 (Latest beta)
  • R6700 V1.0.0.26_10.0.26 (Latest stable)
  • R6700 V1.0.0.24_10.0.18
  • R6900 V1.0.0.4_1.0.10 (Latest)
  • R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched)
  • R8300 V1.0.2.48_1.0.52
  • R8500 V1.0.2.30_1.0.43 (V1.0.2.64_1.0.62 and above is patched)
  • R8500 V1.0.2.26_1.0.41
  • R8500 V1.0.0.56_1.0.28
  • R8500 V1.0.0.20_1.0.11
  • VEGN2610 V1.0.0.35_1.0.35 (Latest)
  • VEGN2610 V1.0.0.29_1.0.29
  • VEGN2610 V1.0.0.27_1.0.27
  • WNDR3400v2 V1.0.0.16_1.0.34 (V1.0.0.52_1.0.81 is latest and is not affected)
  • WNDR3400v3 V1.0.0.22_1.0.29 (V1.0.1.2_1.0.51 is latest and is not affected)
  • WNDR3700v3 V1.0.0.38_1.0.31 (Latest)
  • WNDR4000 V1.0.2.4_9.1.86 (Latest)
  • WNDR4500 V1.0.1.40_1.0.68 (Latest)
  • WNDR4500v2 V1.0.0.60_1.0.38 (Latest)
  • WNDR4500v2 V1.0.0.42_1.0.25
  • WGR614v10 V1.0.2.60_60.0.85NA (Latest)
  • WGR614v10 V1.0.2.58_60.0.84NA
  • WGR614v10 V1.0.2.54_60.0.82NA
  • WN3100RP V1.0.0.14_1.0.19 (Latest)
  • WN3100RP V1.0.0.6_1.0.12
  • Lenovo R3220 V1.0.0.16_1.0.16 (Latest)
  • Lenovo R3220 V1.0.0.13_1.0.13

Just last month we reported that CERT was warning of a different way in which Netgear routers could be remotely exploited.

Kenin believes that Netgear is taking the problems seriously. He responsibly disclosed the vulnerabilities to them last year, and reports that the company is “committed to pushing out firmware to the currently unpatched models on an aggressive timeline.”

In addition, Netgear has signed up with the Bugcrowd bug bounty service, providing a mechanism for vulnerability researchers to communicate more easily with the company’s security team and – potentially – earn rewards for details of the flaws that they find and responsibly disclose.

The end result should be, says Kenin, “a more secure line of products and services.”

Good for Netgear, but the truth is that all router manufacturers really need to start doing a better job of securing their devices. After all, the internet is made a less safe place for all of us as more and more poorly-secured devices are connected to it.

Discussion