Easy-to-exploit authentication bypass flaw puts Netgear routers at risk

Thirty models are vulnerable and fixed firmware versions are only available for 20 of them.

For the past half year Netgear has been working on fixing a serious and easy-to-exploit vulnerability in many of its routers. And it's still not done.

While Netgear has worked to fix the issue, the list of affected router models increased to 30, of which only 20 have firmware fixes available to date. A manual workaround is available for the rest.

The vulnerability was discovered by Simon Kenin, a security researcher at Trustwave, and stems from a faulty password recovery implementation in the firmware of many Netgear routers. It is a variation of an older vulnerability that has been publicly known since 2014, but this new version is actually easier to exploit.

In January 2014, a researcher found that he could trick the web-based management interface of Netgear WNR1000v3 routers to disclose the admin's password. The exploit involved passing a numerical token obtained from one script called unauth.cgi to another called passwordrecovered.cgi. Neither of them required authentication to access.

Last year, Kenin came across this old exploit when he wanted to break into his own router -- a different Netgear model -- and realized that it worked. The researcher decided to write a script to automate the exploit so that other people could test their own router models, but due to a programming error the script didn't pass the correct token to passwordrecovered.cgi. Yet the exploit still worked.

"After few trials and errors trying to reproduce the issue, I found that the very first call to passwordrecovered.cgi will give out the credentials no matter what the parameter you send," Kenin said in a blog post Monday. "This is a totally new bug that I haven't seen anywhere else. When I tested both bugs on different NETGEAR models, I found that my second bug works on a much wider range of models."

Kenin claims that he reported the vulnerability to Netgear in early April and the company put out an advisory in June, along with patched firmware for "a small subset of vulnerable routers." Firmware fixes are now available for 20 models.

The company's workaround for routers that don't yet have patched firmware versions involves logging into their management interfaces and enabling the Password Recovery feature on the ADVANCED > Administration > Set Password page. The exploit only works when password recovery is disabled, which is the default setting.

Routers that are configured for remote administration over the internet are directly vulnerable to attacks that exploit this flaw. By obtaining admin credentials attackers can, at the very least, change a router's DNS server settings to redirect users to malicious websites.

However, this doesn't mean that routers whose web interfaces can only be accessed over the local area network -- the default setting -- are not at risk.

If vulnerable routers are used to provide wireless internet access in a public space like a library, a bar or a restaurant, anyone connecting to those networks can compromise them. People also routinely share their home Wi-Fi passwords with friends and family members who can bring compromised computers or smart phones into their networks.

There are also cross-site request forgery (CSRF) attacks that can hijack a user's browser when visiting a specially crafted web page and use it to send malicious requests to a router over the local area network.

"We have found more than ten thousand vulnerable devices that are remotely accessible," Kenin said. "The real number of affected devices is probably in the hundreds of thousands, if not over a million."

In an emailed statement, Netgear said, "This is not a new or recent development. We have been working with the security analysts to evaluate the vulnerability." The company added that firmware fixes are available for the majority of the affected devices and that users should follow the advised workaround for routers for which final updates are still pending.

The company did not clarify whether the list of affected router models in its advisory, which was last updated Friday, is final or if additional models might be added to it in the future.

Some of the affected models, like the C6300 router, which also has cable modem functionality, are distributed to customers by ISPs. Service providers also distribute firmware patches. Kenin found that the Lenovo-branded R3220 router uses Netgear firmware and is also vulnerable.

When it comes to security, Netgear is actually one of the better router manufacturers out there. Earlier this month the company launched a bug bounty program through the Bugcrowd platform.

Attacks against home routers have intensified over the past few years and powerful DDoS botnets like Mirai are now being built from compromised embedded devices. Unfortunately, the software running on such devices continues to be plagued by '90s-era vulnerabilities like command injection and buffer overflows and basic security features found in modern software, like automatic updates or sandboxing, are rare.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?