A vulnerability in Netgear routers, already disclosed by two sets of researchers at different security companies, has been publicly exploited.
Netgear, meanwhile, has yet to release patched firmware, despite apparently having built one and confirmed with one of the companies that privately disclosed that it addressed the problem adequately.
Alexandre Herzog, CTO of Compass Security Schweiz Ltd., of Switzerland, told Threatpost that the unnamed victim became aware of the attack upon investigating the reasons behind some router instability. They discovered that all of their DNS queries had been redirected to the attacker’s server. The victim provided Compass with the IP address of one of the command and control servers involved in the attack. Herzog said his company was able to download data from the attacker’s server and determined that more than 10,000 other routers had already been exploited.
Herzog said Compass informed Switzerland’s national GovCERT, which said it has begun action to shut down the attacker’s server, had contacted Netgear about new firmware and contacted Internet service providers in order to patch infected routers; most of the victims, GovCERT said, are in the United States. Herzog said GovCERT has been unsuccessful in reaching Netgear.
An email from Threatpost to Netgear went unanswered prior to publication.
Daniel Haake of Compass discovered and privately disclosed the vulnerabilities in July; in late September, researchers at Shellshock Labs also discovered and publicly disclosed the flaws.
The vulnerability is a remotely exploitable authentication bypass that affects Netgear router firmware N300_126.96.36.199_1.0.1.img, and N300-188.8.131.52_1.0.1.img. The flaw allows an attacker, without knowing the router password, to access the administration interface.
“The only pre-requisite for the attack is that the attacker can reach the web management interface, which is attainable by default in the internal network,” Herzog said. “With enabled remote administration (not by default), the attack just needs to be connected to the Internet to exploit the flaw. An attacker with physical access to the router can subvert it anyway.”
With full access to the admin page and settings, an attacker could man-in-the-middle network traffic, reconfigure DNS settings to redirect traffic to a third-party server, or downgrade SSL communication using a number of available tools such as SSLstrip developed by Moxie Marlinspike.
Compass explained in its advisory that an attacker need only call a particular URL multiple times after initially failing to authenticate against the router; eventually they would gain access to the administration interface without going through a prompt to enter credentials.
According to the timeline on the advisory, Netgear was notified July 21 via email and July 23 via chat support, which the next day redirected notification to Netgear’s technical team. Next, almost a month after a request for a status update was made and ignored on July 29, Compass put Netgear on notice it would disclose details after 90 days. On Sept. 3, Netgear sent Compass a beta firmware to determine if the issue had been patched adequately, which Compass said it did. Six days later, NETGEAR told Compass it would not disclose a release date for the updated firmware. In the meantime, Shellshock Labs disclosed Sept. 29, prompting Compass to follow suit yesterday.
“Probably the hardest part is to build and ship the new firmware, and get all customers to install it,” Herzog said. “The way the authentication works on the router seems highly complicated for nothing, so maybe I’m underestimating the effort. But this is more a question for Netgear, who did not provide any justification of their delays.”