Netgear recently issued 50 patches for its routers, switches, NAS devices, and wireless access points to resolve vulnerabilities ranging from remote code execution bugs to authentication bypass flaws.
Twenty of the patches address “high” vulnerability issues with the remaining 30 scored as “medium” security risks. Netgear posted advisories for the bugs to its website over the last two weeks.
Network security firm Beyond Security is credited by Netgear for discovering several of the vulnerabilities patched last week. One of the issues was a command injection vulnerability in the ReadyNAS Surveillance Application running on versions prior to 1.4.3-17 (x86) and 1.1.4-7 (ARM). A command injection attack can execute arbitrary commands on host operating systems via vulnerable applications that facilitate the passing of unsafe user supplied data (forms, cookies, HTTP headers) to a system shell.
“These are all vulnerabilities caused by what appears to be inadequate verification of user input, oversight on what should and should not require authentication, and improper mechanism of enforcing security on users accessing their product web interface,” Noam Rathaus, founder and CTO of Beyond Security said. “I believe much of Netgear products share the same codebase and same underlying code structure which is what causing many of their products to be vulnerable.”
“Some of the issues reported are pretty severe,” said Rakhmanov. One of those vulnerabilities (PSV-2017-1209) is a command injection security vulnerability tied to 17 consumer routers running vulnerable firmware.
“This vulnerability would allow any local user to take full control of the router,” Rakhmanov said. “Luckily ‘Remote Administration’ is not turned on by default, but if it were turned on manually this could make the router vulnerable to anyone on the Internet.”
Netgear told Threatpost that most of the vulnerabilities and patches disclosed last week were reported via the company’s bug bounty program, launched in January in partnership with Bugcrowd. Since inception, the company has made several disclosures via the program, including a password bypass bug found in hundreds of thousands of Netgear routers reported earlier this year.
In this most recent wave of disclosures, affected products range from networking gear used in IoT applications such as the ProSAFE M4300 Intelligent Edge Series switch to a consumer-grade Netgear D6400 Wireless Router.
“We are taking the security of our products very seriously and have been working closely with Bugcrowd to help monitor instances of potential security vulnerabilities,” said a Netgear spokesperson. “We work with Bugcrowd to identify potential vulnerabilities and release fixes in bulk, which is why you saw the quantity you did come across last week.”
The company said it is working on an automated processes for a more even distribution of disclosures in the future.
Netgear has faced criticism in past by Beyond Security’s Rathaus for allegedly dragging its feet when it comes to acknowledging technical claims of a vulnerability and the subsequent coordinated advisory.
From Trustwave’s vantage point Netgear is on the right track. “We’ve been working with Netgear through their responsible disclosure process for quite some time and watched them mature tremendously including their current participation in bug bounty programs,” Rakhmanov said.
Netgear isn’t the only networking equipment firm scrambling to patch bugs over the past year. Last month, independent researcher Pierre Kim found a wireless router made by D-Link had nearly one dozen critical vulnerabilities. In April, researchers at IOActive found more than 20 Linksys router models vulnerable to attacks that could allow a third party to reboot, lock out and extract sensitive router data from affected devices. ASUS reported in May vulnerabilities in 30 models of its popular RT routers.
Rathaus blames router and IoT vendors that, he claims, for years have put little effort into security, testing and hardening of products.
“Today using sites such as Shodan you can locate hundreds to hundreds-of-thousands of devices all vulnerable to serious bugs that allow compromising of the device without requiring any authentication or any information beside the IP address of the device,” Rathaus said.
Rathaus said researchers at the firm have reported 60 similar authentication bugs this year alone.
“Every once in a while something unique (a new type of vulnerability) shows up, but in numerous cases it’s the same type of vulnerabilities over and over again,” he said. “Vendors are not spending enough time tracking down these bugs before the product becomes public.”