Researchers discovered as many as 10,000 routers had been taken over, according to data lifted from one of the command and control servers involved in an attack against a victim investigated by Compass Security Schweiz Ltd., of Switzerland.
Researchers involved in the initial private disclosure to Netgear said the networking gear manufacturer had shared a beta firmware with them on Sept. 3, but never disclosed when it would publish the patched firmware. This was after Compass researchers informed Netgear that a 90-day disclosure deadline would expire this month.
However, on Sept. 29, researchers at Shellshock Labs disclosed some details, prompting Compass to do the same last week.
The updated firmware was released last night and affects versions JNR1010v2, WNR2000v5, JWNR2010v5, WNR614, WNR618, WNR1000v4, WNR2020, and WNR2020v2.
Router vulnerabilities and takeovers have been a security epidemic in the past 18 months with numerous critical bugs affecting almost manufacturers and products. Some vendors, for example, have built excessive features into their gear that is largely insecure, guarded either by weak or non-existent default credentials, or shoddy encryption.
The risk to business and home users is that an attacker in control of a router can redirect incoming and outgoing traffic by changing DNS configurations, or sit in a man-in-the-middle position and spy on supposedly protected traffic.
The so-called pharming attacks have been a serious threat, in particular in Brazil, according to researchers at Kaspersky Lab, who used pharming as one phase of a complex scheme to steal banking credentials.
The Netgear-related attacks were reported to Switzerland’s national GovCERT which told the consultancy that it would begin action to take the command and control servers offline. Most of the victims, Compass CTO Alexandre Herzog said, are in the United States.
Daniel Haake of Compass discovered and privately disclosed the vulnerabilities in July; in late September, researchers at Shellshock Labs also discovered and publicly disclosed the flaws.
The vulnerability is a remotely exploitable authentication bypass that affects Netgear router firmware N300_18.104.22.168_1.0.1.img, and N300-22.214.171.124_1.0.1.img. The flaw allows an attacker, without knowing the router password, to access the administration interface.
“The only pre-requisite for the attack is that the attacker can reach the web management interface, which is attainable by default in the internal network,” Herzog said. “With enabled remote administration (not by default), the attack just needs to be connected to the Internet to exploit the flaw. An attacker with physical access to the router can subvert it anyway.”