Netgear Router Update Removes Hardcoded Crypto Keys

Netgear on Friday released firmware updates for two of its router products lines, patching a hardcoded cryptographic key and an authentication bypass flaw that were reported six months ago.

Netgear has released firmware updates for two of its router products lines, patching vulnerabilities that were reported in January.

Users should update to firmware version 1.0.0.59, which includes fixes for an authentication bypass vulnerability and also addresses a hard-coded cryptographic key embedded in older versions of the firmware.

A vulnerability note published by CERT operating at the Software Engineering Institute at Carnegie Mellon University said Netgear router models D6000 and D3600 running firmware versions 1.0.0.47 and 1.0.0.49 are affected. CERT cautions that other models and firmware versions could also be susceptible to the same issues.

The flaws pose a risk to the privacy and security of data moving through the networking gear.

“A remote unauthenticated attacker may be able to gain administrator access to the device, man-in-the-middle a victim on the network, or decrypt passively captured data,” CERT said in its note.

Netgear warned in a support note that an attacker on the network or remotely if remote management enabled, could exploit CVE-2015-8288, and gain access to a hard-coded RSA private key and a hard-coded x.509 certificate and key. It released the updated firmware April 20.

“An attacker with knowledge of these keys could gain administrator access to the device, implement man-in-the-middle attacks, or decrypt passively captured packets,” CERT said in its note.

The authentication bypass flaw, CVE-2015-8289, can expose password security keys if the password recovery feature is disabled, Netgear said.

“A remote attacker able to access the /cgi-bin/passrec.asp password recovery page may be able to view the administrator password in clear text by opening the source code of above page,” CERT said in its note.

CERT suggests that a workaround that includes restricting network access to the router’s web interface over HTTP.

Researcher Mandar Jadhav of Qualys privately reported the flaws in December Jan. 17. His disclosure came on the heels of a critical authentication bypass vulnerability in Netgear router firmware N300_1.1.0.31_1.0.1.img, and N300-1.1.0.28_1.0.1.img that had been publicly disclosed and exploited before a patch was available.

Attackers had been able to exploit the flaws to redirect DNS queries to their servers. With full access to the admin page and settings, an attacker could man-in-the-middle network traffic, reconfigure DNS settings to redirect traffic to a third-party server, or downgrade SSL communication using a number of available tools such as SSLstrip developed by Moxie Marlinspike.

Less than a week later, Netgear published new firmware that addressed the vulnerability. Router models JNR1010v2, WNR2000v5, JWNR2010v5, WNR614, WNR618, WNR1000v4, WNR2020, and WNR2020v2 were affected, and researchers estimated that 10,000 routers had been taken over.

This article was updated June 14 with clarifications throughout. 

Suggested articles