An impressive number of Netgear routers is affected by two flaws that can lead to password disclosure.
It has been estimated that hundreds of thousand devices, potentially more than one million Netgear routers, could be hacked, by both a local or a remote attacker.
Simon Kenin, a security researcher at Trustwave, discovered the flaw and confirmed the vulnerabilities can be remotely exploited when the remote management option of the Netgear routers is enabled.
While Netgear claims remote management is turned off on routers by default,
Kenin explained that despite Netgear claims remote management is turned off on routers by default, there are “hundreds of thousands, if not over a million” Netgear routers with the feature turned on.
Hacking the Netgear routers by exploiting this password bypass it is quite simple, attackers just need to send a simple request to the web management server running on the device.
In this way the expert is able to determine a number that corresponds to a password recovery token, then he could use it to call the passwordrecovered.cgi script.
Kenin discovered by the password bypass by leveraging two exploits disclosed in 2014 on some Netgear routers.
“After few trials and errors trying to reproduce the issue, I found that the very first call to passwordrecovered.cgi will give out the credentials no matter what the parameter you send. This is totally new bug that I haven’t seen anywhere else. When I tested both bugs on different NETGEAR models, I found that my second bug works on a much wider range of models.” Kenin wrote in a blog post.
“A full description of both of these findings as well as the python script used for testing can be found here. The vulnerabilities have been assigned CVE-2017-5521 and TWSL2017-003.”
Trustwave reported the vulnerability to Netgear in April 2016, but Netgear only in in July provided firmware updates for a fraction of the affected router models.
This week Netgear published detailed instructions on the affected models and the way to download and install firmware updates. According to the security advisory, there are 31 vulnerable models, but only 18 of them have been patched.
The owners of the unpatched devices have to manually enable password recovery and disable remote management on their Netgear routers in order to avoid problems.
“The potential for password exposure remains if you do not complete both steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification,” the company writes.
Kenin points out the dangers caused by malware like the Mirai bot that once obtained a login credential for the routers could cause serious problems.
“With malware such as the Mirai botnet being out there, it is also possible that some of the vulnerable routers could be infected and ultimately used as bots as well. If running a bot is not possible, the DNS can be easily changed to a rogue one, as described by Proofpoint, to further infect machines on the network,” Kenin added.
(Security Affairs – Netgear, routers)