The IT Nerd

If you own a Netgear router, you have to be wondering if you should ditch it for something else? I say that because hot off the heels of this serious security issue coming to light, though that was kind of fixed a few days later comes this:

The NETGEAR WNR2000 allows an administrator to perform a number of sensitive functions in the web interface through an apparent CGI script named apply.cgi. This script is invoked when changing Internet settings, WLAN settings, restore to factory defaults, reboot the router, etc.

However apply.cgi is not really a script, but a function that is invoked in the HTTP server (uhttpd) when it receives that string in the URL. When reverse engineering uhttpd, it was found that it also allows an unauthenticated user to perform the same sensitive admin functions if apply_noauth.cgi is invoked instead.

Some of the functions, such as rebooting the router, can be exploited straight away by an unauthenticated attacker. Other functions, such as changing Internet, WLAN settings or retrieving the administrative password, require the attacker to send a “timestamp” variable attached to the URL. This timestamp is generated every time the target page is accessed and functions as a sort of anti-CSRF token.

The timestamp generating function was reverse engineered and due to incorrect use of random number generation (details below) it is possible to identify the token in less than 1000 attempts with no other previous knowledge.

By combining this knowledge with an information leakage, it is possible to recover the administrator password. This password is then used to enable telnet functionality in the router and obtain a root shell if the attacker is in the LAN.

Finally, a stack buffer overflow was also discovered, which combined with the apply_noauth.cgi vulnerability and the timestamp identification attack allows an unauthenticated attacker to take full control of the device and execute code remotely in the LAN and in the WAN.

Okay. Let me translate for you. The vulnerabilities described above could allow a remote attacker to execute code and take over the device without authentication. And the attack is possible on the local network and via the Internet if remote administration is turned on, which to be fair it is not by default.

That’s a pretty big #Fail on the part of Netgear. What’s worse is that according to Pedro Ribeiro, the security researcher who discovered this is Netgear’s response:

NETGEAR did not respond to any emails, so THERE IS NO FIX for these vulnerabilities.

It is recommended to replace this router with another make and model that supports OpenWRT firmware. WNR2000 v3 and v4 have OpenWRT images available, but the latest v5 is not supported yet.
Timeline of disclosure:

26.09.2016: Email sent to NETGEAR (security@netgear.com) asking for PGP key, no response.

28.10.2016: Email sent to NETGEAR (security@netgear.com) asking for PGP key, no response.

26.11.2016: Disclosed vulnerability to CERT through their web portal.

29.11.2016: Received reply from CERT. They indicated that NETGEAR does not cooperate with them, so they recommended getting CVE numbers from MITRE and releasing the vulnerability information.

            Email to MITRE requesting CVE numbers, no response.

            Email sent to NETGEAR (security@netgear.com) asking for PGP key, no response.

20.12.2016: Public disclosure.

Well, that’s an #EpicFail on the part of Netgear to not even respond to him. I bet that they’re working overtime over the holidays to come up with a fix now that this is public and a PR disaster in progress. I am saying that because Netgear pushed out this advisory four days after Ribero released this info to the public. That’s a four day head start for every hacker who wants to exploit this. Another #EpicFail for Netgear.

My advice to you is that given that this is the second major vulnerability in Netgear products that has been found in the last month, you should take Ribero’s advice and stop using Netgear’s routers until they fix this. Or better yet, stop using Netgear’s products altogether. They clearly can’t keep them secure and they don’t want to deal with issues that are brought to them by security researchers in a timely manner. Both are great reasons not to use their products in my mind.

This entry was posted on December 27, 2016 at 2:28 pm and is filed under Commentary with tags Netgear. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.