If you own a Netgear router, you have to be wondering whether you should ditch it for something else. I say that because, hot on the heels of this serious security issue coming to light (one that was sort of fixed a few days later), comes this:
The NETGEAR WNR2000 allows an administrator to perform a number of sensitive functions in the web interface through an apparent CGI script named apply.cgi. This script is invoked when changing Internet settings, WLAN settings, restore to factory defaults, reboot the router, etc.
However, apply.cgi is not really a script, but a function that is invoked in the HTTP server (uhttpd) when it receives that string in the URL. When reverse engineering uhttpd, it was found that it also allows an unauthenticated user to perform the same sensitive admin functions if apply_noauth.cgi is invoked instead.
Some of the functions, such as rebooting the router, can be exploited straight away by an unauthenticated attacker. Other functions, such as changing Internet, WLAN settings or retrieving the administrative password, require the attacker to send a “timestamp” variable attached to the URL. This timestamp is generated every time the target page is accessed and functions as a sort of anti-CSRF token.
The timestamp generating function was reverse engineered and due to incorrect use of random number generation (details below) it is possible to identify the token in less than 1000 attempts with no other previous knowledge.
By combining this knowledge with an information leakage, it is possible to recover the administrator password. This password is then used to enable telnet functionality in the router and obtain a root shell if the attacker is in the LAN.
Finally, a stack buffer overflow was also discovered, which combined with the apply_noauth.cgi vulnerability and the timestamp identification attack allows an unauthenticated attacker to take full control of the device and execute code remotely in the LAN and in the WAN.
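From a defender's side, the two things worth watching for in the advisory above are any request at all to apply_noauth.cgi (no legitimate client should ever call it) and a single source cycling through many different "timestamp" values, which is what guessing the anti-CSRF token in under 1000 attempts looks like in a log. The script below is an added example and is not code from the advisory, from Pedro Ribeiro, or from Netgear. It assumes that the management interface sits behind a proxy or gateway that writes a common-log-format access log (the router's own uhttpd may not log this way), and the sample lines and the guessing threshold are constructed values for illustration.

```python
"""Scan access-log lines for the WNR2000 apply_noauth.cgi abuse pattern (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines in common log format; these are not real captures.
SAMPLE_LOG = [
    '192.168.1.23 - - [20/Dec/2016:10:01:02 +0000] "GET /index.htm HTTP/1.1" 200 1234',
    '192.168.1.23 - - [20/Dec/2016:10:01:05 +0000] "POST /apply.cgi?timestamp=73528614 HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Dec/2016:10:02:10 +0000] "POST /apply_noauth.cgi?timestamp=10000001 HTTP/1.1" 200 64',
    '203.0.113.7 - - [20/Dec/2016:10:02:11 +0000] "POST /apply_noauth.cgi?timestamp=10000002 HTTP/1.1" 200 64',
    '203.0.113.7 - - [20/Dec/2016:10:02:12 +0000] "POST /apply_noauth.cgi?timestamp=10000003 HTTP/1.1" 200 64',
    '198.51.100.9 - - [20/Dec/2016:10:05:00 +0000] "GET /apply_noauth.cgi HTTP/1.1" 200 64',
]

# Common log format: client, ident, user, [timestamp], "METHOD target HTTP/x.y", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Endpoint named in the advisory; the authenticated twin is /apply.cgi.
UNAUTH_ENDPOINT = "/apply_noauth.cgi"


def parse_line(line):
    """Return ip, method, path, query params and status for one log line,
    or None if the line is not in common log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "when": m.group("when"),
        "method": m.group("method"),
        "path": parts.path,
        "params": parse_qs(parts.query),
        "status": int(m.group("status")),
    }


def analyze(lines, guess_threshold=50):
    """Flag every request to apply_noauth.cgi per source, and separately flag
    sources that try many distinct timestamp values (token guessing).
    guess_threshold is an assumed tuning value, not something from the advisory."""
    noauth_hits = defaultdict(int)       # source ip -> requests to apply_noauth.cgi
    timestamps_seen = defaultdict(set)   # source ip -> distinct timestamp values tried
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != UNAUTH_ENDPOINT:
            continue
        noauth_hits[rec["ip"]] += 1
        for ts in rec["params"].get("timestamp", []):
            timestamps_seen[rec["ip"]].add(ts)
    token_guessers = sorted(
        ip for ip, seen in timestamps_seen.items() if len(seen) >= guess_threshold
    )
    return {"noauth_hits": dict(noauth_hits), "token_guessers": token_guessers}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, guess_threshold=3)
    for ip, n in report["noauth_hits"].items():
        print(f"{ip}: {n} request(s) to {UNAUTH_ENDPOINT}")
    print("possible token guessing from:", report["token_guessers"])
```

Any non-zero entry in `noauth_hits` is worth an alert on its own, since the advisory says some functions (such as rebooting the router) need no token at all; the `token_guessers` list catches the slower case where an attacker is working through timestamp values to reach the functions that do require one.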
Okay. Let me translate for you. The vulnerabilities described above could allow a remote attacker to execute code and take over the device without authentication. And the attack is possible on the local network and via the Internet if remote administration is turned on, which to be fair it is not by default.
That’s a pretty big #Fail on the part of Netgear. What’s worse is that, according to Pedro Ribeiro, the security researcher who discovered this, Netgear’s response was:
NETGEAR did not respond to any emails, so THERE IS NO FIX for these vulnerabilities.
It is recommended to replace this router with another make and model that supports OpenWRT firmware. WNR2000 v3 and v4 have OpenWRT images available, but the latest v5 is not supported yet.
Timeline of disclosure:
26.09.2016: Email sent to NETGEAR (security@netgear.com) asking for PGP key, no response.
28.10.2016: Email sent to NETGEAR (security@netgear.com) asking for PGP key, no response.
26.11.2016: Disclosed vulnerability to CERT through their web portal.
29.11.2016: Received reply from CERT. They indicated that NETGEAR does not cooperate with them, so they recommended getting CVE numbers from MITRE and releasing the vulnerability information.
Email to MITRE requesting CVE numbers, no response.
Email sent to NETGEAR (security@netgear.com) asking for PGP key, no response.
20.12.2016: Public disclosure.
Well, that’s an #EpicFail on the part of Netgear to not even respond to him. I bet that they’re working overtime over the holidays to come up with a fix now that this is public and a PR disaster is in progress. I am saying that because Netgear pushed out this advisory four days after Ribeiro released this info to the public. That’s a four day head start for every hacker who wants to exploit this. Another #EpicFail for Netgear.
My advice to you is that, given that this is the second major vulnerability in Netgear products found in the last month, you should take Ribeiro’s advice and stop using Netgear’s routers until they fix this. Or better yet, stop using Netgear’s products altogether. They clearly can’t keep them secure, and they don’t want to deal in a timely manner with issues that security researchers bring to them. Both are great reasons not to use their products in my mind.
Yet Another Security Flaw Found In Netgear Routers
Posted in Commentary with tags Netgear on January 31, 2017 by itnerd
Seriously, what is up with Netgear these days?
After some serious security flaws popped up last year, here comes the latest one, found by researcher Simon Kenin of Trustwave. According to this post, he found that by triggering an error message, the router can be tricked into handing over a numerical code that can then be used with the password recovery tool to retrieve the router’s administrator credentials. What is worse is that Kenin also discovered that in many cases the numerical code is not even necessary: random strings sent directly to the password recovery script would still cause the login information to be displayed. From there, it’s a trivial task to pwn the router. There are 31 different Netgear router models affected by this flaw, and Netgear advises that you update your firmware right now.
Charming.
You really have to wonder if Netgear takes the security of its products seriously. I get that any vendor can have security issues with their products. But the rate at which Netgear seems to have these sorts of issues seems really high to me.