Another Hijack Hole Found In Netgear Routers

Megalith

24-bit/48kHz
Staff member
Joined
Aug 20, 2006
Messages
13,000
The saga of Netgear’s incompetence continues with this report of a bug that allows hackers to gain admin credentials and access. While news of an exploit is never good, it is a lot worse when it concerns Netgear’s hardware, as the company has demonstrated that it prefers a slower approach when it comes to fixing their mistakes. Luckily, this particular bug has “already” been patched, as the researcher bugged the company for nine months about it. I am almost positive that there is still no official firmware update for their last reported fumble, however. How many of you guys have jumped ship from consumer routers?

The flaws, designated CVE-2017-5521 and TWSL2017-003, were discovered by researcher Simon Kenin of Trustwave, who found that by triggering an error message, the router can be tricked into handing over a numerical code that can then be used with the password recovery tool to retrieve the router's administrator credentials. Further research led Kenin to discover that in many cases, the numerical code is not even necessary, and that random strings sent directly to the password recovery script would still cause the login information to be displayed. In short, anyone who can pull up the router administrator screen, be it over the web or local Wi-Fi network, can obtain the admin password and gain complete control over the router itself. "We have found more than ten thousand vulnerable devices that are remotely accessible," said Kenin. "The real number of affected devices is probably in the hundreds of thousands, if not over a million."
 
I've been running an Edge Router Lite for 3+ years and before that I had a SonicWall TZ170. I briefly had a 4 port D-Link wireless router that had stability issues that replaced a Linksys BEFSR81 when we got internet that was faster than 10 Mb.

Getting the Edge Router Lite was probably the best move on my part. It gets free security updates and has every feature I could want. New features are still being added and there are instructions on how to add new functionality like content filtering. The nice thing about it is you don't have to pay extra for each feature like the SonicWall. Web filtering is extra, Vpn is extra etc.
 
I use my google fiber box as the router and use my consumer Netgear as an internal AP.
 
I have a TP-Link AC3150 router. I was recently given a Netgear Nighthawk AC3200 by my mother in law (she is a tech geek and always has to have the biggest and best...go figure). It's sitting in the box and probably will for a very long time based on these.
 
This is NOT good. I love my R7000, it's the only router I've had with the range and really good ability to hold up well under pretty severe wireless saturation from so many devices.
 
As long as you don't open the Admin Interface up to the web none of this matters... You can also flash alternative firmware if that makes you feel better.

I personally built a Sophos Home UTM and just use the R7000 as an AP and it is a great device.
 
To all the R7000 folks, upgrade to DD-WRT, I have been using it since I purchased mine in early 2014, none of these security risks affect it. You can even overclock it a little bit with no stability issues.
 
To all the R7000 folks, upgrade to DD-WRT, I have been using it since I purchased mine in early 2014, none of these security risks affect it. You can even overclock it a little bit with no stability issues.


Ding ding ding winner!
 
To all the R7000 folks, upgrade to DD-WRT, I have been using it since I purchased mine in early 2014, none of these security risks affect it. You can even overclock it a little bit with no stability issues.

I was running DD-WRT before I flashed back to stock. Issue I had related to QoS, no matter what I tried, it didn't do as good a job as the stock firmware.

As long as you don't open the Admin Interface up to the web none of this matters...

Good to know, thanks.
 
I flashed my R7000 from Netgear to DD-WRT when I got it, and went to Tomato last year for the improved features and couldn't be happier. I've got captive portals for guests to accept my TOS, separate VLANs for guest networks that have bandwidth and other limitations set (I let my neighbor use it), test environment machines that need to be internet capable but disconnected from my home network, one for infected machines I'm working on, etc.


Love the hardware, hated their software. This just gives me more reason to be happy I bumped my parents' WNDR3700 to DD-WRT when I gave it to them. It's no PFSense, Fortigate, etc...but it does the job well enough I don't feel the need to upgrade to enterprise class yet.
 
Don't get me wrong, I'm not defending Netgear here. Their security and backdoors have been shameful in latter years, but who exposes their web login screen for their router to their WAN anyway? That HAS to be considered worst practice even if you DO have a secure router.
 
I switched over to pfsense and am using an Ubiquiti AP. (Was using an R7000). Part of this is placement in my house, but I now get way better wifi coverage with a single access point.
Pfsense was a little overwhelming in the beginning, but I learned what I needed pretty quickly. I still have a lot to learn - but have Squid, nggroup, etc running. I'm running this on a dual Xeon server with 32GB ram - this is beyond overkill :) I am going to move this to a VM eventually.
 
Don't get me wrong, I'm not defending Netgear here. Their security and backdoors have been shameful in latter years, but who exposes their web login screen for their router to their WAN anyway? That HAS to be considered worst practice even if you DO have a secure router.
To paraphrase a horror movie, "The hack is coming from INSIDE YOUR NETWORK!"

You go to a website that has an image at <img src="http://192.168.1.1/netgearvulnerability.cgi?dobadthings"> (the preceding would actually be replaced with the real exploit URL)

I can't say whether or not this current exploit can do what it needs to do that way, but the earlier one could. There could be others that are not known with all sorts of other routers. The point is that turning off your WAN facing interface doesn't always protect you.
 
To paraphrase a horror movie, "The hack is coming from INSIDE YOUR NETWORK!"

You go to a website that has an image at <img src="http://192.168.1.1/netgearvulnerability.cgi?dobadthings"> (the preceding would actually be replaced with the real exploit URL)

I can't say whether or not this current exploit can do what it needs to do that way, but the earlier one could. There could be others that are not known with all sorts of other routers. The point is that turning off your WAN facing interface doesn't always protect you.

Very good point. One that gets missed by layman network guys like myself.
 
Ok, these flaws that require you to be in actual possession of device, or be actually inside network are kind of redundant. If I have to stick a usb device into a notebook to hack it, I might as well just walk out with the thing. Same with this flaw. Considering I already have to have access to the network.... I'm already in like Flynn so it's redundant.
 
I've been using a R7000 for a few years now, it's a fantastic device, probably the best home router I have ever used. I don't think I have ever turned on remote management. In fact I don't think I even log into the router except to do firmware updates and the occasional port forwarding changes. Not sure what anyone would get by accessing my network anyway, there are much easier ways to get mp3's.
 
Do these exploits only work if you have access to the router? E.g. you didn't turn on access to the admin panel from outside of the network? Because if you can trigger a password recovery from the WAN side of things with remote (over web) admin turned off, that seems extremely unsafe.

I've never made the admin accessible outside the network.
 
Ok, these flaws that require you to be in actual possession of device, or be actually inside network are kind of redundant. If I have to stick a usb device into a notebook to hack it, I might as well just walk out with the thing. Same with this flaw. Considering I already have to have access to the network.... I'm already in like Flynn so it's redundant.
As I said in my post a few lines up, some of these exploits that require you to be inside the network actually use you to perform the exploits. They trick you into running their exploit commands for them by hiding the specially crafted URL/payload inside an img tag or somewhere else. You get your router hacked without ever knowing.
 
As I said in my post a few lines up, some of these exploits that require you to be inside the network actually use you to perform the exploits. They trick you into running their exploit commands for them by hiding the specially crafted URL/payload inside an img tag or somewhere else. You get your router hacked without ever knowing.

And they are already in and have control of your network. Getting control of the router is like secondary at that point yea?
 
And they are already in and have control of your network. Getting control of the router is like secondary at that point yea?
No. They aren't in your network until you visit their specially crafted page. That's the point of these exploits. If you don't have a vulnerable router, they never get into your network. If you have a vulnerable router, just visiting a web page could cause a fake image tag to load, which pokes the vulnerability of your router, THEN takes over your router. They never have to actually be in your network or have control of it. This is a VECTOR for them to TAKE control of your network. That's what is so scary about these last two Netgear vulnerabilities.

To clarify, the "visit a web page" could be as simple as coming to a forum like this one, as long as it lets you post direct image links, where some evil poster posts a malformed image URL that pwns your router.
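One defence against that image-tag vector, as an added example (not Netgear's code and not from anyone in this thread): a check a router's sensitive CGI endpoints could apply to the origin headers the victim's own browser attaches to each request. The admin hostnames and the sample requests are assumed/constructed values.

```python
"""Same-origin check for a router admin endpoint (added example, not
Netgear's or any firmware's own code).  The <img> trick works because the
victim's browser sends the request, but the browser also says where the
request came from (Sec-Fetch-Site, Origin, Referer).  A sensitive CGI can
refuse anything that did not originate from the admin UI itself.
Hostnames and sample requests below are assumed/constructed values."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

ADMIN_HOSTS = {"192.168.1.1", "routerlogin.net", "www.routerlogin.net"}


def _hostname(url: str) -> Optional[str]:
    """Hostname part of a URL, or None when it cannot be parsed."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def request_origin_allowed(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason); header names are matched case-insensitively.

    1. Fetch metadata settles it outright.  Browsers only send it to HTTPS
       destinations, so a plain-http admin UI falls through to step 2.
    2. Otherwise Origin, then Referer, must point at the admin UI.
    3. Neither header present: refuse.  The UI's own pages always send
       one; an attacker's page can only strip it, never forge it.
    """
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site in ("cross-site", "same-site"):
        return False, f"sec-fetch-site={site}"
    if site in ("same-origin", "none"):  # "none": URL typed by the user
        return True, f"sec-fetch-site={site}"
    for name in ("origin", "referer"):
        if name in h:
            host = _hostname(h[name])
            if host in ADMIN_HOSTS:
                return True, f"{name} host {host}"
            return False, f"{name} host {host!r} is not the admin UI"
    return False, "no Origin or Referer header"


# Constructed requests, as a browser would send them for an <img> on an
# attacker's page (first two) or a form on the router's own UI (third).
IMG_HTTPS_UI = {"Host": "192.168.1.1", "Referer": "http://evil.example/post.html",
                "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Dest": "image"}
IMG_HTTP_UI = {"Host": "192.168.1.1", "Referer": "http://evil.example/post.html"}
FROM_ADMIN_UI = {"Host": "192.168.1.1", "Origin": "http://192.168.1.1",
                 "Referer": "http://192.168.1.1/start.htm",
                 "Sec-Fetch-Site": "same-origin"}
REFERER_STRIPPED = {"Host": "192.168.1.1"}  # attacker page used no-referrer

if __name__ == "__main__":
    for hdrs in (IMG_HTTPS_UI, IMG_HTTP_UI, FROM_ADMIN_UI, REFERER_STRIPPED):
        print(request_origin_allowed(hdrs))
```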
 
Ok, that's it.. Time to retire my R7000.

What should I get guys?

Buffalo's been good to me. Surprisingly crap free and headache free firmware on their routers. DD WRT options on models, too.
 
To paraphrase a horror movie, "The hack is coming from INSIDE YOUR NETWORK!"

You go to a website that has an image at <img src="http://192.168.1.1/netgearvulnerability.cgi?dobadthings"> (the preceding would actually be replaced with the real exploit URL)

I can't say whether or not this current exploit can do what it needs to do that way, but the earlier one could. There could be others that are not known with all sorts of other routers. The point is that turning off your WAN facing interface doesn't always protect you.

With the current vulnerability, the worst that could happen is that a malformed web page might be able to cause the admin account credentials to be displayed on the local machine -- and maybe be able to send them back to a remote server. Which means that an attacker might be able to get the admin password for your router. That said, if WAN facing access is disabled (as it should always be, if you have any security sense), then having your admin password still won't do them much good or compromise your network unless they have some way to access your local network (or unless some other exploit still exists that allows them to gain access from the WAN).

So, for a business that has a lot of users, this might be an issue, but for the average home user, this current vulnerability is pretty trivial.

That said, a bigger question may be whether or not it will work or can be used to allow config access when someone is connected to a "Guest" WiFi account on the affected router. If so, then this would be a major vulnerability for a business that allows Guest access.
 
Ok, that's it.. Time to retire my R7000.

What should I get guys?

This is NOT good. I love my R7000, it's the only router I've had with the range and really good ability to hold up well under pretty severe wireless saturation from so many devices.

After the last report, I flashed to DD-WRT. It's become dead simple.

Download the firmware from that site and unzip it (after registering), go into the router's admin and do the upgrade flash and select the file on your hard drive. As a precaution do the 30-30-30 reset after you flash. That's 30 seconds of holding reset button while powered on, 30 seconds holding reset button while powered off, 30 seconds again while powered on.

FWIW, switching to DD-WRT actually fixed a lot of my bandwidth issues. I was barely getting 100-200mb download when I was paying for 300mb down. I was also barely getting 2mb up when I was paying for 20mb up. After the flash I was immediately getting 280mb down and 19mb up.

On top of that, I did some research on the new and better QoS options in DD-WRT. The QoS in DDWRT is sooooooo much better. I had issues before when my Fiance was watching Netflix or watching other things on the Roku. I no longer have any issues since my gaming PC is top priority.

My wifi is just as powerful as before. I had to do so some research into VLAN's but other than that it was fairly easy.
 
I am almost positive that there is still no official firmware update for their last reported fumble, however.

A little quick research would reveal that, yes, Netgear did release updated "stock" firmware that resolved the vulnerability for the devices that were identified as being vulnerable. So where is the actual news here?

http://kb.netgear.com/000036386/CVE-2016-582384 <-- that is where you can find the official response from Netgear along with links to the appropriate firmware to address it for each of the impacted devices.

So, folks, help me out here because maybe I'm missing a "new" vulnerability reference? Or is this article (and, subsequently/consequentially, this thread) all about old news?

PS - Thanks for the notes about Merlin! I hadn't realized that someone had worked on that firmware to make it work with our routers. I'll also toss in a vote for Kong's DD-WRT builds, as well.

<edit: if this sounds snippy, it's because I reacted badly when I saw the headline and was ready to start researching other devices to replace my rather-reliable R7000.. When I ran through the links and saw that there does not appear to actually BE a "new" vulnerability, I decided to de-lurk at long last and post this.>
 
http://www.theregister.co.uk/2017/01/31/major_security_hole_in_netgear_routers/
The news from the article:
Netgear has released a fix for the update, though Kenin says that getting the network hardware giant to pay attention to the report was a nine-month ordeal that culminated in Netgear's commitment to overhaul its handling of bug reports and work more closely with the research community.

Mike Ahmadi, global director of critical systems security with Synopsys, says the cause of the problem is not unique to Netgear, but rather something every network hardware builder has to deal with.

"Vendors typically build such devices for the stated functionality, which is to route traffic and block unwanted traffic, when used as intended," Amadi said.

"What many vendors fail to do, however, is adequately assess the inherent security of the devices they sell, thereby flooding the market with vulnerable devices. Some vendors have taken it upon themselves to address the inherent vulnerabilities, but the end user is often left guessing which devices are adequately tested, since there is currently no regulatory requirement to test to a given level of rigor, and any attempt to force such regulations are met with extreme resistance."
 
Please note that this does not take you to the "latest" firmware. To find the latest, your best bet is to use the netgear support page and search for your router: http://www.netgear.com/support/
Excellent point - I was merely trying to point out that the "issue" noted in Megalith's so-called "news article" was addressed and fixed up already via those then-current firmware versions. Heck, read the item that I quoted from Megalith's own post and understand that is what I was providing a response to. I wasn't trying to suggest that the firmware links in the article that I listed are the "latest and greatest"*.

Moreover, Megalith's source for this "news" is just click-bait. Period. There is no news here, this is not a new vulnerability and the fact that Netgear was slow to respond was roundly called out across the Tech Reporting industry when this originally blew up.

*FWIW: The R7000 has not had any other firmware released for it since that security article was published.
 
Article is 2 months old and netgear reporting that all vulnerable routers were patched early last month.
 
GrayWolf you are making a mountain out of a molehill. I was not correcting but rather informing others that your link may not lead to the latest firmware. For example the R6400 from your link leads to Firmware-Version-1-0-1-18 while the latest is Firmware-Version-1-0-1-20.

http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability
According to the Netgear post above, the following routers and gateways are still vulnerable to a security issue that can expose web GUI login passwords while the password recovery feature is disabled.

Router Model and Firmware Version:

  • R6200 v1.0.1.56_1.0.43
  • R6300 v1.0.2.78_1.0.58
  • VEGN2610 v1.0.0.14_1.0.12
  • AC1450 v1.0.0.34_10.0.16
  • WNR1000v3 v1.0.2.68_60.0.93
  • WNDR3700v3 v1.0.0.38_1.0.31
  • WNDR4000 v1.0.2.4_9.1.86
  • WNDR4500 v1.0.1.40_1.0.68
DSL Gateway Model and Firmware Version:

  • D6300 v1.0.0.96
  • D6300B v1.0.0.40
  • DGN2200Bv4 v1.0.0.68
  • DGN2200v4 v1.0.0.76
 