Another Hijack Hole Found In Netgear Routers

Discussion in 'HardForum Tech News' started by Megalith, Jan 31, 2017.

  1. Megalith

    Megalith 24-bit/48kHz Staff Member

    Messages:
    13,004
    Joined:
    Aug 20, 2006
    The saga of Netgear’s incompetence continues with this report of a bug that allows hackers to gain admin credentials and access. While news of an exploit is never good, it is a lot worse when it concerns Netgear’s hardware, as the company has demonstrated that it prefers a slower approach when it comes to fixing their mistakes. Luckily, this particular bug has “already” been patched, as the researcher bugged the company for nine months about it. I am almost positive that there is still no official firmware update for their last reported fumble, however. How many of you guys have jumped ship from consumer routers?

    The flaws, designated CVE-2017-5521 and TWSL2017-003, were discovered by researcher Simon Kenin of Trustwave, who found that by triggering an error message, the router can be tricked into handing over a numerical code that can then be used with the password recovery tool to retrieve the router's administrator credentials. Further research led Kenin to discover that in many cases, the numerical code is not even necessary, and that random strings sent directly to the password recovery script would still cause the login information to be displayed. In short, anyone who can pull up the router administrator screen, be it over the web or local Wi-Fi network, can obtain the admin password and gain complete control over the router itself. "We have found more than ten thousand vulnerable devices that are remotely accessible," said Kenin. "The real number of affected devices is probably in the hundreds of thousands, if not over a million."
     
  2. elavanis

    elavanis n00b

    Messages:
    37
    Joined:
    Feb 1, 2008
    I've been running an Edge Router Lite for 3+ years and before that I had a SonicWall TZ170. I briefly had a 4-port D-Link wireless router that had stability issues that replaced a Linksys BEFSR81 when we got internet that was faster than 10 Mb.

    Getting the Edge Router Lite was probably the best move on my part. It gets free security updates and has every feature I could want. New features are still being added and there are instructions on how to add new functionality like content filtering. The nice thing about it is you don't have to pay extra for each feature like the SonicWall. Web filtering is extra, VPN is extra, etc.
     
  3. DocSavage

    DocSavage 2[H]4U

    Messages:
    2,409
    Joined:
    Dec 18, 2002
    I use my google fiber box as the router and use my consumer Netgear as an internal AP.
     
  4. sboucher

    sboucher Gawd

    Messages:
    550
    Joined:
    Oct 7, 2004
    OK, that's it... Time to retire my R7000.

    What should I get guys?
     
  5. Bomber

    Bomber [H]ard|Gawd

    Messages:
    1,124
    Joined:
    Jan 14, 2002
    I have a TP-Link AC3150 router. I was recently given a Netgear Nighthawk AC3200 by my mother in law (she is a tech geek and always has to have the biggest and best...go figure). It's sitting in the box and probably will for a very long time based on these.
     
  6. Nukester

    Nukester [H]ard|Gawd

    Messages:
    1,429
    Joined:
    Mar 21, 2016
    This is NOT good. I love my R7000, it's the only router I've had with the range and really good ability to hold up well under pretty severe wireless saturation from so many devices.
     
  7. Budwise

    Budwise [H]ard|Gawd

    Messages:
    1,817
    Joined:
    Dec 7, 2004
    As long as you don't open the Admin Interface up to the web none of this matters... You can also flash alternative firmware if that makes you feel better.

    I personally built a Sophos Home UTM and just use the R7000 as an AP and it is a great device.
     
    Ocellaris likes this.
  8. striker444

    striker444 Gawd

    Messages:
    520
    Joined:
    Jan 20, 2012
    To all the R7000 folks, upgrade to DD-WRT, I have been using it since I purchased mine in early 2014, none of these security risks affect it. You can even overclock it a little bit with no stability issues.
     
    mullet likes this.
  9. Shikami

    Shikami Gawd

    Messages:
    622
    Joined:
    Apr 5, 2010
  10. mullet

    mullet [H]ard|Gawd

    Messages:
    1,629
    Joined:
    Aug 19, 2004

    Ding ding ding winner!
     
  11. sboucher

    sboucher Gawd

    Messages:
    550
    Joined:
    Oct 7, 2004
    I was running DD-WRT before I flashed back to stock. Issue I had related to QoS, no matter what I tried, it didn't do as good a job as the stock firmware.

    Good to know, thanks.
     
  12. Master_shake_

    Master_shake_ [H]ardForum Junkie

    Messages:
    8,423
    Joined:
    Apr 9, 2012
    Another reason to use a pfSense box.

    And use your routers as APs.
     
  13. burritoincognito

    burritoincognito Gawd

    Messages:
    760
    Joined:
    Sep 17, 2012
    I flashed my R7000 from Netgear to DD-WRT when I got it, and went to Tomato last year for the improved features and couldn't be happier. I've got captive portals for guests to accept my TOS, separate VLANs for guest networks that have bandwidth and other limitations set (I let my neighbor use it), test environment machines that need to be internet capable but disconnected from my home network, one for infected machines I'm working on, etc.


    Love the hardware, hated their software. This just gives me more reason to be happy I bumped my parents' WNDR3700 to DD-WRT when I gave it to them. It's no PFSense, Fortigate, etc...but it does the job well enough I don't feel the need to upgrade to enterprise class yet.
     
  14. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    27,746
    Joined:
    Oct 29, 2000
    Don't get me wrong, I'm not defending Netgear here. Their security and backdoors have been shameful in later years, but who exposes their web login screen for their router to their WAN anyway? That HAS to be considered worst practice even if you DO have a secure router.
     
  15. steakman1971

    steakman1971 2[H]4U

    Messages:
    2,433
    Joined:
    Nov 22, 2005
    I switched over to pfSense and am using an Ubiquiti AP. (Was using an R7000). Part of this is placement in my house, but I now get way better wifi coverage with a single access point.
    pfSense was a little overwhelming in the beginning, but I learned what I needed pretty quickly. I still have a lot to learn - but have Squid, nggroup, etc running. I'm running this on a dual Xeon server with 32GB ram - this is beyond overkill :) I am going to move this to a VM eventually.
     
  16. EJ42

    EJ42 n00b

    Messages:
    45
    Joined:
    Jan 26, 2017
    To paraphrase a horror movie, "The hack is coming from INSIDE YOUR NETWORK!"

    You go to a website that has an image at <img src="http://192.168.1.1/netgearvulnerability.cgi?dobadthings"> (the preceding would actually be replaced with the real exploit URL)

    I can't say whether or not this current exploit can do what it needs to do that way, but the earlier one could. There could be others that are not known with all sorts of other routers. The point is that turning off your WAN facing interface doesn't always protect you.
     
    CSI_PC and Zarathustra[H] like this.
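    Taking the flaw described in the opening post (an error response that leaks a numeric id, and a recovery script that then hands over the admin credentials for any id) together with EJ42's point above about a LAN browser being used as the delivery vehicle, here is an added simulation of that failure mode next to a hardened recovery flow. It is written for this thread and is not Netgear's code or Trustwave's proof of concept; the method names, the serial-number gate, the 300-second token lifetime, the allowed origins and the sample credentials are all assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data for the simulation (not real device values).
ADMIN_CREDS = {"username": "admin", "password": "example-only-Passw0rd"}
DEVICE_SERIAL = "EXAMPLE123456"               # assumed to be printed on the unit's label
ALLOWED_ORIGINS = {"http://192.168.1.1", "https://192.168.1.1"}


class VulnerableRecovery:
    """Models the behaviour the post describes: an error response leaks a
    numeric id, and the recovery script returns credentials for any id."""

    def __init__(self):
        self.issued_id = None

    def error_page(self):
        # Any failed request gets an error that carries the numeric id.
        self.issued_id = str(secrets.randbelow(10**9))
        return {"status": 401, "body": f"unauthorized id={self.issued_id}"}

    def recover(self, id_value, origin=None):
        # Bug class: the id is never checked against anything, so a random
        # string works, and Origin is ignored, so a page on another site can
        # drive a LAN browser to make this request.
        if id_value:
            return {"status": 200, "body": dict(ADMIN_CREDS)}
        return {"status": 400, "body": "missing id"}


class HardenedRecovery:
    """Recovery gated on something only the owner has (the serial on the
    label) and knows (security answers), through a single-use, expiring,
    unguessable token, with cross-site requests refused."""

    TOKEN_TTL = 300  # seconds (assumption)

    def __init__(self, answers, now=time.time):
        self._now = now  # injectable clock so expiry can be tested offline
        self._answer_hashes = {
            q: hashlib.sha256(a.encode()).digest() for q, a in answers.items()
        }
        self._pending = {}  # token -> expiry timestamp

    def error_page(self):
        # No token, no hint: the error carries nothing usable elsewhere.
        return {"status": 401, "body": "unauthorized"}

    def begin_recovery(self, serial, origin):
        # Assumes these endpoints are POST-only; browsers send Origin on POST,
        # and a cross-site <img> GET sends none, so a missing header is rejected.
        if origin not in ALLOWED_ORIGINS:
            return {"status": 403, "body": "cross-site request rejected"}
        if not hmac.compare_digest(serial.encode(), DEVICE_SERIAL.encode()):
            return {"status": 403, "body": "serial mismatch"}
        token = secrets.token_hex(16)  # 128 random bits, not a short number
        self._pending[token] = self._now() + self.TOKEN_TTL
        return {"status": 200, "body": {"token": token}}

    def recover(self, token, answers, origin):
        if origin not in ALLOWED_ORIGINS:
            return {"status": 403, "body": "cross-site request rejected"}
        # Single use: the token is consumed whether or not the answers are right,
        # so a wrong guess cannot be retried against the same token.
        expiry = self._pending.pop(token, None)
        if expiry is None or self._now() > expiry:
            return {"status": 403, "body": "invalid or expired token"}
        ok = True
        for question, digest in self._answer_hashes.items():
            given = hashlib.sha256(answers.get(question, "").encode()).digest()
            ok &= hmac.compare_digest(given, digest)  # constant-time compare
        if not ok:
            return {"status": 403, "body": "wrong answers"}
        return {"status": 200, "body": dict(ADMIN_CREDS)}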
  17. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    27,746
    Joined:
    Oct 29, 2000
    Very good point. One that gets missed by layman network guys like myself.
     
  18. thesmokingman

    thesmokingman [H]ardness Supreme

    Messages:
    4,772
    Joined:
    Nov 22, 2008
    OK, these flaws that require you to be in actual possession of the device, or be actually inside the network, are kind of redundant. If I have to stick a USB device into a notebook to hack it, I might as well just walk out with the thing. Same with this flaw. Considering I already have to have access to the network.... I'm already in like Flynn so it's redundant.
     
  19. Spaceninja

    Spaceninja [H]ard|Gawd

    Messages:
    1,683
    Joined:
    Sep 15, 2004
    I've been using a R7000 for a few years now, it's a fantastic device, probably the best home router I have ever used. I don't think I have ever turned on remote management. In fact I don't think I even log into the router except to do firmware updates and the occasional port forwarding changes. Not sure what anyone would get by accessing my network anyway, there are much easier ways to get mp3's.
     
  20. Spidey329

    Spidey329 [H]ardForum Junkie

    Messages:
    8,677
    Joined:
    Dec 15, 2003
    Do these exploits only work if you have access to the router? E.g. you didn't turn on access to the admin panel from outside of the network? Because if you can trigger a password recovery from the WAN side of things with remote (over web) admin turned off, that seems extremely unsafe.

    I've never made the admin accessible outside the network.
     
  21. EJ42

    EJ42 n00b

    Messages:
    45
    Joined:
    Jan 26, 2017
    As I said in my post a few lines up, some of these exploits that require you to be inside the network actually use you to perform the exploits. They trick you into running their exploit commands for them by hiding the specially crafted URL/payload inside an img tag or somewhere else. You get your router hacked without ever knowing.
     
  22. thesmokingman

    thesmokingman [H]ardness Supreme

    Messages:
    4,772
    Joined:
    Nov 22, 2008
    And they are already in and have control of your network. Getting control of the router is like secondary at that point yea?
     
  23. EJ42

    EJ42 n00b

    Messages:
    45
    Joined:
    Jan 26, 2017
    No. They aren't in your network until you visit their specially crafted page. That's the point of these exploits. If you don't have a vulnerable router, they never get into your network. If you have a vulnerable router, just visiting a web page could cause a fake image tag to load, which pokes the vulnerability of your router, THEN takes over your router. They never have to actually be in your network or have control of it. This is a VECTOR for them to TAKE control of your network. That's what is so scary about these last two Netgear vulnerabilities.

    To clarify, the "visit a web page" could be as simple as coming to a forum like this one, as long as it lets you post direct image links, where some evil poster posts a malformed image URL that pwns your router.
     
  24. rat

    rat [H]ardness Supreme

    Messages:
    4,915
    Joined:
    Apr 16, 2008
    Buffalo's been good to me. Surprisingly crap free and headache free firmware on their routers. DD-WRT options on models, too.
     
  25. Makaveli@BETA

    Makaveli@BETA 2[H]4U

    Messages:
    2,302
    Joined:
    Mar 24, 2004
    mdburkey likes this.
  26. mdburkey

    mdburkey Limp Gawd

    Messages:
    498
    Joined:
    Jan 19, 2007
    Makaveli@BETA likes this.
  27. mdburkey

    mdburkey Limp Gawd

    Messages:
    498
    Joined:
    Jan 19, 2007
    With the current vulnerability, the worst that could happen is that a malformed web page might be able to cause the admin account credentials to be displayed on the local machine -- and maybe be able to send them back to a remote server. Which means that an attacker might be able to get the admin password for your router. That said, if WAN facing access is disabled (as it should always be, if you have any security sense), then having your admin password still won't do them much good or compromise your network unless they have some way to access your local network (or unless some other exploit still exists that allows them to gain access from the WAN).

    So, for a business that has a lot of users, this might be an issue, but for the average home user, this current vulnerability is pretty trivial.

    That said, a bigger question may be whether or not it will work or can be used to allow config access when someone is connected to a "Guest" WiFi account on the affected router. If so, then this would be a major vulnerability for a business that allows Guest access.
     
  28. CaptNumbNutz

    CaptNumbNutz Bulls[H]it Master

    Messages:
    19,512
    Joined:
    Apr 11, 2007
    After the last report, I flashed to DD-WRT. It's become dead simple.

    Download the firmware from that site and unzip it (after registering), go into the router's admin and do the upgrade flash and select the file on your hard drive. As a precaution do the 30-30-30 reset after you flash. That's 30 seconds of holding reset button while powered on, 30 seconds holding reset button while powered off, 30 seconds again while powered on.

    FWIW, switching to DD-WRT actually fixed a lot of my bandwidth issues. I was barely getting 100-200mb download when I was paying for 300mb down. I was also barely getting 2mb up when I was paying for 20mb up. After the flash I was immediately getting 280mb down and 19mb up.

    On top of that, I did some research on the new and better QoS options in DD-WRT. The QoS in DD-WRT is sooooooo much better. I had issues before when my fiancée was watching Netflix or watching other things on the Roku. I no longer have any issues since my gaming PC is top priority.

    My wifi is just as powerful as before. I had to do some research into VLANs but other than that it was fairly easy.
     
    mullet and Nukester like this.
  29. GrayWolf

    GrayWolf n00b

    Messages:
    11
    Joined:
    Jun 29, 2007
    A little quick research would reveal that, yes, Netgear did release updated "stock" firmware that resolved the vulnerability for the devices that were identified as being vulnerable. So where is the actual news here?

    http://kb.netgear.com/000036386/CVE-2016-582384 <-- that is where you can find the official response from Netgear along with links to the appropriate firmware to address it for each of the impacted devices.

    So, folks, help me out here because maybe I'm missing a "new" vulnerability reference? Or is this article (and, subsequently/consequentially, this thread) all about old news?

    PS - Thanks for the notes about Merlin! I hadn't realized that someone had worked on that firmware to make it work with our routers. I'll also toss in a vote for Kong's DD-WRT builds, as well.

    <edit: if this sounds snippy, it's because I reacted badly when I saw the headline and was ready to start researching other devices to replace my rather-reliable R7000.. When I ran through the links and saw that there does not appear to actually BE a "new" vulnerability, I decided to de-lurk at long last and post this.>
     
    Last edited: Feb 1, 2017
  30. SFB

    SFB [H]Lite

    Messages:
    64
    Joined:
    Feb 21, 2011
    http://www.theregister.co.uk/2017/01/31/major_security_hole_in_netgear_routers/

    The news from the article:
     
  31. buhbuhfet

    buhbuhfet Limp Gawd

    Messages:
    451
    Joined:
    Feb 11, 2016
    Megalith, are you sure it's just incompetence?
     
  32. SFB

    SFB [H]Lite

    Messages:
    64
    Joined:
    Feb 21, 2011
    Please note that this does not take you to the "latest" firmware. To find the latest, your best bet is to use the netgear support page and search for your router: http://www.netgear.com/support/
     
    GrayWolf likes this.
  33. GrayWolf

    GrayWolf n00b

    Messages:
    11
    Joined:
    Jun 29, 2007
    Excellent point - I was merely trying to point out that the "issue" noted in Megalith's so-called "news article" was addressed and fixed up already via those then-current firmware versions. Heck, read the item that I quoted from Megalith's own post and understand that is what I was providing a response to. I wasn't trying to suggest that the firmware links in the article that I listed are the "latest and greatest"*.

    Moreover, Megalith's source for this "news" is just click-bait. Period. There is no news here, this is not a new vulnerability and the fact that Netgear was slow to respond was roundly called out across the Tech Reporting industry when this originally blew up.

    *FWIW: The R7000 has not had any other firmware released for it since that security article was published.
     
    Last edited: Feb 1, 2017
  34. Darunion

    Darunion 2[H]4U

    Messages:
    3,731
    Joined:
    Oct 6, 2010
    Article is 2 months old and netgear reporting that all vulnerable routers were patched early last month.
     
    GrayWolf likes this.
  35. SFB

    SFB [H]Lite

    Messages:
    64
    Joined:
    Feb 21, 2011
    GrayWolf, you are making a mountain out of a molehill. I was not correcting but rather informing others that your link may not lead to the latest firmware. For example the R6400 from your link leads to Firmware-Version-1-0-1-18 while the latest is Firmware-Version-1-0-1-20.

    http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability
    According to the Netgear post above, the following routers and gateways are still vulnerable to a security issue that can expose web GUI login passwords while the password recovery feature is disabled.

    Router Model and Firmware Version:

    • R6200 v1.0.1.56_1.0.43
    • R6300 v1.0.2.78_1.0.58
    • VEGN2610 v1.0.0.14_1.0.12
    • AC1450 v1.0.0.34_10.0.16
    • WNR1000v3 v1.0.2.68_60.0.93
    • WNDR3700v3 v1.0.0.38_1.0.31
    • WNDR4000 v1.0.2.4_9.1.86
    • WNDR4500 v1.0.1.40_1.0.68
    DSL Gateway Model and Firmware Version:

    • D6300 v1.0.0.96
    • D6300B v1.0.0.40
    • DGN2200Bv4 v1.0.0.68
    • DGN2200v4 v1.0.0.76
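
    As an added check, not from the Netgear article or from any poster, here is a small Python version comparator for the two firmware-version formats that appear in this thread (the `v1.0.1.56_1.0.43` strings in the list above and the `Firmware-Version-1-0-1-18` form from the support URL slugs SFB mentions), with the list above transcribed as data. It assumes a build at or below the listed version is affected and anything newer is fixed, which is the example's reading of the list, not something Netgear states here; a model not on the list gets no verdict rather than a clean bill.

```python
import re

# The model/version pairs from the Netgear KB article quoted above, transcribed
# as data. Assumption: a build at or below the listed version is affected and
# anything newer is taken as fixed.
STILL_VULNERABLE = {
    "R6200": "v1.0.1.56_1.0.43",
    "R6300": "v1.0.2.78_1.0.58",
    "VEGN2610": "v1.0.0.14_1.0.12",
    "AC1450": "v1.0.0.34_10.0.16",
    "WNR1000v3": "v1.0.2.68_60.0.93",
    "WNDR3700v3": "v1.0.0.38_1.0.31",
    "WNDR4000": "v1.0.2.4_9.1.86",
    "WNDR4500": "v1.0.1.40_1.0.68",
    "D6300": "v1.0.0.96",
    "D6300B": "v1.0.0.40",
    "DGN2200Bv4": "v1.0.0.68",
    "DGN2200v4": "v1.0.0.76",
}

_VERSION_RE = re.compile(r"^[vV]?(\d+(?:\.\d+)*)(?:_(\d+(?:\.\d+)*))?$")


def parse_version(text):
    """Turn 'v1.0.1.56_1.0.43' or 'Firmware-Version-1-0-1-18' into a pair of
    integer tuples, so comparisons are numeric rather than lexical
    ('1.0.1.9' is older than '1.0.1.18' as numbers, the opposite as strings)."""
    s = text.strip()
    if s.lower().startswith("firmware-version-"):
        # Support-site URL slug form: hyphens stand in for dots.
        s = s[len("firmware-version-"):].replace("-", ".")
    m = _VERSION_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    main = tuple(int(x) for x in m.group(1).split("."))
    sub = tuple(int(x) for x in m.group(2).split(".")) if m.group(2) else ()
    return main, sub


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)


def is_listed_vulnerable(model, installed):
    """True or False for models on the list; None (no verdict) for the rest."""
    listed = STILL_VULNERABLE.get(model)
    if listed is None:
        return None
    return compare_versions(installed, listed) <= 0
```

    The point of the numeric comparison is the R6400 case SFB raises: a string compare would call `1-0-1-18` and `1-0-1-20` the right way round by luck, but it would also rank a hypothetical `1.0.1.9` above both, so the parser is what makes the check trustworthy.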