Trustwave researchers have identified flaws in 31 Netgear router models which could allow attackers to gain full control of the devices. Using these flaws, an attacker can bypass the password on an affected Netgear router entirely, modify its configuration, infect multiple routers to build a botnet, or install entirely new firmware.
The vulnerabilities were identified by Simon Kenin, a security researcher at Trustwave, while he was trying to access the web interface of the Netgear VEGN2610 router after forgetting the password. He manually fuzzed the web server with various parameters and eventually found a file named "unauth.cgi".
In a blog post, Kenin revealed the details of his finding: "I started looking up what that 'unauth.cgi' page could be, and I found two publicly disclosed exploits from 2014, for different models that manage to do unauthenticated password disclosure. Booyah! Exactly what I need. Those two guys figured out that the number we get from unauth.cgi can be used with passwordrecovered.cgi to retrieve the credentials."
CVE-2017-5521: Bypassing Authentication on NETGEAR Routers.
Kenin then tested the same technique on other Netgear router models and got similar results. He found that even with an error in his code he could still retrieve the credentials quickly. Kenin revealed that this second bug was "totally new", and when both bugs were tested against different Netgear models, the second one applied to a wider range of routers. He noted that the flaws affected only some models; Trustwave researchers nonetheless identified tens of thousands of exploitable devices that could be reached remotely, and the true number of affected devices could well reach a million.
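To make the sequence Kenin describes visible on the defender's side, here is an added example (not code from Trustwave or Netgear) that scans HTTP access log lines for a client requesting unauth.cgi and then successfully calling passwordrecovered.cgi. The Apache-style common log format, the sample lines and the `id` parameter name in them are assumptions constructed for the example.

```python
import re

# Constructed sample access log in Apache common log format. The format and the
# "id" query parameter are assumptions for this example, not Netgear's real log.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2017:10:01:02 +0000] "GET /unauth.cgi HTTP/1.1" 200 312
203.0.113.7 - - [20/Jan/2017:10:01:05 +0000] "GET /passwordrecovered.cgi?id=123456 HTTP/1.1" 200 845
192.0.2.9 - - [20/Jan/2017:10:02:10 +0000] "GET /index.htm HTTP/1.1" 401 0
192.0.2.9 - - [20/Jan/2017:10:02:14 +0000] "GET /passwordrecovered.cgi?id=999 HTTP/1.1" 403 0
198.51.100.4 - - [20/Jan/2017:10:03:00 +0000] "GET /unauth.cgi HTTP/1.1" 200 312
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(log_text):
    """Parse log lines into (ip, path-without-query, status) events; skip junk lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ip"], m["path"].split("?")[0], int(m["status"])))
    return events


def detect_recovery_abuse(log_text):
    """Return (ip, verdict) pairs in first-seen order.

    "credential-disclosure-chain": unauth.cgi was fetched and a later
    passwordrecovered.cgi request succeeded (HTTP 200) from the same client.
    "unauth-probe-only": unauth.cgi was fetched but no successful recovery followed.
    """
    state = {}  # ip -> {"unauth": bool, "recovered": bool}
    for ip, path, status in parse(log_text):
        s = state.setdefault(ip, {"unauth": False, "recovered": False})
        if path == "/unauth.cgi":
            s["unauth"] = True
        elif path == "/passwordrecovered.cgi" and status == 200 and s["unauth"]:
            s["recovered"] = True
    findings = []
    for ip, s in state.items():
        if s["recovered"]:
            findings.append((ip, "credential-disclosure-chain"))
        elif s["unauth"]:
            findings.append((ip, "unauth-probe-only"))
    return findings
```

A rejected recovery attempt (the 403 from 192.0.2.9 above) is deliberately not flagged, so the rule reports only completed disclosure chains and bare probes.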
The security advisory from Trustwave is available here. The flaws are a treasure trove for remote attackers, as Kenin explained: "The vulnerability can be used by a remote attacker if remote administration is set to be Internet-facing. By default, this is not turned on. However, anyone with physical access to a network with a vulnerable router can exploit it locally. This would include public wifi spaces like cafés and libraries using vulnerable equipment."
It must be noted that since the arrival of the Mirai malware, millions of Internet of Things (IoT) devices, including CCTV cameras and routers, have become vulnerable to being enlisted in large-scale DDoS attacks. To avoid an embarrassing situation of its own, Netgear has already launched a bug bounty program that urges hackers and security researchers to report critical flaws in its products.