Trustwave Exposes Authentication Bypass Flaw In Netgear Routers

Trustwave revealed two security vulnerabilities that can be exploited to reveal the password used to secure Netgear routers. This password could be used to gain total control over the router, which could in turn be used to compromise other devices on the network or to attack online infrastructure.

The security flaw was discovered in April 2016. Trustwave said it contacted Netgear about the vulnerabilities several times over the course of nine months without response. Meanwhile, the list of affected models rose from 18 to 31, and the company discovered that an LG router using Netgear firmware was also vulnerable to attack. Compromising these devices would be trivial: The researcher who found the flaw, Simon Kenin, said in a blog post that he's "not a great programmer" but that even he could exploit these vulnerabilities in several different Netgear products with his flawed code.

The good news was that Kenin's exploit usually required physical access to a router, which would make it hard for hackers to take advantage of the problem on a large scale. The bad news was that people could enable remote access to their routers, which meant the vulnerabilities could be exploited from anywhere in the world, still making Netgear routers a prime target. Kenin said Trustwave has found more than 10,000 remotely accessible routers vulnerable to this attack, and that "the real number of affected devices is probably in the hundreds of thousands, if not over a million."

Netgear responded to Trustwave just days before the vulnerabilities were revealed to the public. It has released firmware updates for several vulnerable routers, said it's working on patches for other models, and informed users of a workaround that would prevent their devices from being taken over. But until these problems are fixed (people might not update their router's firmware or know about the workaround), Kenin said vulnerable routers could be "infected and ultimately used as bots" or easily used to "further infect machines on the network." That's bad news for both Netgear and its customers.

This is just the latest problem found in the company's routers. Critical security vulnerabilities that could allow Netgear routers to be taken over by hackers were revealed in December 2016. The company responded by quickly releasing firmware updates and introducing a bug bounty program. The program was something of a mea culpa: Netgear was informed of these vulnerabilities in August 2016, but the disclosure slipped through the cracks in its system, much like the repeated warnings from Trustwave appeared to. Kenin said this bug bounty program helped restore his trust in Netgear:

Luckily NETGEAR did eventually get back to us right before we were set to disclose these vulnerabilities publicly. We were a little skeptical since our experience to date matched that of other third-party vulnerability researchers that have tried to responsibly disclose to NETGEAR only to be met with frustration. [...] Two changes helped sway our opinion. The first was that NETGEAR committed to pushing out firmware to the currently unpatched models on an aggressive timeline. The second change made us more confident that NETGEAR was not just serious about patching these vulnerabilities, but serious about changing how they handle third-party disclosure in general. That change was their commitment to Bugcrowd (https://bugcrowd.com/netgear), a popular third-party vendor that helps to vet research, provides oversight for the patching process and provides bug bounty rewards to help to motivate third-party researchers. We fully expect this move will not only smooth the relationship between third-party researchers and NETGEAR, but, in the end, will result in a more secure line of products and services.

Netgear router owners can see if their devices bear these security flaws by checking the lists of affected devices published by Trustwave and Netgear.
