Potentially Millions of Netgear Routers Contain Vulnerability – Update
A security company has found a vulnerability in several Netgear routers. An attacker who can reach the router's web interface could use the vulnerability to get in without credentials. Millions of devices may be vulnerable.
Security firm Trustwave found the vulnerability in the passwordrecovered.cgi page. That page requires a token, a string of numbers that the software generates when the user successfully completes the password recovery process. However, the page does not verify the token: a made-up series of numbers also works, and the page will still show the login details. By default, Netgear routers are set so that the administrator interface cannot be accessed from the web, which means that this vulnerability is mainly exploitable from the local network. Anyone who has made the web interface accessible from the WAN is open to attack from anyone.
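The missing check described above, shown as an added Python example; this is not Netgear's or Trustwave's code. The class, function names, session identifiers and the five-minute lifetime are hypothetical, and `weak_check` is only an assumed shape for a handler that accepts any number.

```python
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 300  # assumed lifetime of a recovery token


class RecoveryTokenStore:
    """Server-side record of the recovery tokens that were actually issued."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._issued = {}  # session id -> (token, expiry time)

    def issue(self, session_id):
        """Call only after the recovery process was completed successfully."""
        token = secrets.token_urlsafe(32)  # unguessable, unlike a short number
        self._issued[session_id] = (token, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, session_id, presented):
        """True once, for the unexpired token issued to this session."""
        # pop() makes the token single-use; a wrong guess also invalidates it.
        record = self._issued.pop(session_id, None)
        if record is None or not isinstance(presented, str):
            return False
        token, expiry = record
        if self._clock() > expiry:
            return False
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(token.encode(), presented.encode())


def weak_check(presented):
    """Assumed form of the flaw: the value is checked for shape, not origin."""
    return presented.isdigit()


def demo():
    """Run constructed requests through both checks; values are 'accepted?'."""
    now = [0.0]  # controllable clock so expiry can be shown without sleeping
    store = RecoveryTokenStore(clock=lambda: now[0])
    out = {"weak, made-up number": weak_check("12345")}
    out["made-up number"] = store.redeem("sess-a", "12345")
    token = store.issue("sess-a")
    out["token from other session"] = store.redeem("sess-b", token)
    out["issued token"] = store.redeem("sess-a", token)
    out["replayed token"] = store.redeem("sess-a", token)
    stale = store.issue("sess-a")
    now[0] += TOKEN_TTL_SECONDS + 1
    out["expired token"] = store.redeem("sess-a", stale)
    return out
```

Only a token that the server itself issued to the same session, that has not expired and has not been used before, is accepted.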
An attacker with access to the router's administration interface could, for example, replace the firmware with a counterfeit version that makes the router part of a botnet, or modify the DNS server so that users behind the router are served malware.
More than fifty different Netgear routers and modems are said to have the vulnerability, as are two Lenovo routers that run Netgear firmware. In some cases the problem has already been fixed by Netgear, but not in all. The company has known about the problem since April 2016.
The news comes shortly after vulnerabilities in eleven different Netgear routers became known. All of those were patched with final updates two weeks after they became known. The author of this new report describes his contact with Netgear since April 2016 as “frustrating.”
Update, Wednesday, 14.30: Netgear reports being aware of the vulnerability (CVE-2017-5521), but claims it is not a new or recent development. “We are already working with TrustWave to analyze the vulnerability. Netgear has published a knowledge base article for the affected routers and the available firmware fix.”