Netgear routers’ security broken by bedroom fuzzing


Fuzzing is the automated injecting of malformed data in a hope of causing something to break, and break badly enough to reveal a security hole. Netgear routers got fuzzed, and they broke very badly indeed.

Now fuzzing isn’t the kind of thing that most ordinary people would do in bed, but Simon Kenin is no ordinary person: he’s a security researcher.

When faced with an ‘Internet Down’ scenario having retired for the night, Simon couldn’t be arsed to get up and check the router and instead thought he’d try and hack it from the comfort of his bed.

That’s where the fuzzing started, and where the problems began for Netgear.

To cut a long story short (visit Trustwave SpiderLabs for the uncut tale), by manually fuzzing the web server Simon was able to bypass authentication on his Netgear VEGN2610 modem/router.

Fuzzing the server with a ‘…’ parameter was all it took to solicit an ‘unauth.cgi?id=1211868232’ response. With his Internet connection back up and running, Simon went in for the kill and did some digging.

It didn’t take much of it to uncover a couple of disclosed exploits, both a couple of years old, relating to unauthenticated password disclosure on different Netgear router models.

Supplying that unauth.cgi id number to passwordrecovered.cgi could prompt the router to hand over the admin credentials. Worse yet for Netgear, Simon couldn’t code very well.

So when he knocked up a somewhat crappily written Python script to help others test his theory that a large number of Netgear routers might be vulnerable, things didn’t quite go according to plan. An error in the script passed random rubbish to passwordrecovered.cgi instead of the proper id.

This was bad news for Netgear because the admin credentials were still returned anyway. What Simon had uncovered, more by error than trial, was that the first call to passwordrecovered.cgi was enough to spit out those credentials. Critical vulnerability CVE-2017-5521 was born.

More bad news for Netgear though: this vulnerability, which impacted at least 18 router models, was responsibly disclosed to Netgear back in April 2016.

A small subset of routers was patched in June, but that was it. Despite promises to fix things, additional routers were added to the vulnerable list and it ended up at 31 models.

After many months of nagging, and just before Simon was going to go public, Netgear committed to pushing out firmware to fix the bug.

Netgear has also joined Bugcrowd to help make the disclosure process better, including bug bounties and patching oversight.

Trustwave SpiderLabs, where Simon works, reckons the vulnerability could impact up to a million users of Netgear home routers.

Our advice, regardless of whether your router is listed as vulnerable or not, is to get into your admin console and apply any firmware updates.

We also suggest, while you are there, ensuring that remote administration is not enabled, as this helps mitigate the risk (although anyone with physical access to your network could still exploit a vulnerable router).
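As an added defensive example (not code from the Trustwave research or from Netgear), the script below scans web-server access-log lines for the request pattern described above: passwordrecovered.cgi fetched with a missing or non-numeric id, without a preceding unauth.cgi call from the same source, or from an address outside the LAN, which is what exposed remote administration would look like. It assumes Common Log Format logs are available from the router or an upstream proxy, that the LAN is 192.168.1.0/24, and uses constructed sample lines.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption: the router's LAN; anything outside it is treated as a WAN-side client.
LAN = ip_network("192.168.1.0/24")

# Constructed sample access-log lines in Common Log Format; not from a real device.
SAMPLE_LOG = """\
192.168.1.23 - - [10/Jan/2017:22:14:01 +0000] "GET /index.htm HTTP/1.1" 200 512
192.168.1.23 - - [10/Jan/2017:22:14:05 +0000] "GET /unauth.cgi?id=1211868232 HTTP/1.1" 200 88
192.168.1.23 - - [10/Jan/2017:22:14:09 +0000] "GET /passwordrecovered.cgi?id=1211868232 HTTP/1.1" 200 301
203.0.113.45 - - [10/Jan/2017:22:15:30 +0000] "GET /passwordrecovered.cgi?id=AAAA HTTP/1.1" 200 301
192.168.1.77 - - [10/Jan/2017:22:16:02 +0000] "GET /passwordrecovered.cgi HTTP/1.1" 200 301
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')
ID_RE = re.compile(r'[?&]id=([^&]*)')


def audit_log(log_text):
    """Return (line_no, source_ip, reason) tuples for requests matching the CVE-2017-5521 pattern."""
    seen_unauth = set()  # sources that fetched unauth.cgi earlier in the log
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        src, _method, target, _status = m.groups()
        path = target.split("?", 1)[0]
        if path.endswith("/unauth.cgi"):
            seen_unauth.add(src)
            continue
        if not path.endswith("/passwordrecovered.cgi"):
            continue
        idm = ID_RE.search(target)
        if ip_address(src) not in LAN:
            findings.append((n, src, "passwordrecovered.cgi reached from outside the LAN"))
        if idm is None or not idm.group(1).isdigit():
            findings.append((n, src, "missing or non-numeric id (the CVE-2017-5521 trigger)"))
        if src not in seen_unauth:
            findings.append((n, src, "no prior unauth.cgi request from this source"))
    return findings


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
```

The legitimate-looking sequence on lines 2 and 3 (unauth.cgi first, then a numeric id from a LAN host) produces no finding; the WAN-side request and the id-less request each do.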

Regulators should impose a minimum standard for security updates

Mike Ahmadi, Global Director of Critical Systems Security at Synopsys, adds, “the only way a consumer can determine the level of risk associated with a device is to run their own tests and determine what vulnerabilities are present, and use this information in procurement to force a vendor to fix the issues, or move on to another vendor that is doing a better job addressing such issues, or require a third party security audit, such as the UL CAP program.”

Art Swift, President at the Prpl Foundation says, “good security is at least half about good management of the product, yet the consumer technology industry prioritises the user experience over everything else. Regulators must understand this and so should impose a bare minimum standard for security updates – forcing manufacturers to administer these, so devices are not left unpatched for too long. If there is this shift of responsibility from the end user to the vendor, it demands a secure infrastructure extended into the device itself.”

Brian Laing, VP at Lastline, has the last word, “new vulnerabilities are found all the time so consumers need to take as many preventative measures as possible, such as disabling remote management. That will mitigate the impact of someone trying to attack an unknown vulnerability.”