Vulnerabilities in some Netgear router and NAS products open door to remote attacks
- — 24 October, 2013 08:02
Netgear's N600 Wireless Dual-Band Gigabit Router
Vulnerabilities in the management interfaces of some wireless router and network-attached storage products from Netgear expose the devices to remote attacks that could result in their complete compromise, researchers warn.
The latest hardware revision of Netgear's N600 Wireless Dual-Band Gigabit Router, known as WNDR3700v4, has several vulnerabilities that allow attackers to bypass authentication on the router's Web-based interface, according to Zachary Cutlip, a researcher with security consultancy firm Tactical Network Solutions.
"If you browse to http://<router address>/BRS_02_genieHelp.html, you are allowed to bypass authentication for all pages in the entire administrative interface," Cutlip said Tuesday in a blog post. "But not only that, authentication remains disabled across reboots. And, of course, if remote administration is turned on, this works from the frickin' Internet."
That opens the door to many attack possibilities. For example, an attacker could configure the router to use a malicious DNS (Domain Name System) server, which would allow the attacker to redirect users to malicious websites or set up port forwarding rules to expose internal network services to the Internet.
"Additionally, any command injection or buffer overflow vulnerabilities in the router's Web interface become fair game once authentication is disabled," Cutlip said.
In fact, the researcher already found a vulnerability which, when exploited together with the authentication bypass one, allows an attacker to obtain a root prompt on the router.
"Once the attacker has root on the router, they can easily sniff and manipulate all the users' Internet-bound traffic," Cutlip said Thursday.
The BRS_02_genieHelp.html vulnerability is actually a combination of two separate issues. One is that any interface pages whose names start with "BRS_" can be accessed without authentication.
This is a vulnerability in itself and can lead to sensitive information disclosure. For example, a page called "BRS_success.html" lists the access passwords for the 2.4GHz and 5GHz Wi-Fi networks configured on the router.
The second issue is that when accessed, the BRS_02_genieHelp.html page switches a router configuration setting called "hijack_process" to 1 and this disables authentication for the entire Web interface. The value for the "hijack_process" setting when the router is configured properly is 3.
The same vulnerability was found by researchers from Independent Security Evaluators (ISE) in April in the firmware of the Netgear CENTRIA (WNDR4700) router model. However, the vulnerable URL ISE identified at the time was http://[router_ip]/BRS_03B_haveBackupFile_fileRestore.html.
Netgear patched the vulnerability in the WNDR4700 184.108.40.206 firmware version that was released in July. However, it seems the company failed to check if other router models are also vulnerable.
The latest firmware version for WNDR3700v4 is 220.127.116.11 and Cutlip performed his tests on the older 18.104.22.168 version. However, static code analysis of the 22.214.171.124 firmware indicates that it is also vulnerable, the researcher said Thursday.
The older WNDR3700v3 hardware revision does not appear to be affected, Cutlip said, adding that he hasn't analyzed the firmware for the much older v1 and v2 revisions yet.
The researcher also discovered a separate authentication bypass vulnerability in the WNDR3700v4 firmware that's not related to the BRS_* issue. "Appending the string 'unauth.cgi' to HTTP requests will bypass authentication for many, if not most, pages," he said.
Cutlip didn't test if WNDR4700 is also vulnerable to this second flaw.
Netgear did not immediately respond to a request for comment.
A search for WNDR3700v4 routers that have their Web interface exposed to the Internet returned over 600 devices on the SHODAN search engine.
"Do not turn on remote administration ever, for any device," Cutlip said. "That's the number one attack surface and it's the one we usually find bugs in."
To avoid local attacks administrators should secure their wireless networks with strong WPA2 passphrases and make sure strangers are not allowed on their local networks, the researcher said.
These vulnerabilities are unlikely to go away soon, even if patches do get released, because many users never update their routers and other embedded systems. That's because they don't know how or because they're not aware of the risks, and a lack of clear communication about security issues from many vendors contributes to this problem.
Back in April, Craig Young, a security researcher at security firm Tripwire, found critical vulnerabilities in the Web management interface of Netgear's ReadyNAS network-attached storage products, including a vulnerability that could be exploited through a single unauthenticated HTTP request to gain complete root access to ReadyNAS devices.
He privately reported the issues to Netgear and the company released RAIDiator firmware versions 4.2.24 and 4.1.12 in July to address them. However, the majority of ReadyNAS devices exposed to the Internet are still vulnerable, according to Young.
"Shodan seems to indicate that there are more than 10,000 public IP addresses that match my ReadyNAS fingerprint," Young said Monday in a blog post. "Based on a sample size of 2,000 hosts, approximately 73% of the Internet exposed ReadyNAS are running RAIDiator firmware prior to 4.2.24."
"The impact of this ReadyNAS bug is enormous because it doesn't require authentication and attackers gain easy access to incoming user credentials. Successful attackers also gain access to all data stored on the NAS and can use it as a platform for attacks against other network systems," the researcher said in an emailed statement.
Young believes that Netgear is partially responsible for users not being aware of the risks associated with the vulnerabilities he found.
"The only mention of security concerns were in the firmware release notes," he said. "There's just one line: 'Updated Frontview to fix security issues.' Without knowledge of the specific vulnerabilities, customers feel no sense of urgency about installing the update."