Earlier this month, a number of new vulnerabilities were found in 31 models of Netgear routers that could allow an attacker to discover or completely bypass any password on the device - giving them complete control of the router to change its configuration, or even to upload new firmware that turns infected routers into botnet nodes. This discovery comes hot on the heels of flaws in some Netgear devices discovered in December 2016, which were vulnerable to 'command injection' attacks.
In a Trustwave blog post, researcher Simon Kenin explains: "This is a totally new bug that I haven't seen anywhere else. When I tested both bugs on different Netgear models, I found that my second bug works on a much wider range of models. We have found more than ten thousand vulnerable devices that are remotely accessible. The real number of affected devices is probably in the hundreds of thousands, if not over a million."
Anyone with physical access to a network behind a vulnerable router can exploit it locally. This includes businesses offering public or 'client only' Wi-Fi access on vulnerable equipment that was intended mainly for small office or home office use. The vulnerability could also be exploited by a remote attacker if remote administration has been made internet facing by whoever set the device up, possibly without being aware of the repercussions of enabling this feature.
"As many people reuse their password, having the admin password of the router gives us an initial foothold on the network. We can see all the devices connected to the network and try to access them with that same admin password," Kenin said. He then added that it is possible that some of the vulnerable routers could be further infected and ultimately used as bots, and that everyone should ensure they have a two-way firewall installed on every computer on their network - so as to block potential malicious activity from a hacked router.
It is becoming increasingly obvious that small office/home office and other consumer-grade routers typically do not go through stringent security testing before they are put on the market, which allows vulnerabilities such as authentication bypasses and, in extreme cases, remote code execution to be discovered by researchers long after the devices are widely deployed across the globe. Once the vulnerabilities are identified and exploits become public, the affected routers are at major risk of compromise until the vendor releases a patch. Unfortunately, as these consumer-grade devices are considered 'low-cost', the vendor's patch propagation cycle for the embedded software is incredibly slow, and almost always relies on the user applying the patch once it has finally been released.
Unfortunately, this isn't the first time these low-end devices have had major security flaws: this recent discovery has similarities to the 'Misfortune Cookie' flaw identified in late 2014, which affected over 12 million consumer-grade routers from vendors including D-Link, Edimax, Huawei, TP-Link, ZTE and ZyXEL.
If you feel that your business network may be at risk from the use of these types of devices, the Altitude Innovations Team can perform a thorough assessment of your environment and ensure that you are using the right tools to protect your business.
Written by James Mills