Netgear routers allowing hackers to pass administrator authentication

mbob4568
Guide

Netgear routers allowing hackers to pass administrator authentication

This looks serious... When will we expect a new firmware from Netgear?

Confirmed vulnerable routers:

• NetGear WNDR3700v4 - V1.0.0.4SH
• NetGear WNDR3700v4 - V1.0.1.52
• NetGear WNR2200 - V1.0.1.88
• NetGear WNR2500 - V1.0.0.24
• NetGear WNDR3700v2 - V1.0.1.14
• NetGear WNDR3700v1 - V1.0.16.98
• NetGear WNDR3700v1 - V1.0.7.9
• NetGear WNDR4300 - V1.0.1.60

Routers believed to be vulnerable but not yet tested:

• WNDR3800
• WNDRMAC
• WPN824N
• WNDR4700


Read more at http://www.tweaktown.com/news/43595/netgear-routers-allowing-hackers-pass-administrator-authenticati...
Message 1 of 19
Babylon5
NETGEAR Employee Retired

Re: Netgear routers allowing hackers to pass administrator authentication

This issue was first raised here: http://forum1.netgear.com/showthread.php?t=95287 and has been repeated in several other threads. Netgear are aware of the problem and are dealing with it.
____________________________
Working on behalf of Netgear
My name is Andy
Message 2 of 19
wenglish
Aspirant

Re: Netgear routers allowing hackers to pass administrator authentication

Thanks mbob4568 for posting this here. I would never have seen it in the DGND3700 Discussion Forums (since I don't own a DGND3700).

What are the chances of Netgear's solution being anything other than - buy a newer router?

Mike
Message 3 of 19
mbob4568
Guide

Re: Netgear routers allowing hackers to pass administrator authentication

Thanks... I will check that thread for updates. I'm glad to know they are working on a fix.
Message 4 of 19
jlewter
Guide

Re: Netgear routers allowing hackers to pass administrator authentication

He never said they were fixing it ;P...

New units will probably be fixed, existing units will be up in the air. I don't mean to be a downer on this, but unless there is a big PR storm then it will not get fixed.

Do not enable remote admin as this is often a doorway for a lot of exploits.
Message 5 of 19
mbob4568
Guide

Re: Netgear routers allowing hackers to pass administrator authentication

jlewter wrote:
He never said they were fixing it ;P...

New units will probably be fixed, existing units will be up in the air. I don't mean to be a downer on this, but unless there is a big PR storm then it will not get fixed.

Do not enable remote admin as this is often a doorway for a lot of exploits.


Already did that. I hope Netgear will give us one last update though as the router is still functioning well otherwise.
Message 6 of 19
chilinux
Novice

Re: Netgear routers allowing hackers to pass administrator authentication

I want to start off by saying that I think Netgear usually makes great products at a fair price. I am not posting this out of any hate for Netgear but rather because I think they are a company worth providing feedback to. That having been said, I think the Peter Adkins disclosure[1] points to disappointing failures in Netgear's handling of security at multiple levels.

Even worse, the response from Netgear continues to be less than satisfactory. As jlewter pointed out, there has been no promise of fixing it. Instead, all I can find on the forum are statements that Netgear is aware of the problem. For the sake of Netgear and its loyal customers, I hope they get in front of the issues being raised by this. Not only is fixing this the right thing to do, but some of these devices were sold as having "security" as a key feature. For example, the WNDR3700 is stated as helping "maintain the highest security across your network to ensure your privacy & family is safe while online." The Federal Trade Commission made it clear with their announced settlement against TrendNet[2] that they are willing to go after companies that misrepresent the level of security provided by their product.

The fact is that the proof of concept script provided by Peter Adkins is simple enough to run that a 10 year old could demonstrably find and run it. Once the administrative password is revealed by the script, the parental controls become worthless. Even worse, it might be possible to create a malicious web page that leverages JavaScript to issue the SOAP queries needed to manipulate the router. Since the JavaScript would be running on a web browser on the inside of the network, the work-around of disabling remote admin to mitigate this flaw may be of limited value.

Here are the four areas that I feel this problem indicates that Netgear could improve:

(1) Why was this problem not caught by Netgear itself?

This is not the first time firmware support for Genie has resulted in a vulnerability to bypass authentication [3]. Netgear should have an internal security research team finding how to exploit and patch Netgear's own products. Areas of the firmware known to have a history of security issues should also be an area of focus.

(2) Improve training of Netgear customer support

From the Peter Adkins disclosure: "The initial response from NetGear support was that despite these issues 'the network should still stay secure' due to a number of built-in security features. Attempts to clarify the nature of this vulnerability with support were unsuccessful."

When someone submits a security report which reveals the plain text of the product's current administrative password, the response should never be that the product will still keep the network secure. That just shows a gross misunderstanding of the product and network security. Instead, the reply should be that the vulnerability report will be escalated to the internal security research team.

(3) Provide a way to directly contact the Netgear internal security research team

Also, from the Peter Adkins disclosure: "In the absence of a known security contact these issues were reported to NetGear support."

While Netgear's main web page contains a "Contact Us," none of the options given provide a way to report a vulnerability directly to the product security research team. Again, this isn't the first time a vulnerability has been found in a Netgear product and providing a security contact email address is becoming an industry standard. Updating the contact us page should be a high priority at this point.

(4) Provide a better solution to the issue than stating being "aware"

This has to be the most frustrating aspect of how Netgear has handled this and should also be a high priority for improvement. It has been over a month since Peter Adkins initially contacted Netgear. At this point, I don't think it is unfair for customers to expect a statement of commitment to a fix and maybe a rough ETA.

Currently, the only immediate fix which isn't just a work-around is to upgrade the firmware to DD-WRT. However, Netgear then treats this as a modification outside of the scope of the manual which voids the warranty. It is unfair of Netgear to provide the customers either the option to have a firmware with a history of security vulnerabilities or to void the warranty. It also is not competitive with several other AP router offerings where DD-WRT is supported under the warranty.

Please update the manual to include flashing DD-WRT as part of the scope of the warranty or open the full source code to the Netgear firmware so the security issues can be addressed to the same standard as DD-WRT.

Thanks

References:
[1] http://seclists.org/fulldisclosure/2015/Feb/56
[2] http://www.ftc.gov/news-events/press-releases/2014/02/ftc-approves-final-order-settling-charges-agai...
[3] http://www.pcworld.com/article/2057260/vulnerabilities-in-some-netgear-router-and-nas-products-open-...
Message 7 of 19
Fairytail
Virtuoso

Re: Netgear routers allowing hackers to pass administrator authentication

Message 8 of 19
chilinux
Novice

Re: Netgear routers allowing hackers to pass administrator authentication

minions08 wrote:
This is the official statement from NETGEAR.

http://kb.netgear.com/app/answers/detail/a_id/26840/~/netgear-product-vulnerability-advisory%3A-auth...


This is extremely disappointing. Let me break down this official statement in terms of what it means to me and the lack of a reasonable solution being provided by Netgear.

Reported Date: 2015-02-15


This line alone says so many things in-between the lines and none of them are good. First, the full disclosure notice indicates it was reported on Jan 18th. It then indicates Netgear even created a ticket for it by Jan 20th. The issue was posted publicly on the full disclosure mailing list on Feb 12th. By Feb 15th, some websites that report computer industry news were already covering the issue.

So, by listing the reported date as Feb 15th, Netgear seems to be stating that the flaw won't be acknowledged as reported until the computer industry news picks up the story. This encourages bad behavior in the future for reporting Netgear flaws since it seems to indicate that contacting Netgear directly does not count for anything.

As we investigate this alleged security vulnerability ...


UH! What?!?! First of all, the official announcement is an entire month after being first contacted by the security researcher. But even going on the late "reported date," there were 3 days that passed to "investigate." How long does it take to run the Ruby script and confirm the problem? I was able to do it in 5 minutes. Is this an indication that Netgear currently does not have any employees capable of running Ruby?

... be sure remote management is turned off (this is also off by default) to prevent unauthorized devices from accessing your network from the WAN.


This seems to indicate a gross misunderstanding of just how bad this problem is. From what I can tell, all that has to happen for a malicious website to attack from the LAN side is to convince a Netgear customer to run an Adobe Flash file. At that point, the password needed to re-flash the firmware is provided. An attacker may be able to install their own malicious firmware which is designed to be hard/impossible to remove while the unauthorized activity is relayed through a LAN facing device. While this may be a first mitigation step, it is far from a complete solution.

As to answering the four items I listed previously which would have helped restore my faith in Netgear, here is how I take the answer to be for each:

#1 Issue: Why was this problem not caught by Netgear itself?

#1 Answer implied by official statement:
Netgear doesn't appear to have the skills required to audit its products proactively for security holes and can't even run a Ruby script over a three day period.

#2 Issue: Improve training of Netgear customer support

#2 Answer implied by official statement:
Netgear does not acknowledge contact with customer support as a method to report security issues.

#3 Issue: Provide a way to directly contact the Netgear internal security research team

#3 Answer implied by Netgear:
Netgear still has been unable to update its Contact Us web page.

#3 Answer implied by official statement:
Only by getting the trade media to cover the issue will Netgear acknowledge it as reported so there seems to be no point in providing additional ways to contact Netgear directly.

#4 Issue: Provide a better solution to the issue than stating being "aware"

#4 Answer implied by official statement:
Netgear recommends partial mitigation steps (which are already selected by default) but still does not provide any complete solution. The official statement raises the progress to a solution from Netgear being "aware" to "reviewing/investigating."

NETGEAR takes customer security seriously.


I am sorry but a statement like that really requires a solution to be provided. Otherwise, it is not very reassuring on its own.
Message 9 of 19
jlewter
Guide

Re: Netgear routers allowing hackers to pass administrator authentication

Without saying too much about a previous employer I can say that guessing as to why old issues are not fixed is probably something along these lines.

The company I worked for had 2 (read that as two) guys that wrote firmware and software for the English speaking markets and English based products. You would have hardware put together by someone, sold as a package, and then the 2 guys would write the code to make it work. Testing would happen with feedback and fixes would be dealt with. Now... 6 months down the line if an issue pops up then those two guys would have to drop current projects to go back and deal with old issues. Needless to say that the issues we found in house were never dealt with (If the issue was large enough, we would just upgrade complaining customers to the "New" replacements).

I have also dealt with PACE before and they work in the same way (Only slightly worse as most firmware and software is designed by the lowest outsourced bidder!)... So faults there were not only never addressed, it was impossible for them to be due to the fact that they only had compiled code and getting a fix would mean starting a project all over again!...

It does irk me that NG does not fix this stuff when they are told about it.

There are only two or three ways I can think to actually get these things fixed...
1) Find the fault early (while the product is new to the market and important in PR terms).
2) CERT
3) Release the exploit on a public exploit database.

The exploit I found is not huge in terms of NGs total sales, but I still think knowing and leaving thousands/tens of thousands of routers open to exploit is just wrong.

In other news, older Android devices are now at risk and if your phone is 1+ year old then you probably need to trash it and buy another to fix the issue...

Sadly this is the way all companies want to go these days.
I don't want to be forced to buy a new router every year or two (nor a phone), if 4-7 years of churn isn't enough for these suppliers to survive off of then they are doing something wrong.

I wouldn't ask Linksys for a fix on my old WRT54g (oddly enough they released updates for 10 years!!) but I do expect updates on some of my NG kit that's barely 1 year old..
Message 10 of 19
jerihoek
Initiate

Re: Netgear routers allowing hackers to pass administrator authentication

I have WNR 2000v3. Do I have to be worried about being hacked? Will Netgear notify us of a patch to be downloaded?

thank you!

Message 11 of 19
ElaineM
NETGEAR Employee Retired

Re: Netgear routers allowing hackers to pass administrator authentication

@jerihoek Most vulnerabilities can be fixed by updating the firmware of your router to the latest version.

NETGEAR sends out alert notifications to upgrade the firmware of the affected models.

You may want to check if you have the latest firmware uploaded on your router to prevent security vulnerabilities.

The latest firmware available for your router is 1.1.2.10.

ElaineM
NETGEAR Community Team
Message 12 of 19

Re: Netgear routers allowing hackers to pass administrator authentication


@ElaineM wrote:

@jerihoek Most vulnerabilities can be fixed by updating the firmware of your router to the latest version.

NETGEAR sends out alert notifications to upgrade the firmware of the affected models.

You may want to check if you have the latest firmware uploaded on your router to prevent security vulnerabilities.

The latest firmware available for your router is 1.1.2.10.

The documentation is confusing:

http://kb.netgear.com/app/answers/detail/a_id/24474

The documentation was originally published 01/16/2014 but was updated 10/12/2015. What's the datestamp on the actual firmware image? Given this product is EOL'ed I would wonder if it covers all known vulnerabilities for the WNR2000v3 to current date.

The most recent firmware for WNR2000v5 fixes the SOAP vulnerability:

http://kb.netgear.com/app/answers/detail/a_id/28429

I added that for comparison's sake. The firmware for WNR2000v5 should NOT be flashed to WNR2000v3 ... Avoiding potential misunderstanding and bricking.

WNR2000v3 is so old it might be a candidate for alternative firmware if any is supported and you are an alchemist.

Given Netgear is based on an older version of OpenWRT why can't Netgear keep up with developments on this base and try to minimize the consequences the proprietary GUI and Genie add? Are there legal issues with GPL in being more cutting edge or is it a hardware thing?

Message 13 of 19

Re: Netgear routers allowing hackers to pass administrator authentication


@jerihoek wrote:

I have WNR 2000v3. Do I have to be worried about being hacked? Will Netgear notify us of a patch to be downloaded?

thank you!


You might check this out on the SOAP vulnerability:

https://github.com/darkarnium/secpub/blob/master/NetGear/SOAPWNDR/README.md
"Platforms / Firmware confirmed affected:

...

NetGear WNR2000v3 - v1.1.2.6 (Tested by Shelby Spencer)
NetGear WNR2000v3 - V1.1.2.10 (Tested by Roland Schiebel)"

Message 14 of 19

Re: Netgear routers allowing hackers to pass administrator authentication

I think, to recap today's events, the takeaway message is that if you own the WNR2000v3 router Netgear has kicked you to the curb. The latest firmware 1.1.2.10 recommended by a moderator apparently has the SOAP vulnerability still. This router has been End of Lifed so your best option is finding community supported open firmware that is hopefully compatible or purchasing a new router... Netgear of course to keep the revenue flow and making your old router into a decorative paperweight or doorstop.

So Netgear customers should plan on buying a new router every year? Two years? And they should hope the whitehats are vigilant enough to find and publish firmware flaws and that Netgear takes security seriously enough to be eventually reactive, though not sufficiently proactive?

Any recommendations on more conscientious brands of routers?

Message 15 of 19
ElaineM
NETGEAR Employee Retired

Re: Netgear routers allowing hackers to pass administrator authentication

@jerihoek NETGEAR is working on a new firmware release for WNR2000v3 to address this potential security breach. This new firmware should be available in the next few weeks. We will let you know as soon as we receive a firm release date and notify you as soon as it becomes available.

In the meantime, to avoid this potential security breach, NETGEAR recommends that you ensure Wi-Fi security is turned on (this is the default setting on NETGEAR routers & gateways) to prevent unauthorized devices from joining your network. NETGEAR also recommends that you ensure remote management is turned off (this is also a default setting on NETGEAR routers & gateways) to prevent unauthorized devices from accessing your network from the WAN.

Thank you for being a loyal NETGEAR customer.

ElaineM
NETGEAR Community Team
Message 16 of 19
ElaineM
NETGEAR Employee Retired

Re: Netgear routers allowing hackers to pass administrator authentication

Hi @jerihoek,

I would like to inform you that NETGEAR has released the firmware that fixes the SOAP vulnerability.

Kindly upgrade your firmware by downloading it here.

Thank you!

ElaineM
NETGEAR Community Team
Message 17 of 19
brian1951
Aspirant

Re: Netgear routers allowing hackers to pass administrator authentication

I have a WNR1000v3 and I believe I've been hacked. My PC firewall (Zone Alarm) seems to have blocked any attempts. But I think my Droid phone Android 5.1.1 and my Tablet Android 4.4 appear to be hacked. Various Security App scans show nothing, yet various web browser functions appear compromised.
Message 18 of 19
DarrenM
Sr. NETGEAR Moderator

Re: Netgear routers allowing hackers to pass administrator authentication

Hello brian1951

What browser functions look to be compromised?

DarrenM
Message 19 of 19