Reset password page available through 'internet' while 'remote management' off?

So, going through the logs on the router, I came across this entry:

[DoS attack: LAND] attack packets in last 20 sec from ip [x.x.x.x], Tuesday, Dec 17,2013 20:41:20

Turns out that the IP address is my 'WAN' IP address - assigned to me by the ISP.

Strange, right?

What's even more strange is that if I hit this IP address, I'm being asked for a username and password to my router. I disabled that setting in the router settings (the 'remote management' checkbox on the 'remote management' tab).

When I press cancel, I am being redirected to this page:

http://x.x.x.x/MNU_access_setRecovery_index.htm

This is the router password recovery page, asking me for the router's serial number. I haven't clicked through this page to see what happens.

But, isn't this a big security problem waiting to happen? If there's some list of serial numbers, someone just needs to keep on pushing these numbers to someone's page and hope that it will return the person's router password.

Shouldn't this page be hidden or something?
Message 1 of 7
Mars Mug
Virtuoso

Re: Reset password page available through 'internet' while 'remote management' off?

therealroland wrote:
... I haven't clicked through this page to see what happens.


Maybe you should, just to see how far you get; it would be unforgivable if just providing the serial number returned the password.

I do agree that what you see is undesirable; unless I have set up remote management, I would prefer there to be no response at all on the WAN side, not even a login screen.
Message 2 of 7
phreebsd
Aspirant

Re: Reset password page available through 'internet' while 'remote management' off?

That serial number page is normal when you provide a wrong password or when you don't provide one at all.

You set up recovery questions ahead of time. Once you enter the serial number, you will be presented with the recovery questions you set up prior that you must answer.
Message 3 of 7

Re: Reset password page available through 'internet' while 'remote management' off?

OK, first test:

- firmware: V1.0.1.22_1.0.15
- verified that remote management has been switched off
- rebooted the router
- entered the IP address my ISP has assigned to me
- entered my username / password
- got into the router, to manage all the settings.

Mind you - remote management has been switched off.

@phreebsd: I understand what you're saying, but as you can see above, the remote management has been disabled.

Or, more precisely: the checkbox that has a label 'remote management' is set to 'not checked'...
Message 4 of 7

Re: Reset password page available through 'internet' while 'remote management' off?

I've filed a ticket with Netgear support about this issue.
Message 5 of 7
phreebsd
Aspirant

Re: Reset password page available through 'internet' while 'remote management' off?

I did fail to see that detail in your post.

Where are you accessing the router from, even though you are hitting the external address?

I would think if you are internal you would be able to manage the router on both internal and external addresses regardless of the remote management setting.
Message 6 of 7

Re: Reset password page available through 'internet' while 'remote management' off?

Very good point: this behavior exists only when hitting the external IP from within the home network. When I use my phone's browser (when using the cellular data connection) I do get proper behavior - a 'connection has timed out' message in this case. I was not aware that using the external IP had this behavior. I will withdraw the ticket at NetGear Support.
Message 7 of 7
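
Added example, not part of the thread or of any Netgear tooling: one way to triage router log entries in the format quoted in the first post, separating entries whose source is the router's own WAN address (a LAND entry means source and destination addresses match) from entries with other sources. The WAN address, the second and third sample lines, and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Pattern follows the log entry quoted in the first post of the thread.
ENTRY = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] attack packets in last "
    r"(?P<window>\d+) sec from ip \[(?P<src>[0-9.]+)\], (?P<when>.+)$"
)

def parse_entry(line):
    """Return a dict for one DoS log line, or None if the line does not match."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m["when"], "%A, %b %d,%Y %H:%M:%S")
    return {"kind": m["kind"], "window": int(m["window"]),
            "src": m["src"], "when": when}

def triage(lines, wan_ip):
    """Split DoS entries into (sourced from our own WAN address, everything else)."""
    own, other = [], []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue  # not a DoS entry; ignore
        (own if entry["src"] == wan_ip else other).append(entry)
    return own, other

# Constructed sample data: documentation-range addresses, not real hosts.
WAN_IP = "203.0.113.7"
SAMPLE = [
    "[DoS attack: LAND] attack packets in last 20 sec from ip [203.0.113.7], "
    "Tuesday, Dec 17,2013 20:41:20",
    "[DoS attack: SYN Flood] attack packets in last 20 sec from ip [198.51.100.23], "
    "Tuesday, Dec 17,2013 21:03:11",
    "[Admin login] from source 192.168.1.5, Tuesday, Dec 17,2013 21:10:02",
]

if __name__ == "__main__":
    own, other = triage(SAMPLE, WAN_IP)
    for e in own:
        print(f"{e['when']}  {e['kind']}: source is our own WAN address {e['src']}")
    for e in other:
        print(f"{e['when']}  {e['kind']}: external source {e['src']}")
```

Entries in the first group are the ones to compare against what LAN clients were doing at that time; the second group has a source outside the router's own address.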