NETGEAR Routers Vulnerable To Weblink-based Exploit

[Dan Goodin]

Dan Goodin at ArsTechnica reports that security experts warned this weekend that a variety of NETGEAR router models are vulnerable to a simple hack that allows attackers to take almost complete control of the devices.

The bug allows remote attackers to inject highly privileged commands whenever anyone connected to the local NETGEAR network clicks on a malicious Web link.

Update: NETGEAR has published this technical bulletin, with links to Beta firmware that fixes the vulnerability

Continue reading on ArsTechnica

 

[AntonK]

http://lifehacker.com/psa-several-netgear-routers-have-an-easily-exploit...

Bummer!

Antonk

 

[dilantin22]

Thought I'd post about this Netgear vulnerability in the forums in case people don't know about it yet.

There is no firmware fix, yet. However, there is a temporary solution using the exploit itself to protect the router but it gets reset when the router is rebooted. See CERT VU#582384 at https://www.kb.cert.org/vuls/id/582384 and ArsTechnica for details.

Looks like it affects many Netgear routers. ArsTechnica and users are reporting many router models being affected.

Netgear R7000, R6400, and R8000 models have been confirmed to be vulnerable, and other models, including the R7000P, R7500, R7800, R8500 R9000, have been reported by end users as being affected.

People can check if they are vulnerable by using a similarly crafted link. Details posted on ArsTechnica article.

The simple exploit published by Acew0rm is powerful because it works without any sort of authentication and works even when vulnerable routers don't have their remote management interfaces exposed to the Internet. To bypass the authentication requirement, the exploit carries out a cross-site request forgery, a hacking technique that injects unauthorized commands into a Web application by exploiting the trust it has in a user's browser.

Sources:
1. http://arstechnica.com/security/201...-hackers-to-seize-control-of-netgear-routers/
2. https://www.kb.cert.org/vuls/id/582384
3. http://kb.netgear.com/000036386/CVE-2016-582384

 

[sfx2000]

https://kalypto.org/research/netgear-vulnerability-expanded/

Post includes how to check for the bug (implement a hack) to see if vulnerable or not...

• NetGear AC1750-Smart WiFi Router (Model R6400)
• NetGear AC1900-Nighthawk Smart WiFi Router (Model R7000)
• NetGear AC2300-Nighthawk Smart WiFi Router with MU-MIMO (Model R7000P)
• NetGear AC2350-Nighthawk X4 AC 2350 Dual Band WiFi Router (Model R7500)
• NetGear AC2600-Nighthawk X4S Smart WiFi Gaming Router (Model R7800)
• NetGear AC3200-Nighthawk AC3200 Tri-Band WiFi Router (Model R8000)
• NetGear AC5300-AC5300 Nighthawk X8 Tri-Band WiFi Router (Model R8500)
• NetGear AD7200-Nighthawk X10 Smart WiFi Router (R9000)

Hacks like this are fair warning for all vendors - while this little hack leverages the router's IP - e.g. 192.168.1.1 in the attack URL, what happens if a vendor has mDNS or DNSmasq, and the URL has the captive item there?

That's more scary...

The real problem is that all tasks run at the same userlevel and as such, the same privileges, which is typically root (admin)... and this is due to the age of most vendors' board support packages that they make their SW run on...

 

[Wutikorn]

I tried this vulnerability test on my Asus RT-AC68U running AsusWRT-Merlin 380.64 Beta 1, and I didn't get any error(instead, I got "Setting have been uploaded. Web page will..."). Does it mean I am vulnerable too? Or is it only Netgear? Note that I was doing this through OpenVPN as I'm not at home.

 

[RMerlin]

I tried this vulnerability test on my Asus RT-AC68U running AsusWRT-Merlin 380.64 Beta 1, and I didn't get any error(instead, I got "Setting have been uploaded. Web page will..."). Does it mean I am vulnerable too? Or is it only Netgear? Note that I was doing this through OpenVPN as I'm not at home.

This exploit is very specific to Netgear's firmware, it does not affect any other firmware.

 

[thiggins]

Update: NETGEAR has published this technical bulletin, with links to Beta firmware that fixes the vulnerability

 

[NETGEAR Guy]

Please read what has been disclosed publicly by NETGEAR from the knowledge-based article, which lists the affected routers and links to beta firmware updates for the three products that were first identified: http://kb.netgear.com/000036386/CVE-2016-582384?cid=wmt_netgear_organic

If you wish to keep up to date on NETGEAR security, please visit: https://www.netgear.com/about/security/?cid=wmt_netgear_organic and sign up to receive the Security Advisory Newsletter.

 

[bodean]

Hope they issue a beta FW for R7800 sooner rather than later

 

[microchip]

@NETGEAR Guy

NG was notified about this issue months ago, and didn't act. Only when the person who discovered it went public, did NG act on it. NOT cool! Please, react faster and don't drag your feet!

 

[pege63]

Sidan på 192.168.x.xxx fungerar inte
192.168.xx.xxx skickade ingen data.

ERR_EMPTY_RESPONSE

So if it said does NOT work, ITS safe?
Does send NO data, its safe?

 

[DanH]

If only ars would stick to tech instead of trying to push their politics....oh well one useful article out of 50 ain't bad I guess.

 

[Killhippie]

Hope they issue a beta FW for R7800 sooner rather than later

R7800 is not on the list of effected routers.

 

[Makaveli]

R7800 is not on the list of effected routers.

Hmm look at post #4

 

[JCJiffy]

Tried the vulnerability check on my X4S R7800 and could not telnet into that port. Which means not vulnerable?

Anyone else tried on their R7800 yet?

 

[Killhippie]

Hmm look at post #4

Thats not Netgears list, and I have tried the attack on my R7800 router and I got a blank page with a 0 in the top left hand corner, either that or the page wouldn't load. I didn't get any information about the routers kernel build or anything else. Also by now I would have hoped Netgear would have tested the nighthawk main range of routers and then be testing the offshoot products for certain countries or shops, as well as other routers like the D series etc.

 

[TheLostSwede]

Yeah, tried my R7800 as well, I get a 0 in the corner of the browser, no telnet access. That is using the latest firmware though, so older firmwares might be affected.

 

[Killhippie]

Yeah, tried my R7800 as well, I get a 0 in the corner of the browser, no telnet access. That is using the latest firmware though, so older firmwares might be affected.

That's possible, I'm on the latest firmware too. One thing I have noticed is that all the vulnerable routers so far appear to be Broadcom units, not Qualcomm. Maybe a different firmware is used with Qualcomm units? (this is completely hypothetical and I may be well off the mark)

 

[sm00thpapa]

Netgear got back to me today and stated the R7800 is not affected as far as they know.

 

[Killhippie]

Netgear got back to me today and stated the R7800 is not affected as far as they know.

It failed on the exploit test anyway so it was okay, at this point I trust my own testing more than Netgears