Story image

Trustwave uncovers major vulnerabilities in NETGEAR routers

31 Jan 17

Your NETGEAR router is at risk of being hacked and users should check to see if theirs needs patching, according to a new blog by Trustwave SpiderLabs.

Researchers at SpiderLabs found that some Netgear routers can be hacked through their web server by using unauthenticated password disclosure – a method that can gain vulnerable password credentials.
After experimenting on a number of Netgear router models, the researcher found another vulnerability that will give credentials for any parameter.

The vulnerabilities, now named CVE-2017-5521 and TWSL2017-003, were sent to Netgear in April 2016 but Trustwave says that Netgear has been slow to respond.

“In our initial contact, the first advisory had 18 models listed as vulnerable, although six of them didn't have the vulnerability in the latest firmware. Perhaps it was fixed as part of a different patch cycle. The second advisory included 25 models, all of which were vulnerable in their latest firmware version,” the blog says.

The vulnerability affects a large number of routers, possibly those in the millions, Trustwave says. The vulnerabilities can be used to conduct a remote attack if administration is set to internet-facing.

While it is not turned on by default, Trustwave says anyone with physical access to a network with a vulnerable router can exploit the vulnerabilities. Routers can also be used as part of botnets.

“As many people reuse their password, having the admin password of the router gives us an initial foothold on the network. We can see all the devices connected to the network and try to access them with that same admin password,” Trustwave says.

While Netgear provided a fix for a small number of routers. There are 18 patches and two models that are now ‘not vulnerable’, there are still a number that have not been patched and even a Lenovo router that uses Netgear firmware, Trustwave says.

“Over the past nine months we attempted to contact NETGEAR multiple times for clarification and to allow them time to patch more models. Over that time we have found more vulnerable models that were not listed in the initial notice, although they were added later. We also discovered that the Lenovo R3220 router is powered by NETGEAR firmware and it was vulnerable as well,” the blog says.

While communication issues with Netgear delayed processes, the company has since committed to push out firmware to unpatched models.

Netgear also committed to working with Bugcrowd, a third party vendor that oversees bugs, patching and provides ‘bug bounty’ rewards to researchers.

Trustwave recommends those with Netgear routers check the Knowledge Base Article to see if you are affected.   

Kiwis losing $24.7mil to scam calls every year
The losses are almost five times higher compared to the same period last year, from reported losses alone.
How to configure your firewall for maximum effectiveness
ManageEngine offers some firewall best practices that can help security admins handle the conundrum of speed vs security.
Exclusive: Why Australian enterprises are prime targets for malware attacks
"Only 14% of Australian organisations are continuously training employees to spot cyber attacks."
Exclusive: Why botnets will swarm IoT devices
“What if these nodes were able to make autonomous decisions with minimal supervision, use their collective intelligence to solve problems?”
"Is this for real?" The reality of fraud against New Zealanders
Is this for real? More often than not these days it can be hard to tell, and it’s okay to be a bit suspicious, especially when it comes to fraud.
Why you should leverage a next-gen firewall platform
Through full lifecycle-based threat detection and prevention, organisations are able to manage the entire threat lifecycle without adding additional solutions.
The quid pro quo in the IoT age
Consumer consciousness around data privacy, security and stewardship has increased tenfold in recent years, forcing businesses to make customer privacy a business imperative.
Kordia launches Women in Tech scholarship at the University of Waikato
The scholarship is established to acknowledge and support up-and-coming female talent and future technology leaders.