Stop using Netgear routers with unpatched security bug, experts warn


A variety of Netgear router models are vulnerable to a simple hack that allows attackers to take almost complete control of the devices, security experts warned over the weekend.

The critical bug allows remote attackers to inject highly privileged commands whenever anyone connected to the local Netgear network clicks on a malicious Web link, a researcher who uses the online handle Acew0rm reported on Friday. The link, which can be disguised to appear innocuous, then injects a command that the router runs as root. The devices' failure to properly filter input included in Web requests is what allows attackers to run powerful shell commands. Netgear R7000, R6400, and R8000 models have been confirmed to be vulnerable, and other models, including the R7000P, R7500, R7800, R8500, and R9000, have been reported by end users as being affected.
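The two weaknesses the paragraph describes (a request parameter passed unfiltered into a root shell, and the ability to trigger the request from a link clicked by someone on the LAN) each have a standard fix. The following Python is an added illustration and is not code from the article, from Netgear, or from the researcher's report; it assumes a hypothetical router diagnostics endpoint that takes a `host` parameter for a ping test, and the header and parameter values in the test are constructed. It shows the unsafe string-concatenation pattern beside a hardened handler that allow-lists the input, hands it to the command as a single argv element so no shell ever parses it, and rejects requests whose Origin/Referer is not the router itself.

```python
import re
import subprocess
from typing import Mapping

# Allow-list for a hostname or IPv4 field: letters, digits, dots and hyphens only.
# Shell metacharacters (; | & ` $ newline) can never match this pattern.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def vulnerable_ping_command(host: str) -> str:
    """The unsafe pattern the article describes: a request parameter is
    concatenated straight into a shell command line. Returned as a string
    here rather than executed, so this example never runs it."""
    return f"ping -c 1 {host}"


def hardened_ping_argv(host: str) -> list:
    """Validate against the allow-list and build an argv list, so the value
    reaches ping as one argument and no shell is involved at all."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("hostname contains characters outside the allow-list")
    return ["ping", "-c", "1", host]


def is_same_origin(headers: Mapping, expected_host: str) -> bool:
    """CSRF guard: a request triggered by a link on a third-party page carries
    an Origin/Referer that is not the router's own address. A request with
    neither header is also rejected (fail closed)."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False
    m = re.match(r"^https?://([^/:]+)(?::\d+)?(?:/|$)", origin)
    return bool(m) and m.group(1) == expected_host


def handle_diagnostic_request(headers: Mapping, params: Mapping,
                              expected_host: str = "192.168.1.1"):
    """Hardened handler (hypothetical endpoint). Returns the argv that would be
    executed, or an error string explaining why the request was refused."""
    if not is_same_origin(headers, expected_host):
        return "error: cross-site request rejected"
    try:
        argv = hardened_ping_argv(params.get("host", ""))
    except ValueError as e:
        return f"error: {e}"
    return argv


def execute_argv(argv: list) -> int:
    """Run a validated argv without a shell and with a timeout. On a real
    device this helper should itself run under an unprivileged account, so
    that even a validation bypass does not yield a root shell."""
    return subprocess.run(argv, shell=False, capture_output=True,
                          timeout=10).returncode
```

The test in a real deployment is simple: a `host` value containing `;`, `|`, `&` or a newline must be refused before any process is spawned, and a request whose Origin or Referer points anywhere other than the router's own address must be refused regardless of its contents.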

"Exploiting this vulnerability is trivial," officials with CERT, the federally funded vulnerability coordination service, warned in an advisory published Friday. "Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available."


Easter egg: DSL router patch merely hides backdoor instead of closing it

Just what you wanted for Easter: a re-gifted backdoor from Christmas.

First, DSL router owners got an unwelcome Christmas present. Now, the same gift is back as an Easter egg. The same security researcher who originally discovered a backdoor in 24 models of wireless DSL routers has found that a patch intended to fix that problem doesn’t actually get rid of the backdoor—it just conceals it. And the nature of the “fix” suggests that the backdoor, which is part of the firmware for wireless DSL routers based on technology from the Taiwanese manufacturer Sercomm, was an intentional feature to begin with.

Back in December, Eloi Vanderbeken of Synacktiv Digital Security was visiting his family for the Christmas holiday, and for various reasons he had the need to gain administrative access to their Linksys WAG200G DSL gateway over Wi-Fi. He discovered that the device was listening on an undocumented Internet Protocol port number, and after analyzing the code in the firmware, he found that the port could be used to send administrative commands to the router without a password.

After Vanderbeken published his results, others confirmed that the same backdoor existed on other systems based on the same Sercomm modem, including home routers from Netgear, Cisco (both under the Cisco and Linksys brands), and Diamond. In January, Netgear and other vendors published a new version of the firmware that was supposed to close the back door.


Backdoor in wireless DSL routers lets attacker reset router, get admin

Eloi Vanderbeken explains the motivation for hacking his own Wi-Fi router in pictures. (Credit: Eloi Vanderbeken)

A hacker has found a backdoor to wireless combination router/DSL modems that could allow an attacker to reset the router’s configuration and gain access to the administrative control panel. The attack, confirmed to work on several Linksys and Netgear DSL modems, exploits an open port accessible over the wireless local network.

The backdoor requires that the attacker be on the local network, so this isn’t something that could be used to remotely attack DSL users. However, it could be used to commandeer a wireless access point and allow an attacker to get unfettered access to local network resources. Update: Vanderbeken reports some routers have the backdoor open to the Internet side as well, leaving them vulnerable to remote attack.

Eloi Vanderbeken described the backdoor in a PowerPoint presentation posted along with the code on GitHub. In his illustrated report, he explained how over the Christmas holiday he was trying to get wireless access to the administrative console of his family’s Linksys WAG200G wireless DSL gateway—mostly so he could limit how much bandwidth the others in the house were using. But Vanderbeken had previously turned off wireless access to the administration web console (and had forgotten his administrative password).
