NETGEAR routers breached

Trustwave, a leading threat, vulnerability and compliance management company has publicly revealed five new major security holes in certain NETGEAR routers.

Of course, Trustwave and NETGEAR worked behind the scenes to develop new firmware, and the main point of this article is to get NETGEAR router owners to ensure their firmware is updated.

Routers (R) and their modem/router (D) variants affected include (this is not an exhaustive list)

R6100 R6220 R6250
R6300v2 R6400 R6400v2
R6700 R6900 R6900P
R7000 R7000P R7100LG
R7300DST R7500 R7500v2
R7800 D7800 R7900
R8000 R8300 R8500
D8500 WNDR3400v3 WNDR4500v2
EX6200v2 DGN2200v4

The five vulnerabilities are (not all affect every router):

TWSL2018-002: Password Recovery and File Access

Trustwave SpiderLabs Advisory

NETGEAR advisory

Some routers allow arbitrary file reading from the device provided that the path to file is known. Total of 17 products are affected.

TWSL2018-003: Finding 1: Post-Authentication Command Injection

Trustwave SpiderLabs Advisory

NETGEAR advisory

This one affects six products and reflects a root level OS command execution via the device_name parameter on the lan.cgi page, although the attack requires authentication.

TWSL2018-003: Finding 2: Authentication Bypass

NETGEAR advisory

This also affects large set of products (17) and is trivial to exploit. Authentication is bypassed if “&genie=1” is found within the query string.

TWSL2018-003: Chained Attack: Command Injection

NETGEAR advisory

This is a three-stage attack leveraging three separate issues: CSRF token recovery vulnerability and the two findings in TWSL2018-003. As a result, any user connected to the router can run OS commands as root on the device without providing any credentials.

TWSL2018-004: Command Injection Vulnerability on D7000, EX6200v2 and Some Routers

Trustwave SpiderLabs Advisory

NETGEAR advisory

Only six products are affected, this allows to run OS commands as root during short time window when WPS is activated.

How do I know my modem/router is affected?

A router is a computer with CPU, RAM, and storage that can all be accessed. If someone gains administrative access and uploads a custom OS to your router, they can even disable firmware updates and uploads. At this point, your router is now just a plain old infected router.

There are few obvious signs. Things to look for include

  • Increased internet traffic – look at your ISP account and see if there are any increases over the usual level. While its easy to blame the NBN or your ISP slow internet speeds when they are usually fast are a dead giveaway
  • Router acting ‘strangely’. Have you had to reboot the router, has it lost connectivity to the internet, is it simply not working as you remember it
  • Your router lights – especially the internet connection lights are very active
  • The DNS is not the usual one (check with IPCONFIG and compare to your ISP’s DNS list or use F-Secure free router checker
  • You are redirected to websites or search engines you did not select
  • New bookmarks appear in your browser
  • You see more advertisements than normal
  • Your router admin password does not work

How to update your router or modem router

If you lack the skills to update firmware or tighten up network security then call your local computer support geek and get them to come to you.

  • Visit NETGEAR Support.
  • Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.
    If you do not see a drop-down menu, make sure that you entered your model number correctly, or select a product category to browse for your product model.
  • Click Downloads.
  • Under Current Versions, select the download whose title begins with Firmware Version.
  • Click Release Notes.
  • Follow the instructions in the firmware release notes to download and install the new firmware.

Then perform good router hygiene

  • Change the administrator password – don’t reuse any other password
  • Change the Wi-Fi login password
  • Look at the connected devices (if you have access to the administration interface) and block any unknown ones.
  • Use Mac address filtering only to allow known Mac addresses to access it
  • Turn off the Guest Network (unless you need it)
  • Make sure firewall settings (if applicable) are enabled
  • Turn off UPnP (it should not affect the home network unless you have a network storage device that uses it).
  • Install network-based security – devices like Trend Micro Home Network Security offer hardware and software protection to all devices on the network and Fingbox can help prevent unwanted intrusions