Netgear Exploit Found in 31 Models Lets Hackers Turn Your Router Into a Botnet

An anonymous reader shares a report: You might want to upgrade the firmware of your router if it happens to sport the Netgear brand. Researchers have discovered a severe security hole that potentially puts hundreds of thousands of Netgear devices at risk. Disclosed by cybersecurity firm Trustwave, the vulnerability essentially allows attackers to exploit the router's password recovery system to bypass authentication and hijack admin credentials, giving them full access to the device and its settings. What is particularly alarming is that the bug affects at least 31 different Netgear models, with the total magnitude of the vulnerability potentially leaving over a million users open to attacks. Even more unsettling is the fact that affected devices could in certain cases be breached remotely. As Trustwave researcher Simon Kenin explains, any router that has the remote management option switched on is ultimately vulnerable to hacks.

The end of Netgear?

[Futurepower(R)]

My extensive post to a previous story about Netgear, hoping to help Netgear improve: The end of Netgear?

Re:The end of Netgear?

[thomn8r]

The story about netgear vulnerabilities broke last year (and I had read your post on them - thanks!) so why is this getting posting again to /.?

Re:The end of Netgear?

[Joce640k]

Why would a consumer-grade router even have remote-admin?

And why on earth would it be enabled by default?

If it was a car they'd be forcing a recall.

Re:The end of Netgear?

[Cronq]

CVE-2017-5521 is a new problem unfortunately.

Re:The end of Netgear?

[Kremmy]

Generally when this sort of thing breaks, it keeps breaking for a while. There are a lot of new routers on that list that weren't on it the last time I looked at it. I tell you what, it's not possible to do tech effectively if you filter this stuff as reposts.

Have we patched the last vulnerability yet?

FFS, it wasn't long ago that a basic security vulnerability left 300+ million people vulnerable to attack, simply by hacking their election, both emails and the registration servers, attackers were able to insert in a bright orange trojan into office.

Have we patched that yet? Because an exploit for that is out in the wild wreaking havoc on basic security.

The virus attack package it carries lets an impersonation attack happen, it appears to be a real, except it doesn't obey any laws and seizing control of the network by seeding other devices with trojan rootkits under its control.

The malware originates from known Russian hackers.

Re:Have we patched the last vulnerability yet?

[Neuroelectronic]

Nice wordcloud bot.

Re:Have we patched the last vulnerability yet?

[operator_error]

Why bother with creating effective malware when social engineering can yield far more, while consuming fewer resources?

What you might want to do

[naughtynaughty]

Is stop buying consumer grade WiFi routers that are poorly supported and get a plain access point and stick it behind a real router.

Re:What you might want to do

[b0bby]

What real router would you advise which is well supported enough that it's trustworthy? I have a Ubiquiti AP which I'm happy with, but I haven't found a good small solid wired router.

Also, I would say that since the fix has actually been released, these are not "poorly supported". Every router has the potential to need to be updated, the problem comes when you have things like internet connected DVRs which will never get a firmware update. Even better would be an auto-update system for these things since while you and I might update our routers, the vast majority of people will set them up and never look at them again. Of course you and I might not trust such a system...

Re:What you might want to do

[bobbied]

Is stop buying consumer grade WiFi routers that are poorly supported and get a plain access point and stick it behind a real router.

Naw, As an owner of some really nice Cisco routers, stick with the consumer router at home unless you have time to learn how to configure it (or do Cisco work for a living). "Professional" gear isn't worth the trouble or cost for most of us. Not to mention that some of Cisco's offerings are really just their version of a consumer level device (that 500 series) and are pretty hard to configure for normal home use. You can do it (I managed) but it was painful to get all those video applications and games to work as expected.

I do like your access point BEHIND the router as a separate device, but he security you get is really minimal.

What you SHOULD do is buy hardware that is supported by DD-WRT or OpenWRT and erase the manufacturers firmware at your first opportunity. If you really want to be secure, buy 2 and set up a DMZ network behind a firewall for all the consumer devices you cannot control (video players for Netflix, home automation devices, cable boxes, ec) and put all your secure stuff behind another NATed subnet with a firewall.

Re:What you might want to do

[TheGratefulNet]

mcdebian and linksys - check it out.

apt-get goodness for the win!

Re:What you might want to do

[m0gely]

You use Ubiquiti but haven't found a wired only solution? Looked at EdgeRouter? If your AP is UniFi then look at their USG. It's basically the same hardware as the EdgeRouter Lite but running the UniFi software.

Re:What you might want to do

[b0bby]

I'm happy with my current setup (consumer WiFi router + Ubiquiti AP); I did look at the EdgeRouter but didn't think it would improve my setup enough to bother with it.

The Ubiquiti routers have been vulnerable to worms in the past too, so it's not like the onumer routers are the only ones with vulnerabilities.

Re:What you might want to do

[b0bby]

Yeah, I used tomato for a long time, this looks neat too.

Re:What you might want to do

[darkain]

pfSense. Roll your own. All it takes is any old generic x86 machine with 2 NICs in it at the bare minimum. (dual-port gigabit Intel NICs are like $20 on eBay). Or, you can buy pre-built pfSense boxes. Fast, secure, feature rich, and constantly up-to-date.

Re:What you might want to do

[darkain]

This is why I prefer pfSense. It has Cisco like features, but with a DD-WRT/OpenWRT like interface. It is the best of both worlds!

Re:What you might want to do

[The-Ixian]

I have heard that the Ubiquiti Edgerouter is a low cost, fully featured piece of hardware.

https://www.ubnt.com/edgemax/e...

Never owned one myself, but a lot of people who listen to Security Now seem to like it.

Re:What you might want to do

[The-Ixian]

Real weenies write their own iptables rules!

Of course... I am not a real weenie so I use fwbuilder (https://sourceforge.net/projects/fwbuilder/)

Re:What you might want to do

[TheGratefulNet]

I gave up on pfsense. it does not fail gracefully. lose power and reboot and eventually you get corrupted boot media. when that happens, remote mgmt task crashes and you have to reinstall.

too bad. monowall was good but pfsense was horrible for me.

Re:What you might want to do

[T.E.D.]

What if my main concern isn't really "security" on my back end, but not contributing to the botnet problem on the front end?

Re:What you might want to do

[aaarrrgggh]

Ubiquiti has the EdgeRouter-X ($50), and there is always pfsense/netgate sg-100 ($150). Plenty of reliable, well supported hardware out there.

Re:What you might want to do

[naughtynaughty]

I solve loss of power issues with a UPS.

But before I had the UPS I had regular power outages at my OCONUS location and it has rebooted fine every time. Current uptime 110 days with about 4TB of I/O through it. All on a cheap 10W box that cost $120 + a SODIMM and mSATA card. Pairs with another identical box in the US for a full house always on VPN so I can bypass all the geo restrictions.

Stick my AP and everything else behind it.

Easy to use, easy to manage.

Re:What you might want to do

[TechyImmigrant]

>What real router would you advise which is well supported enough that it's trustworthy?

I use an NUC with Linux and set up routing tables, firewall, a fail2ban listener (so my servers can tell it to do the filtering) and NAT. None of this is hard and step by step instructions are widely available. I added a second ethernet port to the NUC via the M.2 port and a 3d printed base to hold the connector. The router doesn't mess with DNS and all things point to Google's DNS. It's simple and doesn't rely on vendor support beyond Linux and support for that is as good as it gets.

I use ubiquity APs because they don't suck too much.

Re:What you might want to do

[bobbied]

Run OpenWRT or DD-WRT and don't enable remote management...Like I said... If you want to run Cisco gear, knock yourself out, but it's over priced and over complicated for use at home.

NEXT!

Re:What you might want to do

[antdude]

What are good cheap consumer grade wifi routers that are fully supported then?

Re:What you might want to do

[AHuxley]

Get more OS brands and AV firms to offer something like Avast 2015 new feature: Home Network Security scanning (4 November 2014)
https://blog.avast.com/2014/11...
Find any device that responds to a list of well understood admin/passwords settings.
That won't help with all device issues but it might help a bit.

Out of the box configuration

[davidwr]

Consumer routers should either require setup prior to use, with "remote access" off by default.

In the alternative, they should be pre-configured with remote access off and local access turned off unless the user presses a button on the router shortly before logging into the router from the LAN side - something akin to the "WPS" push-button-to-connect-to-WiFi setup. The latter is needed to prevent malware from silently logging into the router with default credentials.

Re:Out of the box configuration

Spectacular idea! The only bad thing is the cost of the extra support personnel to man the phone lines when people don't bother to read the detailed instructions on how you've obfuscated what used to be a straightforward task will be coming from your paycheck. Sorry. But great idea!

Re:Out of the box configuration

[Neuronwelder]

I'm all for buttons. They keep people who should not be there, out!

Re:Out of the box configuration

[drinkypoo]

Consumer routers should either require setup prior to use, with "remote access" off by default.

I have literally never seen a consumer router which has remote management turned on by default, neither with the original firmware nor community firmware. I am willing to believe that they exist, but I've even owned two or three Netgear APs and none of them had remote management activated by default either. Especially now that so many devices have an easy setup button, most people probably never actually go into their router config after following the included instructions to change the network name and maybe the channel.

Re:Out of the box configuration

[b0bby]

Almost all (including these Netgears) ship with remote access off by default. This isn't going to be a huge problem for most people who won't have turned that on unless they have malware already on their systems which could exploit this locally.

Re:Out of the box configuration

[JustNiz]

The button thing is a great idea, at least until the router no longer has a default admin password. Alternatively it could require a usb memory stick with a "token" on it to be inserted in the router. You would get the token when you register the device on the manufaturers website.

Re:ddwrt / openwrt / or some variant

[bobbied]

RGR that... DD-WRT for those who like the common feature set, flashy GUI and their hardware is supported and OpenWRT for the rest of us control freaks... Use them both.

Switch to turris omnia router

[Cronq]

Switched from netgear to turris omnia. Netgear firmware and the way they "support" it is a big joke (broken version released; reverting versions; no real testing etc).

So now happy turris omnia router user.

Ubiquiti

[zerofoo]

Cheap - easy - reliable - secure. This is what most home users should run.

Their Amplifi line looks fantastic for most home use.

Asus routers?

[Futurepower(R)]

"I'm not sure any of the alternatives are much better than Netgear..."

Someone told me Asus routers are better. I looked and they do seem good.

Re:ddwrt / openwrt / or some variant

[Woldscum]

RGR that... DD-WRT for those who like the common feature set, flashy GUI and their hardware is supported and OpenWRT for the rest of us control freaks... Use them both.

The problem is for me on a R7000. DD WRT breaks the USB 3 port and the WAP button. My $50 Canon all in one will only connect to my wireless with WAP. I needed to use the R7000s USB 2 port and set up the printer as a IP network printer. But this killed Airprint and scanner on network. DD WRT will not support the USB 3 port because a custom driver needs to be reverse engineered. Also with DD I have a 150-160M cap on speed on both 5 and 2.4. I have used both Open and DD for years and like them. BUT it does not use the R7000 hardware fully.

Re:ddwrt / openwrt / or some variant

[EvilSS]

protect yourself

Yep, running a Netgear Nighthawk but it's been running Tomato Shibby since day one. The feature set is way beyond anything in the stock firmware, and I don't have to worry about Netgear's incompetence.

Re:ddwrt / openwrt / or some variant

[bobbied]

Buy some real router hardware that is supported by DD-WRT or Open-WRT so you have a choice....

I NEVER buy a router that is not already supported (or likely will be supported) by either of these. My last router was from Linksys and was part of their WRT line so OpenWRT was pretty much a given (being that's what it already runs under the Linksys web GUI anyway). My WRT-3200AN is a good choice if you catch it on sale. It has SATA, USB3 and last I saw the WAP button worked if you needed it too, even on the factory firmware.