Home
 » ISP News » 
Sponsored

Trustwave Find Multiple Vulnerabilities in NETGEAR Broadband Routers

Thursday, February 8th, 2018 (6:00 pm) - Score 1,757
netgear nighthark r7000

Digital security specialist Trustwave has this evening detailed 5 recently discovered vulnerabilities in NETGEAR routers, which affects multiple models and this includes some of the more recent hardware (e.g. R/D8500). Time to patch your firmware.. again.

According to Trustwave’s SpiderLabs division, the vulnerabilities range from exploits that would allow an attacker to access administrative credentials (i.e. by manipulating a password recovery feature) to reading any file or executing any command on the device.

The risk is significant and if you own any of the following routers or broadband modem routers then it’s time to update the firmware. NETGEAR has already corrected the flaws ahead of this publication.

List of NETGEAR Routers At Risk
DGN2200v4
R6100
R6220
R6250
R6300v2
R6400
R6400v2
R6700
R6900
R6900P
R7000
R7000P
R7100LG
R7300DST
R7500
R7500v2
R7800
D7800
R7900
R8000
R8300
R8500
D8500
WNDR3400v3
WNDR4500v2
EX6200v2

Unfortunately this isn’t NETGEAR’s first rodeo and they, like many other manufacturers, have had to deal with quite a lot of problems over the past few years (examples here, here and here). As for the vulnerabilities themselves, they are as follows below.

The Five Vulnerabilities

TWSL2018-002: Password Recovery and File Access

Trustwave SpiderLabs Advisory

NETGEAR advisory

Some routers allow arbitrary file reading from the device provided that the path to file is known. Total of 17 products are affected.

TWSL2018-003: Finding 1: Post-Authentication Command Injection

Trustwave SpiderLabs Advisory

NETGEAR advisory

This one affects six products and reflects a root level OS command execution via the device_name parameter on the lan.cgi page, although the attack requires authentication.

TWSL2018-003: Finding 2: Authentication Bypass

NETGEAR advisory

This also affects large set of products (17) and is trivial to exploit. Authentication is bypassed if “&genie=1” is found within the query string.

TWSL2018-003: Chained Attack: Command Injection

NETGEAR advisory

This is a three-stage attack leveraging three separate issues: CSRF token recovery vulnerability and the two findings in TWSL2018-003. As a result, any user connected to the router can run OS commands as root on the device without providing any credentials.

TWSL2018-004: Command Injection Vulnerability on D7000, EX6200v2 and Some Routers

Trustwave SpiderLabs Advisory

NETGEAR advisory

Only 6 products are affected, this allows to run OS commands as root during short time window when WPS is activated.

Delicious
Add to Diigo
Mark Jackson
By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he is also the founder of ISPreview since 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, , Facebook and Linkedin.
Leave a Comment
7 Responses
  1. Tom

    I owned a R9000 (needs to be added to your list).

    3 weeks ago I was hacked, all settings, passwords changed, and even Firmware updated. All via Wi-Fi.

    Netgear is keeping an extremely low profile about this.

    Following this very serious incident and a few others since I bought the R9000 last summer, I asked Netgear to take back all their equipment back and to refund me in full.

    Netgear have accepted, as soon as I threatened to takeLegal action.

    Obviously, they are aware of these serious security issues and are incapable to fix them.

    • The R9000 isn’t officially listed as being affected by any of the above listed problems, so maybe it’s a different issue or they’ve overlooked something.

    • baby_frogmella

      Strange, I’ve been using a R9000 since Dec 2016 and not had it hacked (I use WPA2 encryption) or heard reports of it being hacked through wifi. It might be a good idea to post exactly what happened on SNB forums (Netgear section) and/or the official Netgear forums, It would give Netgear staff a chance to look into this and if necessary, fix this issue for other users at least. Their phone support staff aren’t that great technically so I would stay away from them.

  2. Dude Lebowski

    Are you referring to this blog post? https://www.trustwave.com/Resources/SpiderLabs-Blog/Multiple-Vulnerabilities-in-NETGEAR-Routers/

    If so, they are not new vulnerabilities, but merely a post scriptum about the ones discovered a year ago…

  3. Mike

    Would installing 3rd party firmware (ie: DD-WRT) solve this?

    • Phil

      Yes – because these are issues in the Netgear firmware, rather than the hardware (which is essentially just a board with other peoples chips on it).

      I’ve got an R7800 and run LEDE (long story, it was a fork of OpenWRT and is now becoming the new basis for OpenWRT) – which you can install a heap of packages for – the only thing you lose is the hardware acceleration, but I’ve got a build using Qalcomm fast path and can do 1Gbps wan to lan with ease.

  4. Dude Lebowski

    Read the blog post – these are not new issues, but rather technical details of the issues found last year and fixed as of September.

    The very first line in the blog post on Trustwave says as much:

    “Last year I discovered multiple vulnerabilities in NETGEAR products. Now that these vulnerabilities have gone through the disclosure process and have been patched we can discuss the technical details.”

    At the end:

    “Trustwave SpiderLabs has worked with NETGEAR through our responsible disclosure process to make sure that these vulnerabilities are addressed.”

    Yet news sites jump the gun and miss the point. So much for “responsible disclosure” 😉

Comments RSS Feed

Javascript must be enabled to post (most browsers do this automatically)

Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message. By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.

Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.

NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.

NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.
Promotion
Cheapest Superfast ISPs
  • Hyperoptic £15.00 (*22.00)
    Avg. Speed 30Mbps, Unlimited
    Gift: Code: BLACKFRIDAY
  • Vodafone £20.00 (*22.00)
    Avg. Speed 35Mbps, Unlimited
    Gift: None
  • TalkTalk £22.50
    Avg. Speed 36Mbps, Unlimited
    Gift: None
  • Plusnet £23.99 (*34.98)
    Avg. Speed 36Mbps, Unlimited
    Gift: None
  • Origin Broadband £24.00
    Avg. Speed 35Mbps, Unlimited
    Gift: None
Prices inc. Line Rental | View All
Poll
*Javascript must be ON to vote*
The Top 20 Category Tags
  1. BT (2265)
  2. FTTP (1723)
  3. FTTC (1498)
  4. Broadband Delivery UK (1480)
  5. Openreach (1213)
  6. Politics (1211)
  7. Business (1079)
  8. Statistics (952)
  9. Fibre Optic (871)
  10. Mobile Broadband (869)
  11. FTTH (803)
  12. Ofcom Regulation (800)
  13. Wireless Internet (796)
  14. 4G (753)
  15. Virgin Media (735)
  16. Sky Broadband (542)
  17. TalkTalk (519)
  18. EE (502)
  19. Vodafone (393)
  20. Security (367)
Promotion
Helpful ISP Guides and Tips
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
Sponsored

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms  ,  Privacy and Cookie Policy  ,  Links  ,  Website Rules