On December 9, 2016 we first learned of a command injection vulnerability in some Netgear routers. In the worst case, simply viewing a malicious web page could result in your router being hacked. What follows is a recap and expansion of the issue, along with the latest developments. Then, some Defensive Computing suggestions for protecting a router.
Netgear is communicating via their Security Advisory for VU 582384. It has been updated many times since it was initially published and should have the latest information.
To date, the company has confirmed that 11 router models are vulnerable. You might think that enough time has passed for this list to be final, but the advisory still says "NETGEAR is continuing to review our entire portfolio for other routers that might be affected by this vulnerability."
Initially, Netgear issued beta firmware for all the vulnerable models, and it currently has fully-debugged, production firmware for three models. The beta software was, apparently, flawed; the advisory says "If you do not upgrade your firmware to the production version, the potential for this command injection vulnerability remains."
Netgear has pledged to fix every vulnerable router. This is not always the case with routers; many vendors have, at times, not patched known vulnerabilities when a router was deemed too old (End of Life is the official term for "too old").
Netgear has been publicly dinged for ignoring the initial report of this vulnerability. However, the person who found the problem, who goes by AceW0rm, only emailed Netgear once. That's it, one single email message on August 25, 2016. A couple of days ago, he tweeted that Netgear told him they simply missed his email.
We can't know if this is true, but anyone who has ever dealt with a large bureaucracy realizes how likely it is. Sending one single email to a large company and expecting a response strikes me as unrealistic. It's not clear if CERT ever tried to contact Netgear before they published their warning to turn off Netgear routers.
In the first few days, a number of commands were suggested that let Netgear owners test if their router was vulnerable. The best came from Heise in Germany. Not only is their suggestion the least impactful on the router, but Heise was also the only one to offer a screenshot of what a bad response looks like. Their suggestion, in English, was
If this results in a web page with the word "Vulnerable", the router is vulnerable.
Note that all the suggested tests have to be run from a LAN-side device. You cannot use them to test your parents' router without visiting Mom and Dad, or remotely controlling one of their computers.
Netgear routers support alternate firmware, DD-WRT. The current flaw should not affect DD-WRT, not any more at least: this flaw was reported in DD-WRT back in July 2009.
A temporary work-around, shown below, kills the vulnerable web interface of the router. It was suggested by Bas van Schaik; Netgear, for whatever reason, never commented on it at all.
Note that the quotes around "http" must be straight rather than slanted.
To verify that the web interface is truly offline, simply navigate to www.routerlogin.net and hope that it fails. This is a temporary fix; rebooting the router restores things to normal.
But that is insufficient, as bad guys can learn the LAN-side IP address of the computer that loaded the malicious web page. Since most routers have an IP address that ends in 1 (192.168.1.1, for example), this gives the bad guys a target to aim at. That is, if the computer's IP address is 192.168.0.22, then the router on that network is likely 192.168.0.1.
So, don't leave the router at such a predictable address. Many, if not most, routers can be reconfigured to use a different LAN-side IP address.
For example, there is no need to use standard TCP/IP ports when logging on to the web interface of a router. That is, rather than logging in with
many routers let you log in with
where 9999 is an alternate port chosen specifically to make this type of attack harder. Sadly, Netgear routers do not allow you to specify an alternate port.
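The two hardening steps above (a non-obvious LAN-side address and a non-default admin port) can be checked from any LAN-side machine with the small script below. It is an added example, not code from the article or from Netgear; the sample addresses are constructed, and the heuristic that an attacker guesses the first usable host of the victim's subnet is the article's own ".1" observation written as code.

```python
import ipaddress

# Ports a browser uses implicitly for http:// and https:// URLs, so a
# router listening here can be reached without the attacker guessing a port.
DEFAULT_ADMIN_PORTS = {80, 443}


def predicted_router_ip(host_ip: str, prefix_len: int) -> str:
    """The address an attacker would guess for the router knowing only the
    victim's LAN address: the first usable host of the victim's subnet,
    i.e. the address ending in .1 in the article's 192.168.0.22 example."""
    net = ipaddress.ip_network(f"{host_ip}/{prefix_len}", strict=False)
    return str(net.network_address + 1)


def router_guessability(host_ip: str, prefix_len: int,
                        gateway_ip: str, admin_port: int = 80) -> list:
    """Return findings describing how easy the router's web interface is to
    locate from a LAN-side machine. An empty list means both the address and
    the port differ from the obvious defaults the article warns about."""
    net = ipaddress.ip_network(f"{host_ip}/{prefix_len}", strict=False)
    gateway = ipaddress.ip_address(gateway_ip)
    if gateway not in net:
        raise ValueError(f"gateway {gateway_ip} is not on subnet {net}")
    findings = []
    if str(gateway) == predicted_router_ip(host_ip, prefix_len):
        findings.append(f"router address {gateway_ip} is the obvious guess "
                        f"for a host at {host_ip}/{prefix_len}")
    if admin_port in DEFAULT_ADMIN_PORTS:
        findings.append(f"web interface listens on default port {admin_port}")
    return findings


if __name__ == "__main__":
    # Constructed samples: the article's example host with a router on .1,
    # and a network whose router uses a non-obvious address and port.
    samples = [("192.168.0.22", 24, "192.168.0.1", 80),
               ("10.20.30.40", 24, "10.20.30.250", 9999)]
    for host, plen, gw, port in samples:
        issues = router_guessability(host, plen, gw, port)
        print(f"{host}/{plen} via {gw}:{port}")
        for line in issues or ["address and port are not the obvious defaults"]:
            print("  -", line)
```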
Then too, not every computing device on a network has to be allowed access to the router. There are a number of ways to prevent this: VLANs, guest networks (maybe), limiting access by IP address or MAC address, or restricting it to Ethernet-connected devices.
Different routers offer different options; however, not one of these came up in regard to this Netgear problem, so my guess is that Netgear doesn't offer any of these protections (I don't have access to a vulnerable Netgear router, so I can't confirm this).
Finally, Netgear has a Security Advisory Newsletter that, they say, sends announcements once a month. This is the wrong approach; announcements need to be sent on an as-needed basis. I signed up for the newsletter and there was no email about the release of beta firmware or about the production firmware for the first three models. I don't know if Netgear contacted people who registered their routers.
THE BIG LESSON
Taking a step back, it is important to see the big picture here.
Netgear routers, and most other consumer-oriented routers, are simply not appropriate for most people. While they may be a step up from an ISP-issued router (usually the worst option), they suffer from a flaw worse than any single security issue: the way the firmware gets updated.
It's a safe bet that the vast majority of router owners are not keeping tabs on firmware releases. Nor should they have to.
Manually updating router firmware is a tradition that needs to be retired. Non-techies need routers that self-update. Don't ask, don't tell, just update. Like Chromebooks.
Some routers that can update themselves are the Google OnHubs, Google Wifi, Eero, Luma, Netgear's own Orbi, the Synology RT1900ac, the Starry Station, the Turris Omnia and some Linksys and FRITZ!Box models.
I can't see a case for giving any router that requires manual firmware updates to a non-techie. That should be the lesson from this Netgear security vulnerability.
Now that Computerworld, and all of parent company IDG's websites, have eliminated user comments, you can get in touch with me privately by email at my full name at Gmail. Public comments can be directed to me on Twitter at @defensivecomput