NOTE: I followed this story for a number of days. Updates are at the end. And, see my follow-up story: Updates and more on the Netgear router vulnerability
- - - -
At least two Netgear routers, the R6400 and R7000 are vulnerable to a command injection flaw that is easy to exploit and could lead to the total takeover of the routers. This was disclosed yesterday, December 9th, and there has, as yet, been no response from Netgear.
Netgear routers
Documentation on the flaw, so far, has been poor. Most importantly, it's not clear, to me at least, whether the vulnerability can be exploited remotely, from the LAN side of the router or both. If it is locally exploitable, then using a non-standard IP address for the router should offer some defense.
In addition, the only vulnerability test offered so far, starts a Telnet daemon on a non-standard port. There really needs to be a less invasive test.
Twitter user Acew0rm1, who found the flaw has promised a video with more details.
If you own a Netgear router, it's hard to know what to do, especially since there is no complete list of vulnerable models. For owners of the R6400 and R7000, CERT has warned that "Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available."
If nothing else, Netgear owners should do what they can to be notified about new firmware. This means registering the router with Netgear and subscribing to their Security Advisory Newsletter. In addition, older Netgear advisories have suggested checking the NETGEAR genie App for updated firmware. It's available on iOS, Android, Windows and OS X.
Owners of the R7000 and R6400 should also keep an eye on the tech support page for these models (here and here).
Anyone considering a Netgear router, perhaps their new Orbi with its outstanding Wi-Fi performance, can use this issue to gauge how the company deals with security. Specifically:
- How quickly do they acknowledge the problem?
- Do they offer a full accounting of which models are vulnerable and which are not?
- Do they offer any work-arounds to mitigate the problem before updated firmware is available?
- How quickly is updated firmware released?
- Do they admit that some vulnerable routers will not be patched?
On the last issue, Netgear performed well in regard to the NetUSB flaw back in May 2015. Their ReadySHARE Product Vulnerability Advisory listed many vulnerable routers that were End-Of-Life (EOL) and thus would not be patched. All router vendors walk away from old models, all we can hope for, is that they are honest about it.
- - - - - - - - - -
UPDATE: December 10, 2016 11PM ET.
1. CERT has updated their advisory to say that "Community reports also indicate the R8000 ... is vulnerable."
2. Twitter user Acew0rm1 has released a short YouTube video about the flaw he discovered.
3. The video shows that you can test for the flaw from the LAN side of a router. First, you need to know the IP address of your router. My 2013 blog, Find the IP address of your home router, shows how to do this from Windows, iOS, Android, OS X and Chrome OS. Test your router with
http://1.2.3.4/cgi-bin/;reboot
where 1.2.3.4 is the LAN side IP address of your router. Yes, there is a semi-colon just before "reboot." If this reboots the router, it is vulnerable.
4. The flaw is remotely exploitable, see below for how.
5. Acew0rm1 claims that Netgear was informed of this four months ago.
- - - - - -
UPDATE December 11, 2016 1AM ET
The video referenced above shows how vulnerable routers can be infected by loading a malicious web page or advertisement. The technique, abusing an HTML IMG tag to issue a command to the router, has been seen many times before. An example is below. As before, 1.2.3.4 represents the LAN side IP address of the router.
<img src="http://1.2.3.4/cgi-bin/;reboot"
width="0" height="0" border="0">
The "reboot" command is just an example. The flaw allows for many commands and total takeover of the router.
If the attacker is lazy, then, as I suggested above, assigning the router a non-standard IP address, offers some defense. However, a more thorough attacker may be able to learn your LAN-side IP address and then scan your network looking for the router.
This method of attack is not related to Remote Administration (a.k.a. Remote Management). Having it disabled offers no protection.
- - - - -
UPDATE December 11, 2PM ET
Verified, via Twitter, with @Acew0rm1 that this flaw can be exploited by an un-authenticated attacker. Also, he emailed Netgear, informing them of this flaw, back on August 25, 2016.
- - - - - - - - -
UPDATE December 11, 2016 7PM ET
Lots of additional information on this Reddit thread. For example, the same flaw was reported in July 2009 in DD-WRT.
Also, Kalypto Pink has tested many other Netgear routers and reports that the Nighthawk models listed below are also vulnerable.
Nighthawk Smart WiFi Router with MU-MIMO (Model R7000P)
Nighthawk X4 AC 2350 Dual Band WiFi Router (Model R7500)
Nighthawk X4S Smart WiFi Gaming Router (Model R7800)
Nighthawk X8 Tri-Band WiFi Router (Model R8500)
In addition, he confirms that the previously reported R6400, R7000 and R8000 are vulnerable.
The following points are from a great article by Bas van Schaik: A temporary fix for CERT VU#582384 (CWE-77) vulnerability for Netgear R7000 and R6400 routers.
First off, he offers a totally non invasive test for this vulnerability.
http://1.2.3.4/cgi-bin/;uname$IFS-a
where, again, 1.2.3.4 is the LAN side IP address of the router. A good result is an error or an empty page. Anything else, means the router is vulnerable. For example, a vulnerable router might show the following line:
Linux R7000 2.6.36.4brcmarm+ #30 SMP PREEMPT ….
This can be made even easier, by referring to the router by name. Netgear routers use routerlogin.net and/or routerlogin.com. So, that leaves us with this simple and safe vulnerability test:
http://www.routerlogin.net/cgi-bin/;uname$IFS-a
As noted earlier, this test has to be run from a LAN-side device and it tests the router fronting the LAN. You can not use this to test your parents' router without visiting Mom and Dad (or remotely controlling one of their computers).
Better yet, Mr. van Schaik offers the first work-around for the problem. His idea is quite clever, use the bug to disable the vulnerable software. In this case, the vulnerable software is the web interface of the router, and this command kills it:
http://www.routerlogin.net/cgi-bin/;killall$IFS'httpd'
Commenters at Ars have pointed out that the quotes around "httpd" must be straight rather than slanted for this to work. You should be able to verify that this worked, with
http://www.routerlogin.net
If this prompts for a userid/password and lets you login, then the web interface is still running. Should you later need the web interface, then simply power cycle the router.
Whew.
- - - - - - -
UPDATE December 12, 2016 9AM ET
Netgear is looking into this. They have not yet confirmed the vulnerable models. See Security Advisory for VU 582384 which is listed on their main security page.
According to Steve Ragan, the flaw was discovered by Andrew Rollins (a.k.a. Acew0rm1 on Twitter).
- - - - - - - -
UPDATE December 12, 2016 Noon ET
I took my own advice and registered for the Netgear Security Advisory Newsletter a couple days ago. Today, when they issued a new advisory, I did not get an email from Netgear.
- - - - - - - -
UPDATE December 12, 2016 10PM ET
Sander Smith of Sericon Technology questions the validity of the previously published vulnerability tests. He told me, via email, that using a browser and seeing if it 404s or returns something is flawed. He has tested devices that don't return a 404 Page Not Found, but instead try to do something meaningful. And, when the problem is being exploited, he says that vulnerable Netgear devices do not speak true HTTP. That is, there are no HTTP headers, status code, etc. Because of this, some browsers may "act funky when interacting with it".
To address this, he added a Netgear vulnerability check to his Android RouterCheck app. See his blog for more: Test Your Router for the Netgear Vulnerability with RouterCheck.
- - - - - - - - - - -
UPDATE December 13, 2016 10AM ET
The Netgear Security Advisory for VU 582384 has been updated with a list of models that are confirmed to be vulnerable: R6250, R6400, R6700, R7000, R7100LG, R7300, R7900, R8000.
In addition, they said "NETGEAR is continuing to review our entire portfolio for other routers that might be affected by this vulnerability. If any other routers are affected by the same security vulnerability, we plan to release firmware to fix those as well." So, none of the routers will be treated as End-of-Life. Good news.
As expected, Netgear is working on new firmware. What was not expected, is that they have released beta firmware that is available now for the R6400, R7000 and the R8000. Download links are in the advisory.
- - - - - - - - - - - -
UPDATE December 13, 2016 1PM ET
More beta firmware from Netgear (see their advisory). Current list is: R6250, R6400, R6700, R7000 and R8000. And: "... beta firmware versions for the remaining models are being worked on and will be released as soon as possible, some as early as Tuesday, December 13th."
- - - - - - - - -
UPDATE December 13, 2016 3PM
Light bulb just flashed in my head. Here's a new way to defend a vulnerable Netgear router.
Change the port number used for local administration.
Duh. While bad guys can learn the LAN side IP address of a router, they can not learn the port number it is listening on. For example, if the router is listening on port 9999, then
http://1.2.3.4/cgi-bin/;reboot
does nothing as its talking to port 80. To reboot, you would have to do
http://1.2.3.4:9999/cgi-bin/;reboot
I suggest picking a port number between 3,000 and 32,000. They can go up to 65,000 and change. I don't have a Nighthawk router, so I can't confirm that they allow nerds like me to change the local administration port number. My favorite router, Peplink Surf SOHO supports this and I do it all the time.
Twitter user @Acew0rm1, who found the flaw to begin with, reminded me on Twitter that, just like changing the router LAN side IP address, bad guys can brute force looking for the port number the router is listening on. But, since so few people change the port, its a reasonably good defense, for the time being.
8PM: Someone with a Netgear R6400 tells me that you can not change the port used for local administrative access. Insecure by design.
- - - - - -
UPDATE December 13, 2016 4PM ET
Heise has the best vulnerability test so far, a simple echo command - and a screen shot of exactly what to expect on a vulnerable Netgear router. In German though.
- - - -
UPDATE Tuesday December 13, 2016 11 PM ET
Another potential work-around from a Twitter user: a Guest network. Maybe, the Netgear guest networks block access to the router's web interface. Maybe. I do this all the time on the Peplink Surf SOHO, but it's a big step up from consumer routers.
- - - - - -
UPDATE Wednesday December 14, 2016 3 PM ET
FYI: Some people run DD-WRT firmware on Netgear routers. This vulnerability is in Netgear firmware, so alternate firmware, such as DD-WRT, is safe. But, to be sure, it can't hurt to run one of the tests cited above.
And, now that Netgear has released beta firmware for all the vulnerable router models, I have still not been emailed anything by the company, despite subscribing to their vulnerability mailing list.
- - - - - - - -
UPDATE Friday December 16, 9PM ET
Netgear has started releasing production (no longer beta) firmware. To date, only for the R6400, R7000 and R8000. They have changed their opinion of the D7000. Initially thought to be vulnerable to this attack, they now consider it safe. Netgear now considers 11 routers vulnerable to this flaw.
And, apparently the beta firmware was not fully baked. The security advisory now says "If you do not upgrade your firmware to the production version, the potential for this command injection vulnerability remains."
On another note, David Gerwirtz of ZDNet just wrote an interesting article, Sacrificing router flexibility for security with Google Wifi and OnHub, that makes a case for Google Wifi routers based on security rather than Wi-Fi range. The article ends with
Unlike with the Netgear, it's unlikely you'll wake up one Monday morning to an announcement from CERT telling you to throw out your Google Wifi because it's been p0wn3d. That, alone, justifies my recommendation.
Not to pick on Netgear, but this vulnerability really illustrates the importance of routers that can self-update. Especially, when owned by non-techies.
----------------------------------------------------
FEEDBACK
Now that Computerworld, and all of parent company IDG's websites, have eliminated user comments, you can get in touch with me privately by email at my full name at Gmail. Public comments can be directed to me on twitter at @defensivecomput.