Wednesday, December 14, 2016

CERT warns of Netgear NightHawk Router Security Flaw, VU 582384 Vulnerability - Exploit News and Fix

I occasionally write about general computer tech that affects our hobby. Well, I think our broadband Internet connections and routers definitely fall into that category. I will add more details to this post as they become available about this exploit.

CERT: Vulnerability Note VU#582384 - Multiple Netgear routers are vulnerable

Netgear's Response to Acew0rm's discovery (also links to updated firmwares)

Naked Security: Netgear router remote control bug – what you need to know

Kalypto: NetGear Vulnerability Expanded

Affected Routers
As at 2016-12-14 ... Netgear listed the following models: R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7300, R7900, R8000, D6220, D7000. IIRC, all these routers are in the NightHawk series, but watch for this list to possibly change a bit. Don't let this exploit change your opinion of these routers. For consumer-class routers, these are a good value. They are some of the fastest, feature loaded, and most dependable routers available right now (IMO, especially the R6400).

Mainstream News Articles

Wired: A Ton of Popular Netgear Routers Are Exposed—With No Easy Fix

Fortune: Unplug Your Easily Hijacked Netgear Routers Pronto

LifeHacker: More Netgear Routers Found To Be Vulnerable To Super Easy Exploit


My Current Situation
I purchased and installed my Netgear R6400 (AC1750) router in March 2016. An easy choice since I liked my old Netgear WiFi-N router (circa 2010). The (dual-core) Netgear R6400 even has the new NightHawk technology without the extra cost (I did some pre-sales research).

I like to think I use adequate encryption on the WiFi (and Guest Network is OFF). I also use the "wired part" heavily (I also have an 8-port Gigabit Ethernet switch attached). This is because I have a few too many wired devices than the R6400 has ports for, but the R6400 is still the "gate-keeper" for the whole network or LAN. I left the uPnP ON (a first for me, but sure is nice not having to setup Firewall PinHoles or Port-Forwards). I have always kept the "Remote Management" feature OFF. I'm using a DHCP-range to hand-out dynamic IPs (and a few of those IPs are Reserved Addresses) as well as some Fixed IPs beyond that range (for Printers, TVs, etc.). The SPI-class firewall is always ON (because there is no way to accidentally disable it) ... which I like. This SPI Firewall must be on or your network is basically unprotected and completely exposed. All my networking equipment is on an APC UPS unit.

Verifying this Exploit Exists
My current firmware is v1.0.1.6. I used the "Can I test my own router?" exploit test from the Naked Security link above.
I visited this URL in the browser : http://routerlogin.net/cgi-bin/;uname
I got a whole browser page of code (depending on browser, it might look differently in some), but "Linux" is always the last word at the very bottom. That is what they are talking about (the command ran). So with this older firmware, my router definitely has the vulnerability (as expected).

Updating Firmware
These are the steps I followed. I will do this again when final (non-beta) version is released (and continue to keep the firmware updated). Once firmware is "Released as Final" you will be able to upgrade it within the router's Admin Console like normal.
1. Get everyone off the network and the Internet so you can work on it for a few minutes. Better to use a computer connected to network with a real Ethernet wire (not wireless or WiFi).
2. Downloaded updated firmware for my R6400 to my local computer. Unblock file after download.
3a. In router's Admin Console Interface, I backed-up my settings to a local file (just in case - Plan-A).
3b. Save any non-default Router Settings to hard copy (Plan-B). You can write them down, take pics, or save screen-shots.
4. In Advanced, Router Update, Browse to new firmware file and select it. Then click Upload.
5. It will show progress bars of both Updating and its Reboot.
6. Worked fine for me. Router came back online, so I logged back in. The router's Status Page and other settings I viewed still look correct (no loss of data). Logs will be reset. Internet access is working (at least at this one machine).
7. Do not be in a hurry to do next step (you must be absolutely sure firmware is done and router is completely rebooted and working again). Turn off all networking gear (modem, router) for 15 seconds, and then turn back on. This will re-initialize the modem and test broadband for proper new connection negotiation. But mainly, it cold-boots the router now that it's running a new firmware ... this seems to be required on these NightHawk modems after any firmware upgrade.
8. Re-Test machines for network connection, WiFi, printing, Internet access, etc. All mine work fine.

Re-Testing for Exploit (with fixed firmware)
My new current (still in beta) firmware is v1.0.1.18_1.0.15 . Using the above exploit test again, I now only get the router's Admin Login Prompt (waiting for credentials) or a "401 Unauthorized" message in the browser. It could NOT bypass the Admin Login and run a command like before. Looks like the fix is working. All computers and devices are still connecting and Internet access is working fine.

Other Thoughts
As security experts know, any time you choose easy-of-use (or freedoms) over security, you sacrifice some security (protections). In a way, this is what Netgear has done by invoking routerlogin.net (instead of users having to know their router's actual local IP address ... for use on the "safe side" of the router ... aka, their local network). However, since you ARE on the safe-side, I'm not sure that your router's IP address was ever meant to be a true security mechanism.

In general, I have always suggested that router owners (Netgear brand or otherwise) should keep their "Remote Management" options turned OFF. This restricts any router Administration to your local network (and to some extent, possible hacks). Before WiFi, this meant hackers had to be inside the structure with a physical wire connection to your network (but now, they can be next-door with a phone). Everyone should have strong passwords set ... not only on their encrypted WiFi SSID-AccessPoints, but also on their router's Administration Logins.

Finally, I think any router owner (and brand) can use the above URL to test for this exploit. However, if it's not a recent Netgear router, it would be something like http://192.168.1.1/cgi-bin/;uname , where 192.168.1.1 is the IP address of your particular router. Many router manufacturers use the same open-source Linux as a code-base for their routers as well, but its unclear whether the un-patched exploit is in this base-code, or in Netgear's branch.

Updates 
01-17-2017: Looks like R6400's previous beta firmware v1.0.1.18_1.0.15 has been changed to "Release Version Status" without any changes. There is no immediate need to reflash since the files digitally match. At this point, my R6400 is already running the current release version. 

No comments:

Post a Comment

The stupid spammers have now forced me to approve each Comment before it appears (but I am usually pretty quick about it).