
Nasty unpatched vulnerability exposes Netgear routers to easy hacking

jagdtigger

Netgear confirmed the vulnerability over the weekend and said that its R7000, R6400 and R8000 routers might be vulnerable. However, another researcher performed a test and reported that other routers from Netgear’s Nighthawk line are also affected. These include: R7000, R7000P, R7500, R7800, R8500 and R9000.

Users can check if their models are affected by accessing the following URL in a browser when connected to their local area network (LAN): http://[router_ip_address]/cgi-bin/;uname$IFS-a. If this shows any information other than an error or a blank page, the router is likely affected.

In some cases, replacing the IP address with www.routerlogin.net or www.routerlogin.com might also work, because Netgear routers resolve these domain names to their own local IP address.

Since the vulnerability can be exploited with an HTTP request that doesn’t require authentication, hackers can attack the affected routers using cross-site request forgery attacks (CSRF). This works even when the routers don’t have their management interfaces exposed to the Internet.

 

CSRF attacks hijack users’ browsers when visiting specifically crafted webpages and send unauthorized requests through them. This makes it possible for a malicious website to force a user’s browser to exploit the router over the LAN.

CERT/CC recommends that users stop using the affected routers until an official patch becomes available, if they can do so. However, there is a workaround that involves exploiting the flaw to stop the router’s web server and prevent future attacks. This can be done with the following command: http://[router_IP_address]/cgi-bin/;killall$IFS'httpd'

Article:

http://www.pcworld.com/article/3149554/security/an-unpatched-vulnerability-exposes-netgear-routers-to-hacking.html

 

Security Advisory page for this "hole":

http://kb.netgear.com/000036386/CVE-2016-582384


Well, this is one gigantic hole, that's for sure. I didn't expect Netgear to make a huge mistake like this; well, at least they're handling it properly. Hopefully, if the users flash the new patched FW, it will be able to clean out any tampering that was done through this hole (if there was any).
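The check URLs quoted in the article (a shell command appended to /cgi-bin/ with `;` as the separator and `$IFS` standing in for the space) are easy to spot in HTTP access logs from a proxy, IDS or the router itself. The following detector is an added example and is not code from the article or from Netgear; the log format and sample lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Request line in Common Log Format: "GET /path HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Shell metacharacters that have no legitimate place in a /cgi-bin/ path here.
SHELL_TOKENS = (";", "|", "&", "`", "$(", "${", "$IFS", "\n")


def is_cgi_injection(target: str) -> bool:
    """True if a request target matches the /cgi-bin/ command-injection shape.

    The path is percent-decoded twice so that encoded forms such as %3B (';')
    or %24IFS ('$IFS') are caught as well as the literal characters. The query
    string is dropped first, so '&' in ordinary CGI parameters is not flagged.
    """
    path = urlsplit(target).path
    decoded = unquote(unquote(path))
    if not decoded.startswith("/cgi-bin/"):
        return False
    tail = decoded[len("/cgi-bin/"):]
    return any(tok in tail for tok in SHELL_TOKENS)


def scan_access_log(lines):
    """Return (line_number, decoded_target) for every request that trips the check."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and is_cgi_injection(m.group("target")):
            hits.append((n, unquote(unquote(m.group("target")))))
    return hits


# Constructed sample lines (not real traffic). Lines 2 and 3 carry the two
# URLs quoted in the article, once literal and once percent-encoded.
SAMPLE_LOG = [
    '192.168.1.23 - - [10/Dec/2016:12:00:01 +0000] "GET /index.htm HTTP/1.1" 200 5120',
    '192.168.1.23 - - [10/Dec/2016:12:00:05 +0000] "GET /cgi-bin/;uname$IFS-a HTTP/1.1" 200 96',
    '192.168.1.40 - - [10/Dec/2016:12:00:09 +0000] "GET /cgi-bin/%3Bkillall%24IFS%27httpd%27 HTTP/1.1" 200 0',
    '192.168.1.40 - - [10/Dec/2016:12:00:12 +0000] "GET /cgi-bin/status.cgi?t=1&x=2 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for n, target in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: suspicious CGI request {target!r}")
```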


luckily my netgear router (DGND3700v2) doesn't have this vulnerability :D
Shame the newer models have it tho :( 


Not really surprising, really; consumer routers have shit security in general. They are made to hold up a facade of stability and security, but that's about it. I bet they still come with a WPS PIN too, even though that was unsafe as soon as it was invented.


34 minutes ago, tlink said:

Not really surprising, really; consumer routers have shit security in general. They are made to hold up a facade of stability and security, but that's about it. I bet they still come with a WPS PIN too, even though that was unsafe as soon as it was invented.

It's down to the ISP and how much control they have over the hardware they ship. I'm on a 4G plan and AFAIK I have no choice but to use my ISP's hardware. I can turn off the wifi, run my own wifi and put a firewall between myself and the modem, but my ISP still provides the firmware for my modem (hardware I paid for). Should we get a GNU modem movement going? That was addressed with GNUv3, but Torvalds said "nah, fuck ya, we're making good money off v2".


2 minutes ago, SCHISCHKA said:

It's down to the ISP and how much control they have over the hardware they ship. I'm on a 4G plan and AFAIK I have no choice but to use my ISP's hardware. I can turn off the wifi, run my own wifi and put a firewall between myself and the modem, but my ISP still provides the firmware for my modem (hardware I paid for). Should we get a GNU modem movement going? That was addressed with GNUv3, but Torvalds said "nah, fuck ya, we're making good money off v2".

linus-eff-you-640x363.png


1 minute ago, tlink said:

linus-eff-you-640x363.png

I think that finger was for Nvidia. Funny, 'cos Nvidia was first to partner with Ubuntu and Steam. Man's got engineering problems; not man problems, engineering problems.


The kill command doesn't work; it just keeps restarting the HTTP server every time you try to access it.


This is what I get when I put http://[router_ip_address]/cgi-bin/;uname$IFS-a into a browser.


DwCrxYz.png

Edit: I'm using the R7000.


7 hours ago, SCHISCHKA said:

It's down to the ISP and how much control they have over the hardware they ship. I'm on a 4G plan and AFAIK I have no choice but to use my ISP's hardware. I can turn off the wifi, run my own wifi and put a firewall between myself and the modem, but my ISP still provides the firmware for my modem (hardware I paid for). Should we get a GNU modem movement going? That was addressed with GNUv3, but Torvalds said "nah, fuck ya, we're making good money off v2".

As someone who is a tech at an ISP, I can confirm this. I mean, you can provide your own router, but the modems are still shit and are a bigger security hole than the router. They get updated maybe twice in their lifetime and are used until they die. And this is the case for many ISPs. There are a few good brands out there for commercial deployment, but as someone who sees things from the inside: if you can get your own equipment and your ISP lets you, then do it! We have moved to an open-source modem and are seeing a huge improvement in reliability and, most importantly, security, as the modem gets updated almost every two weeks and is updated from the modem level.


I have been very unhappy with my R8000; it has been incredibly unstable, crashing regularly and requiring powering off to cool down for 30 minutes at least once a month (I considered water cooling it).

 

This is just another nail in its coffin.


8 hours ago, SCHISCHKA said:

It's down to the ISP and how much control they have over the hardware they ship. I'm on a 4G plan and AFAIK I have no choice but to use my ISP's hardware. I can turn off the wifi, run my own wifi and put a firewall between myself and the modem, but my ISP still provides the firmware for my modem (hardware I paid for). Should we get a GNU modem movement going? That was addressed with GNUv3, but Torvalds said "nah, fuck ya, we're making good money off v2".

Lucky you. My ISP's modem/router has a non-default password they didn't give me. Its built-in wifi is useless, so I hooked up an older router to act as a hotspot (nothing fancy, but I guess antenna vs no antenna makes a difference... 9_9), but I cannot switch the modem's wifi off. It just keeps irradiating for no reason, adding noise inside my house, with parameters I cannot modify: it's a vulnerability (someone could use my connection by guessing the -default!- wifi password) with no benefits (I don't actually use it). My only consolation is that its coverage is so bad that no one will be able to connect from the outside :P


Are there even any commercial modems that ISPs would let you use?


1 minute ago, PocketNerd said:

Are there even any commercial modems that ISPs would let you use?

We accept any commercial modem as long as we are able to configure it. Also, if it's on fiber you don't need a modem, as the ONT will talk to the router directly. The ONT is on a private network and managed, so it's about the best security you will get.


1 minute ago, mynameisjuan said:

We accept any commercial modem as long as we are able to configure it. Also, if it's on fiber you don't need a modem, as the ONT will talk to the router directly. The ONT is on a private network and managed, so it's about the best security you will get.

CGN is a very bad idea IMHO...


36 minutes ago, jagdtigger said:

CGN is a very bad idea IMHO...

But it's not a CGN... by private network I mean access to the optical hardware. Basically taking the modem out of the equation, and one less security hole.


6 minutes ago, mynameisjuan said:

But it's not a CGN... by private network I mean access to the optical hardware. Basically taking the modem out of the equation, and one less security hole.

Oh, sorry. In my country, if the ISP says private address then they mean CGN... :dry: (I mean, come on, this won't help with the IPv4 address shortage in the long run.)

 

34 minutes ago, Arokhantos said:

 

Why are you even using it still if it's giving you such a bad experience?


If the overheating is the only problem then there is no need to toss it out; just mod it and it's good to go :D.


7 minutes ago, Arokhantos said:

 

That's like saying if explosions are the only problem there's no need to replace the Note 7.

It's not the same thing, you know... You can't fix severe design issues (like in the case of the Note 7) DIY; on the other hand, fixing a heat-sinking issue on a router is a pretty easy task ;).


10 hours ago, Arokhantos said:

Why are you even using it still if it's giving you such a bad experience?

To be fair, even though it is terrible, I have yet to find a router that didn't have serious issues; it is notably better than what I had previously.

I haven't budgeted a network upgrade for another 2 years, and the shop won't accept warranty claims on the basis that it has intermittent issues.


19 hours ago, SCHISCHKA said:

It's down to the ISP and how much control they have over the hardware they ship. I'm on a 4G plan and AFAIK I have no choice but to use my ISP's hardware. I can turn off the wifi, run my own wifi and put a firewall between myself and the modem, but my ISP still provides the firmware for my modem (hardware I paid for). Should we get a GNU modem movement going? That was addressed with GNUv3, but Torvalds said "nah, fuck ya, we're making good money off v2".

Never going to happen. There's a reason only ISPs can push firmware to the modem. The firmware they push specifies each modem's config file for its respective upload and download speeds, provisioning, which channels to use, and possibly which channels get bonded together.

You can actually flash your own modem firmware with JTAG and some know-how, and even spoof your own config file, but you'll likely get caught, and you'll be blacklisted by ISPs.

Secondly, on cable modems at least, the firmware can only be pushed on the WAN side of the connection. It's part of the DOCSIS spec, and it's there for a reason: to prevent malicious people from doing bad things, you know, like packet sniffing on a cable node, or hell, all the connections to a CMTS.

TL;DR: You have no reason to mess with the modem firmware, nor should you need to. The firmware has already been built like a tank with virtually no vulnerabilities. When there are issues found, the likes of Motorola/Arris push out new firmware on a dime.


2 hours ago, ionbasa said:

TL;DR: You have no reason to mess with the modem firmware, nor should you need to. The firmware has already been built like a tank with virtually no vulnerabilities. When there are issues found, the likes of Motorola/Arris push out new firmware on a dime.

whistling.gif

 


9 hours ago, jagdtigger said:

whistling.gif

 

A configuration error, the ISP's fault. @26:24 mark: he clearly says it's the ISP's fault for not doing their homework. The firmware on the modem is still secure. So my statement remains: the firmware is secure. Neglect and mismanagement by the ISP is a security issue, not a firmware vulnerability issue.

 

