Hackers exploit serious unpatched Netgear router DNS vulnerability
Netgear is yet to patch a publicized vulnerability that affects its routers. The security hole, which is described as 'serious', has already been exploited but Netgear is yet to act. The exploit allows attackers to change the affected routers' DNS settings and it is estimated that over 10,000 routers have already been attacked.
Netgear had been informed of the vulnerability by two security companies, but is still to release a firmware update to plug the hole. The exploit was privately revealed back in July by Swiss company Compass Security, but separately discovered and publicly published by researchers at Shellshock Labs in September who explain that it allows for "full remote unauthenticated root access" of routers.
Shellshock adds the caveat that WAN administration must be enabled for the vulnerability to be exploitable. It affects the N300_220.127.116.11_1.0.1.img, and N300-18.104.22.168_1.0.1.img firmware, (used in multiple routers, including the WNR1000v4) and enables an attacker to gain router access without requiring a password. Compass Security's advisory notice about the vulnerability shows that Netgear was notified of the problem on 21 July, but has still to release a fix.
The advisory reveals just how simple it is to exploit the vulnerability:
The attacker can exploit the issue by using a browser or writing a simple exploit.
- When a user wants to access the web interface, a http basic authentication login process is initiated
- If he does not know the username and password he gets redirected to the 401_access_denied.htm file
- An attacker now has to call the URL http://<ROUTER-IP>/BRS_netgear_success.html multiple times
After that if he can access the administration web interface and there is no username/password prompt.
Bizarrely, Netgear gave Compass Security access to a beta version of firmware which, when tested, was found to fix the security issue. This was way back at the beginning of September, but the company has not indicated when -- or if -- there will be a public release.
Talking to Threatpost Alexandre Herzog, CTO of Compass Security said that it had been possible to connect to the servers involved in the attacks and download data that suggested that more than 10,000 routers had already been exploited. This figure is slightly at odds with a report from the BBC which has Netgear claiming the figure is under 5,000.