Your Netgear router may expose your password if you don’t update its firmware

Netgear acknowledges router vulnerability, urges firmware updates

Netgear Nighthawk AC2600 router
Bill Roberson/Digital Trends
The security of internet infrastructure devices like routers and wireless access points, along with all kinds of devices that connect through them, has been of particular concern lately. Recent distributed denial of service (DDoS) attacks have originated in Internet of Things (IoT) devices, for example, and a slowdown in such issues doesn’t seem imminent.

Although Netgear recently released firmware updates to resolve a malicious link exploit in its line of internet routers, yet another issue remains to be tackled. This time around, it’s a vulnerability that can expose the administrator password in certain Netgear routers, as Tom’s Hardware reports.

According to security firm Trustwave, Netgear routers have actually suffered from a couple of security vulnerabilities since April 2016. Although Trustwave contacted Netgear on a number of occasions during the ensuing nine months, Netgear didn’t provide a direct response, though it did eventually issue a security bulletin covering the issue.

As researcher Simon Kenin indicated on the Trustwave blog Monday, the vulnerability is simple enough that even someone with limited programming skills can exploit it. Kenin describes the bugs as such: “After few trials and errors trying to reproduce the issue, I found that the very first call to passwordrecovered.cgi will give out the credentials no matter what the parameter you send. This is a totally new bug that I haven’t seen anywhere else. When I tested both bugs on different Netgear models, I found that my second bug works on a much wider range of models.”

The two bugs require either physical access to a router or remote access to be turned on. According to Trustwave’s analysis, at least 10,000, and likely hundreds of thousands or even millions of devices, are potentially vulnerable. For Netgear’s part, the company did issue an advisory in June, along with a workaround for the issue, and has since released firmware updates to resolve it.

Netgear subsequently reached out to us with a statement on the issue. Here it is in its entirety:

“NETGEAR is aware of the vulnerability (CVE-2017-5521), that has been recently publicized by TrustWave. This is not a new or recent development. We have been working with the security analysts to evaluate the vulnerability from the time they first contacted us. After being notified of the vulnerability in April, we released the first batch of fixes in June and prioritized the products based on the greatest number of customers or shipments. Since that time we have continued to release fixes for the remaining products, most of which are older obsolete products with a smaller install base, although it is important to note that we notified users of workarounds for all affected products contemporaneously with the first batch of fixes in June, so no one would be vulnerable pending the remaining fixes. NETGEAR has published a knowledge base article from our support page, which lists the affected routers and the available firmware fixes.

Firmware fixes are currently available for the majority of the affected devices. To download the firmware release that fixes the password recovery vulnerability, click the link for the model and visit the firmware release page for further instructions. For devices that are still pending final firmware updates, please continue employing the advised workaround, which for most users requires no action to be taken.

Please note that this vulnerability occurs only if an attacker has access to the internal network, which requires close physical proximity plus WiFi password access, or when remote management is enabled on the router. Our routers are shipped from the factory with remote management turned off by default and can only be turned on through the advanced settings, so unless you have affirmatively enabled remote management on your router, no further action is required.

NETGEAR does appreciate and value having security concerns brought to our attention. We constantly monitor for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.

It is NETGEAR’s mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.”

The bottom line, as usual, remains the same: Ensure that your router is fully updated with the latest firmware and that you have turned off all unnecessary features — such as remote access capability — that could open your network up for attack. Conducting research on which internet-connected devices are considered secure should also be added to the list of specifications when making a purchase.

Story originally published in January 2017. Updated on 02-01-2017 by Mark Coppock: Added Netgear statement.
