This article is more than 1 year old
Wish you could log into someone's Netgear box without a password? Summon a &genie=1
Get patching – there's this auth bypass and loads of other bugs
If you're using a Netgear router at home, it's time to get patching. The networking hardware maker has just released a tsunami of patches for a couple of dozen models of its kit.
The flaws were found by Martin Rakhmanov at infosec shop Trustwave, which has spent over a year hunting down programming gremlins in Netgear's firmware.
Software updates to address these uncovered vulnerabilities have now been released – you should ensure they are installed as soon as you can before scumbags and botnets start exploiting them to hijack broadband gateways and wireless points. Instructions on how to apply the fixes are included in the linked-to advisories.
Some 17 Netgear routers have a remote authentication bypass. This means malware or miscreants that are on your network, or anyone else able to reach the device's web-based configuration interface, can gain control without having to provide a password. Just stick
&genie=1 in the URL, and bingo.
That's pretty bad news for any vulnerable gateways with remote configuration access enabled, as anyone on the internet can exploit the cockup to take over the router, change its DNS settings, redirect browsers to malicious sites, and so on.
Another 17 Netgear routers – with some crossover with the above issue – have a similar bug, in that the
genie_restoring.cgi script, provided by the box's built-in web server, can be abused to extract files and passwords from its filesystem in flash storage – it can even be used to pull files from USB sticks plugged into the router.
Other models have less severe problems that still need patching just in case. For example, after pressing the Wi-Fi Protected Setup button, six of Netgear's routers open up a two-minute window during which an attacker can potentially execute arbitrary code on the router as root over the air.
"Trustwave SpiderLabs has worked with Netgear through our responsible disclosure process to make sure that these vulnerabilities are addressed," Trustwave's Rakhmanov said.
"We'd also like to thank Netgear for their responsive and communicative product security incident response team. It's obvious that their participation in bug bounties has helped them improve their internal process for addressing issues like these." ®