Security

Microsoft warns of serious vulnerabilities in Netgear's DGN2200v1 router

Gadget capable of 'opening the gates for attackers to roam untethered through an entire organisation'


Netgear has patched serious security vulnerabilities in its DGN2200v1 network router, following the discovery of "very odd behaviour" by a Microsoft security research team - a somewhat understated way of saying that attackers can gain "complete control over the router."

Unveiled by the company at the Consumer Electronics Show back in 2010, Netgear's DGN2200 is an ADSL modem-router combo box with, the company promised at the time, security features including "live parental controls, firewall protection, denial-of-service (DoS) attack prevention, [and] intrusion detection and prevention (IDS)."

Sadly, one thing didn't make the list: functional authentication. As a result, it's possible for remote attackers to take over the router at any time - as discovered by members of the Microsoft 365 Defender Research Team.

"We discovered the vulnerabilities while researching device fingerprinting in the new device discovery capabilities in Microsoft Defender for Endpoint," the research team said. "We noticed a very odd behaviour: a device owned by a non-IT personnel was trying to access a NETGEAR DGN2200v1 router's management port.

"The communication was flagged as anomalous by machine learning models, but the communication itself was TLS-encrypted and private to protect customer privacy, so we decided to focus on the router and investigate whether it exhibited security weaknesses that can be exploited in a possible attack scenario."

The answer, it turns out, is yes - and how. The three core vulnerabilities discovered by Microsoft, rated high-to-critical severity with CVSS scores ranging from 7.1 to 9.4, have been described in no lesser terms than "opening the gates for attackers to roam untethered through an entire organisation."

The core issue behind the vulnerabilities is an authentication bypass flaw, the result of sloppy coding which makes it possible to access any resource on the router simply by including a substring in an HTTP GET request.

Once exploited, further vulnerabilities allow for security credentials - both those for the router and those for its WAN-side network connection - to be retrieved.

This isn't the first time Netgear has been caught with its security pants down, either - nor even the first this year. Back in March the NCC Group warned of 15 serious vulnerabilities in the Netgear JGS516PE Ethernet switch, its devices were implicated as being vulnerable to the DNSpooq attack, and in February SonicWall fingered the DGN1000 and DGN2200 as under active attack from vulnerabilities very similar to those discovered by Microsoft - the patch for which apparently failed to take.

"Third-party routers are often the way to go to own more control, but it doesn’t always mean they are bulletproof," Jake Moore, cybersecurity expert at ESET UK, told The Register.

"Although it would be worst-case scenario that any connected devices were to be attacked, this highlights that people must stay alert to such threats and to keep on top of patching all devices. And, of course, it is recommended to download and update to the latest firmware for this Netgear router to protect your network."

More details on the vulnerabilities are available on the Microsoft blog, while instructions on upgrading the firmware to the fixed v1.0.0.60 release are on the Netgear website.

Netgear, which in its partial defence has voluntarily patched the issues and released a firmware update for what is now an 11-year-old product, was approached for comment. ®

Send us news
13 Comments

Head of Big Tech Expertise? Believe it or not, it's a UK.gov vacancy for a Whitehall job

What happened to loosening stranglehold of major tech firms on the public sector?

UK government is on the hunt for an expert to help shape relations with the likes of AWS, Microsoft and Google, a role that includes a remit to "fulfil partnership opportunities" with the megacorps and "deliver against their needs and demands."

The Head of Big Tech Expertise role is based within the Digital and Tech Policy Directorate of the Department of Culture, Media and Sport (DCMS) - the “heart of the Government’s strategic policy-making and industry engagement on all things relating to tech and digital”.

"Are you interested in the way Big Tech shapes other UK economy and society? Do you want to work with the most powerful technology companies in the world (sic)," the job ad asks.

Continue reading

IR35 is the biggest threat to the contractor working model, survey finds

Brexit, COVID-19 and tax rises all eclipsed by the omnipresent rule change, study of contractors finds

The majority of contractors see the IR35 changes to the way employment status is judged as the biggest threat to their business in 2022, according to recent research.

A survey of more than 1,200 contractors by IR35 insurance provider Qdos shows that 61 per cent see the rule changes as the "biggest threat" to the contracting business model, which is said to be worth more than £300bn annually to the economy, according to the IPSE, the contractors, consultants and interims association.

Qdos found this was more than 10 times the number of contractors most concerned about the impact of coronavirus (6 per cent) or Brexit (6 per cent). Incoming dividend tax increases (18 per cent) were earmarked as the second biggest threat, although only a third of folk surveyed were concerned about those changes.

Continue reading

Infosec chap: I found a way to hijack your web accounts, turn on your webcam from Safari – and Apple gave me $100k

Now you see a harmless PNG. Now it's a malicious payload. Look into my eyes

A security bod scored a $100,500 bug bounty from Apple after discovering a vulnerability in Safari on macOS that could have been exploited by a malicious website to potentially access victims' logged-in online accounts – and even their webcams.

Ryan Pickren, last seen on The Register after scooping $75k from Cupertino's coffers for finding an earlier webcam-snooping flaw, said the universal cross-site scripting (UXSS) bug in Safari could have been abused by a webpage to hijack a web account the user is logged into, which would be bad. It was also possible to activate the webcam.

Pickren told El Reg the flaw granted "full access to every website you've visited in Safari, meaning that if you're visiting my evil website on one tab, and then your other tab, you have Twitter open, I can jump into that tab and do everything you can from that screen. So it does allow me to fully perform an account takeover on every website you visited in Safari."

Continue reading

Google dumps interest-based ad system for another interest-based ad system

For FLoC's sake, people

Google has given up on Federated Learning of Cohorts (FLoC), a categorization system for serving interest-based ads, and replaced it with Topics, a categorization system for serving interest-based ads.

Caught between the push to do something about cookie-based tracking and the counter-revolution to get regulators to keep third-party cookies alive, the Chocolate Factory has proposed a revision of its ill-fated FLoC plan.

"With Topics, your browser determines a handful of topics, like 'Fitness' or 'Travel & Transportation,' that represent your top interests for that week based on your browsing history," explained Vinay Goel, product director for Google's Privacy Sandbox, in a blog post on Tuesday.

Continue reading

Watchdog clears 90 per cent of US commercial aircraft to land in low visibility at nation's 5G C-band airports

Don't start celebrating just yet if you own a Boeing 747-8, 747-8F, 777

Nine out of ten of America's commercial aircraft can land in low visibility using radio altimeters at US airports that have nearby 5G C-band masts, the country's aviation watchdog said this week.

There is some concern that signals at the top of the 5G C-band, namely 3.98GHz, could bleed into the 4.2-4.4GHz band used by airliners' radio altimeters, which are quite handy when visibility is poor. The presence of 5G-C masts could thus affect the ability of aircraft to land safely in sub-optimal weather, it's been claimed.

AT&T and Verizon this month agreed to partially stall the roll out of 5G-C masts in the US – deploying the tech away from airports – while the Federal Aviation Administration (FAA) looked into matter. Specifically, the watchdog has been checking the radio altimeters on commercial aircraft to see if the equipment works as expected within range of 5G-C communications.

Continue reading

Linux distros haunted by Polkit-geist for 12+ years: Bug grants root access to any user

What happens when argc is zero and a SUID program doesn't care? Let's find out!

Linux vendors on Tuesday issued patches for a memory corruption vulnerability in a component called polkit that allows an unprivileged logged-in user to gain full root access on a system in its default configuration.

Security vendor Qualys found the flaw and published details in a coordinated disclosure. 

Polkit, previously known as PolicyKit, is a tool for setting up policies governing how unprivileged processes interact with privileged ones. The vulnerability resides within polkit's pkexec, a SUID-root program that's installed by default on all major Linux distributions. Designated CVE-2021-4034, the vulnerability has been given a CVSS score of 7.8.

Continue reading

Now that's wafer thin: Some manufacturers had less than five days of chip supplies, says Uncle Sam

Components fabbed using 40nm-plus process nodes hit hard

Hardware manufacturers hit hardest by the global semiconductor shortage had less than five days of chips in their inventories last year – and should expect supply chain issues to continue throughout 2022 – the US Department of Commerce said this week.

Demand for semiconductors skyrocketed during the pandemic as folks purchased more PCs, laptops, and tablets to work or learn from home, and cloud giants scaled up their backend systems to cope. Supply, however, couldn't keep up. The median inventory of semiconductor buyers in 2019 was 40 days of supply. By 2021 that figure was down to less than five days for certain key US sectors, the department said in a report, while demand was up 17 per cent.

Production was initially slowed at factories around the world due to shelter-at-home orders as the coronavirus pandemic took hold. Some facilities had to temporarily shut down after they were hit with natural disasters, such as fires and snowstorms. But between Q2 2020 and the end of 2021 fabs were operating at over 90 per cent capacity and still couldn't meet global demand.

Continue reading

Baidu's AI predictions for 2022: Autonomous driving! Quantum computing! Space! Human-machine symbiosis!

Did a computer program tell them to write this?

Baidu Research's AI-centric "Top 10 Tech Trends in 2022" report has outlined the Middle Kingdom megacorp's predictions for technology over the coming year.

Baidu CTO Haifeng Wang describes AI as a "key driving force of innovation and development," thanks to rapidly evolving core technologies, cross-domain connectivity, and expanding applications.

It's no surprise that the list focuses on AI given Baidu's business domain. The Beijing-based company's search engine captures over 70 per cent of the Chinese market while also developing other products, particularly AI research and cloud computing. The research arm takes a deeper look at its associated technologies. Think Google but Chinese.

Continue reading

Nvidia reportedly prepares for un-Arm'd fight with rivals: $40bn takeover may be abandoned

Softbank, meanwhile, remains 'hopeful' it can offload Brit chip designer

Nvidia is quietly preparing to give up on the purchase of Arm, according to Bloomberg, after repeatedly butting heads with competition regulators amid a wave of opposition from the tech industry.

A report by the newswire states Nvidia privately told its partners it does not expect the Arm transaction to close. The report also claims Arm's current owner SoftBank is pressing ahead with an IPO of Arm.

The $40bn bid Nvidia lodged for Arm in September 2020 has proved controversial: Arm licences its chip designs to multiple clients and some felt that buying the company will give Nvidia the power to stifle competition.

Continue reading

Machine needs more Learning: Google Drive dings single-digit files for copyright infringement

If you're unable to share your files, this is probably why

Google last month announced plans to prevent customer files stored in Google Drive from being shared when the web giant's automated scanning system finds files that violate its abuse prevention rules.

"When [a file is] restricted, you may see a flag next to the filename, you won't be able to share it, and your file will no longer be publicly accessible, even to people who have the link," Google explained at the time.

That system is now up and running, just not very well: Google Drive's scanning system has been finding copyright violations where they do not exist and flagging innocuous files.

Continue reading

22-year-old Brit avoids US extradition over SIM-swapping conspiracy after judge deems him to be high suicide risk

Accused said to have suffered mental health problems from childhood

A Brit accused of taking part in a $8.5m SIM-swapping conspiracy has escaped extradition to the US after a judge agreed he was at high risk of suicide.

Corey De Rose walked free from Westminster Magistrates' Court after experts said long-standing mental health disorders and a history of self-harm and suicide attempts meant De Rose was likely to kill himself if extradited.

"This was not a case where the [requested person's] mental condition had only arisen after his arrest on the extradition request, as is often the case," observed District Judge Sarah-Jane Griffiths, handing down judgment [PDF] on Monday.

Continue reading