Netgear routers vulnerable to Mirai-style malware

Add Netgear routers to CCTV DVRs and routers from TalkTalk, Kcom, Home Telecom and Post Office Telecom on the Mirai risk list

Netgear routers are vulnerable to Mirai-style malware, warn researchers, due to a number of security flaws. The routers could therefore be compromised, taken over, and used in distributed denial of service (DDoS) attacks.

The finding comes after routers belonging to TalkTalk, Kcom, Home Telecom and Post Office Telecom were taken over in Mirai-style attacks late last year.

Simon Kenin, security researcher at Trustwave, said he uncovered the issue when attempting to discover his router password without

He had some limited success, until the router rebooted on its own. He was able to come away with a couple of intriguing snatches of information from the experience that he felt deserved more attention. One of them was a peach.

"I started looking up what [an] 'unauth.cgi' page could be, and I found 2 publicly disclosed exploits from 2014, for different models that manage to do unauthenticated password disclosure. Booyah! Exactly what I need," he said.

Kenin then checked another Netgear router that he had and checked to see if the vulnerability worked on that too, and it did.

"I started asking people I knew if they have Netgear equipment so I could test further to see the scope of the issue. In order to make life easier for non-technical people I wrote a python script called netgore, similar to wnroast, to test for this issue," he added.

"As it turned out, I had an error in my code where it didn't correctly take the number from unauth.cgi and passed gibberish to passwordrecovered.cgi instead, but somehow it still managed to get the credentials… I found that the very first call to passwordrecovered.cgi will give out the credentials no matter what the parameter you send. This is a totally new bug that I haven't seen anywhere else. When I tested both bugs on different Netgear models, I found that my second bug works on a much wider range of models."

Trustwave told Netgear about this in April 2016, informing the company that it had picked up the problem on 16 models. A patch was issued in June, but Trustwave found it lacking, telling Netgear that its tests found that the issue still applied on some models.

It contacted the firm asking for an explanation and then sat back, taking deep breaths and getting ready to do a responsible disclosure on this. In the end, Netgear did something that appeased the firm, and we have something of an awkward happily-ever-after ending.

"Luckily Netgear did eventually get back to us right before we were set to disclose these vulnerabilities publicly. We were a little sceptical since our experience to date matched that of other third-party vulnerability researchers that have tried to responsibly disclose to Netgear only to be met with frustration," he said.

"Two changes helped sway our opinion. The first was that Netgear committed to pushing out firmware to the currently unpatched models on an aggressive timeline. The second change made us more confident that Netgear was not just serious about patching these vulnerabilities, but serious about changing how they handle third-party disclosure in general."

This should be the end, but there is a twist in the tale. Kenin reckons that if you extrapolate the issue, you arrive at nightmare figures and a very significant threat.

"We have found more than ten thousand vulnerable devices that are remotely accessible. The real number of affected devices is probably in the hundreds of thousands, if not over a million," adds Kenin in his blog.

"Anyone with physical access to a network with a vulnerable router can exploit it locally. This would include public wifi spaces like cafés and libraries using vulnerable equipment. As many people reuse their password, having the admin password of the router gives us an initial foothold on the network. We can see all the devices connected to the network and try to access them with that same admin password."
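The two endpoints Kenin names, unauth.cgi and passwordrecovered.cgi, are also what a defender would watch for on a router's web interface: any successful hit on passwordrecovered.cgi is a likely credential disclosure, and his finding that the very first call succeeds "no matter what the parameter" means a hit with no preceding unauth.cgi token exchange is just as serious. The log monitor below is an added example written for this article; it is not Trustwave's netgore script or any Netgear tool. It assumes the router's HTTP server writes Common Log Format lines (the sample lines, source addresses and timestamps are constructed) and treats only the RFC 1918 ranges as local, so the "remote" flag reflects the remotely accessible devices Kenin counts rather than any real reachability test.

```python
import ipaddress
import re

# Constructed sample access-log lines in Common Log Format; not real router logs.
SAMPLE_LOG = """\
192.0.2.10 - - [30/Jan/2017:10:01:02 +0000] "GET /unauth.cgi HTTP/1.1" 401 350
192.0.2.10 - - [30/Jan/2017:10:01:03 +0000] "GET /passwordrecovered.cgi?id=12345 HTTP/1.1" 200 812
198.51.100.7 - - [30/Jan/2017:10:05:44 +0000] "GET /passwordrecovered.cgi?id=zzzz HTTP/1.1" 200 812
10.0.0.23 - - [30/Jan/2017:10:06:30 +0000] "GET /passwordrecovered.cgi?id=77 HTTP/1.1" 403 120
203.0.113.5 - - [30/Jan/2017:10:07:10 +0000] "GET /index.htm HTTP/1.1" 200 4096
"""

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Endpoints named in the article; the recovery flow goes unauth.cgi -> passwordrecovered.cgi.
RECOVERY_PAGES = {"/unauth.cgi", "/passwordrecovered.cgi"}

# Assumption: only RFC 1918 space counts as the local LAN side of the router.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def is_remote(ip):
    """True when the source address is outside the assumed local ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable source: treat as untrusted
    return not any(addr in net for net in LOCAL_NETS)


def find_recovery_probes(log_text):
    """Return one alert dict per request to the password-recovery pages.

    Severity follows the article's description of the bug:
      - unauth.cgi hit: someone is starting the recovery flow (medium)
      - passwordrecovered.cgi returning 200: credentials likely disclosed (high);
        if the same source never touched unauth.cgi first, that matches the
        'no matter what the parameter' behaviour and is noted explicitly
      - passwordrecovered.cgi returning anything else: attempt denied (low)
    """
    alerts = []
    seen_unauth = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in RECOVERY_PAGES:
            continue
        ip = rec["ip"]
        if rec["path"] == "/unauth.cgi":
            seen_unauth.add(ip)
            severity, note = "medium", "recovery-flow-probe"
        elif rec["status"] == 200:
            severity, note = "high", "credentials-likely-disclosed"
            if ip not in seen_unauth:
                note += ",no-prior-unauth"
        else:
            severity, note = "low", "recovery-attempt-denied"
        alerts.append({
            "ip": ip,
            "time": rec["ts"],
            "path": rec["path"],
            "status": rec["status"],
            "severity": severity,
            "note": note,
            "remote": is_remote(ip),
        })
    return alerts


if __name__ == "__main__":
    for a in find_recovery_probes(SAMPLE_LOG):
        print(f'{a["severity"]:6} {a["ip"]:15} remote={a["remote"]!s:5} {a["path"]} {a["status"]} {a["note"]}')
```

Feed it the router's access log (or a syslog export of it) on a schedule; a high-severity alert from a remote source is the case the article warns about, while the same alert from a LAN address corresponds to Kenin's point that anyone on the local network, a café or library Wi-Fi included, can do the same. After any high alert the admin password should be treated as exposed and changed, along with any other account that reused it.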