Netgear moves to plug vulnerability in routers after researchers find zero-day

A newly discovered software vulnerability could allow hackers to remotely exploit home internet routers, offering a foothold for breaking into the devices running on those networks.

Researchers say the flaw in routers made by Netgear — revealed this week by cybersecurity company GRIMM and Trend Micro’s Zero Day Initiative (ZDI) — underscores the long-running challenge of improving security in a market that prizes affordable and functional networking equipment. Netgear told CyberScoop on Wednesday that it was close to releasing a patch for the vulnerability.

The flaw affects how Netgear devices handle incoming data and could let hackers, under certain conditions, bypass the router’s authentication process using a software exploit. The router could then be a pathway to other devices, such as a laptop housing sensitive work information. (Breaking into the laptop would likely require an additional exploit.)

The findings show how the potential impact of a bug can grow as investigations proceed. Researchers initially singled out two versions of Netgear routers as vulnerable. But Adam Nichols, GRIMM’s principal of software security, said his team found a vulnerable copy of a web server on the router in 79 different Netgear devices. The bug, they say, affects versions of Netgear firmware dating to 2007.

“While modern software development processes have vastly improved the quality of commercial software as compared to 10-15 years ago, consumer network devices have largely been left behind,” Nichols wrote in a blog discussing the vulnerability.

‘A perfect storm’

The surge in telework during the coronavirus pandemic has meant more business data stored on home networks, raising the stakes for the security of those networks.

“With the increased number of people working from home during the pandemic, the wide number of models containing this vulnerability and the lack of exploit mitigations in this vendor’s products have come together in a perfect storm,” Nichols told CyberScoop.

Sandeep Harpalani, vice president of product management at Netgear, said the vendor was preparing to release a patch as well as an advisory on what customers can do to protect themselves. The advisory could come later Wednesday, but the patch has taken longer than expected because of the pandemic, he said.

“It is a top priority, it’s just with the current situation in terms of COVID-19 … it has impacted us, just as it’s impacted everybody else,” Harpalani said. “Debugging has taken much longer than what we would typically expect, but we are still pretty close [to releasing a patch].”

A malicious attacker would first need to gain access to the router to exploit it, Harpalani said, adding that there have been no reports of malicious exploitation.

But Nichols said that in some cases, a hacker wouldn’t need to be on a WiFi network to launch an attack. “Instead, they can serve malicious javascript that causes the user’s browser to launch the attack,” he said.

ZDI researchers say they reported the bug to Netgear in January. They held off for weeks on publishing their analysis so that Netgear could address the issue. After Netgear requested multiple extensions for releasing a fix, ZDI published their findings on Monday to raise awareness of the bug.

Netgear is not the only router vendor whose code researchers are poring over during the pandemic. Last week, security company Palo Alto Networks revealed six vulnerabilities in routers made by Taiwanese manufacturer D-Link that could have allowed hackers to steal passwords and other sensitive data. D-Link issued a patch for the bugs.