Netgear WNR3500Lv2

Netgear has issued patches that resolve a simple bug in the firmware of 20 different router models. The bug allows an attacker to expose the router's web panel admin password, which they can then use to take over the device.

Hijacked routers can easily be added to IoT botnets and used in DDoS attacks against any type of target, as happened at the end of 2016 with routers made by Speedport, Eir, D-Link, and Zyxel.

20 out of 31 Netgear routers received patches

According to Trustwave security researcher Simon Kenin, who discovered the bug, 31 Netgear router models are affected.

Kenin found the flaw in April 2016 and worked with Netgear for months to identify and fix all affected router models.

According to a security advisory issued by Netgear, the following router models have received firmware updates.

    R8500
    R8300
    R7000
    R6400
    R7300DST
    R7100LG
    R6300v2
    WNDR3400v3
    WNR3500Lv2
    R6250
    R6700
    R6900
    R8000
    R7900
    WNDR4500v2
    R6200v2
    WNDR3400v2
    D6220
    D6400
    C6300

The hardware vendor is still in the process of issuing patches for the remaining 11 router models, whose names have not been made public to avoid attempts from attackers to exploit and hijack customer devices.

Exploit code available online

Public exploit code [1, 2] has been available online since as early as 2014, but no one knew that with small modifications, the code could be adapted to target even more router models.

According to a technical blog post explaining the bug [CVE-2017-5521], an attacker can send a request to the passwordrecovered.cgi file of any Netgear router's web-based admin panel and the device will respond with the admin password in cleartext.

Hundreds of thousands of routers are vulnerable

Kenin says that over 10,000 Netgear routers are currently connected online with their web-based administration panel exposed, but hundreds of thousands more are sitting dormant on local networks.

These routers, too, can be hijacked if the attacker manages to launch the attack from a machine on the local network.

While this could mean infecting a computer and using it as a pivot point, there are other ways to attack routers in isolated networks, such as hiding exploits in JavaScript code delivered through malvertising.
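
One way to look for this request in network-sensor logs, as an added example that is not part of the original article or of Netgear's or Trustwave's material. It flags requests for passwordrecovered.cgi and separates outside clients, LAN hosts acting on their own, and LAN browsers sent there by a page from an outside origin. The log format, `SAMPLE_LOG`, and all function names are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sensor lines (hypothetical format): client METHOD url referer=<url|->
SAMPLE_LOG = """\
192.168.1.23 GET http://192.168.1.1/passwordrecovered.cgi referer=http://ads.example.net/banner.html
192.168.1.40 GET http://192.168.1.1/index.html referer=-
203.0.113.9 GET http://198.51.100.7/passwordrecovered.cgi referer=-
192.168.1.23 GET http://news.example.org/index.html referer=-
192.168.1.51 GET http://192.168.1.1/passwordrecovered.cgi referer=-
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) referer=(\S+)$")
TARGET = "/passwordrecovered.cgi"  # path named in the article
# Explicit RFC 1918 list: ipaddress.is_private also covers documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan(host):
    """True only for IP literals inside RFC 1918 space."""
    try:
        ip = ipaddress.ip_address(host or "")
    except ValueError:
        return False  # hostname or empty value
    return any(ip in net for net in RFC1918)

def classify(line):
    """Return a finding dict for a request to TARGET, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, _method, url, referer = m.groups()
    parts = urlsplit(url)
    if parts.path.lower() != TARGET:
        return None
    ref_host = None if referer == "-" else urlsplit(referer).hostname
    if not is_lan(client):
        kind = "wan-client"          # admin panel reachable from outside
    elif ref_host and not is_lan(ref_host):
        kind = "lan-browser-driven"  # outside page made a LAN browser ask
    else:
        kind = "lan-direct"          # LAN host asked on its own
    return {"client": client, "router": parts.hostname, "kind": kind}

def scan(text):
    return [f for f in map(classify, text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "lan-browser-driven" hit corresponds to the malvertising scenario above; the Referer header is only a heuristic, since browsers may omit it.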

Last month, the US Computer Emergency Readiness Team (CERT) warned users against using Netgear R6400 and R7000 routers, which were, at the time, affected by a similarly dangerous security flaw. Since then, Netgear has launched a bug bounty program to tackle security issues faster.