Netgear is pushing out a patch for routers affected by a major security flaw that has experts suggesting users abandon Netgear routers completely.
The vulnerability lies in the way certain Netgear routers implement their web servers: an unauthenticated user can inject commands that run with root privileges, essentially taking over the device and executing arbitrary code.
Travis Smith, senior security research engineer at Tripwire Inc., based in Portland, Ore., said this was a very dangerous flaw.
"Vulnerabilities which allow remote code execution over the internet are more serious than, say, a privilege escalation vulnerability, which only works with physical access to a device," Smith told SearchSecurity. "By having root-level privileges, an attacker could conceivably do anything they wish to the device, including monitoring communications or using the device as a pivot point to attack devices on the internal side of the network."
A hacker named Acew0rm publicly disclosed a proof-of-concept exploit for the issue, which prompted the CERT Software Engineering Institute at Carnegie Mellon University to suggest extreme mitigation methods.
"Enabling remote administration allows affected routers to be exploited via direct requests from the WAN. As such, users are strongly advised to leave remote administration disabled, or disable it if it has been enabled previously," the CERT advisory read. "Exploiting these vulnerabilities is trivial. Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available."
Brian Laing, vice president at Lastline, based in Redwood City, Calif., said he would add on to the CERT recommendations.
"We would recommend following the CERT advice, with extra consideration to be given to disabling and replacing the routers," Laing told SearchSecurity. "Given both the lack of vigor in security design and testing, coupled with the lackluster response by Netgear in remediating the major security hole once it was identified, it calls to question the dependability of Netgear as a security-competent vendor altogether."
Netgear's security practices have come under question because Acew0rm claimed to have disclosed the issue to Netgear on Aug. 25 of this year, with no response, and it wasn't until the exploit code was released and the CERT advisory posted that Netgear posted its own advisory and promised a fix. A beta version of the patch was released Tuesday.
Acew0rm claimed the fix would only require "a line or two of code," but Smith said the Netgear security patch wouldn't be so easy to implement.
"Regarding a fix to a critical system, such as a wireless router, it may be trivial to add a line or two of code to fix a vulnerability. The complexity comes in testing the fix to make sure that it not only fixes the vulnerability, but also does not introduce any new ones or break existing functionality," Smith said. "What seems like an easy fix can require downstream code changes, which may necessitate redesigning the entire system."
Laing was disappointed in Netgear's response.
"We can only be left with speculation as to why it would take Netgear this long to address such a critical security hole in a key set of products such as this and with beta code even at the four-month mark," Laing said. "Considering the gravity of the security flaw, this is terribly concerning."