Netgear: Authentication Bypass Vulnerability

The Netgear authentication bypass vulnerability was the susceptibility identified on the Netgear devices before version 1.0.0.32 that has incorrect access control. As the ok value of the auth cookie is a exceptional case that allows remote attackers to bypass authentication mechanisms via unspecified vectors. This lets an attacker login to the admin panel with the user of his choice. The user may be the one with the highest privileges or may not exist as well. However, it’s a highly critical vulnerability and needs to be patched swiftly.

Vulnerabilities identified by Microsoft were tracked as PSV-2020-0363, PSV-2020-0364, and PSV-2020-0365 by Netgear. The three vulnerabilities in Netgear switches that were discovered by the Polish security researchers are codenamed Demon’s Cries, Draconian Fear, and Seventh Inferno. The first one is the most severe, with the severity rating 9.8 of 10 on the CVSSv3 scale and it’s used to alter the initial authentication and change the admin account password for affected Netgear switches. While the Draconian Fear vulnerability is less severe and it’s exploited to hijack only logged-in admin sessions.

Through this authentication bypass, the crook gains access to services, devices and thus can access protected data without authentication ever having taken place. This being the main security flaw, can also grant the hackers permission to remotely install malware on the Netgear router which compromises internet traffic flowing through local Wi-Fi networks and can ease the process of stealing sensitive information including passwords, bank details, etc. An attacker exploits these flaws to bypass authentication for the router’s management pages and take over the router. This sort of attack is very threatening for firms as it can lead to the compromise of a network allowing threat actors to breach the target’s infrastructure.

The affected Netgear models includes-

GC108P, GC108PP, GS108Tv3, GS110TPP, GS110TPv3, GS110TUP, GS308T, GS310TP GS710TUP, GS716TP, GS716TPP, GS724TPP, GS724TPv2, GS728TPPv2, GS728TPv2, GS750E, GS752TPP, GS752TPv2, MS510TXM, MS510TXUP,AC2100, AC2400, AC2600, D7000v1, R6220, R6230, R6260, R6330, R6350, R6700v2, R6800, R6850, R6900v2, R7200, R7350, R7400, R7450, DGN1000v3, DGN2200v1, DGN2200v3, DGN2200V4, WGR614v10, WNR1000v2, WNR1000v3, WNR1000v4 etc.

Moreover, as many reuse their password, having the admin password of the router gives an initial space on the network through which one can view and access all the devices with the same admin password connected to the network. With the help of malware like the Mirai botnet, it’s also possible to infect the vulnerable routers and consequently use them as bots too. Otherwise, the DNS could be easily altered to a wretched one to further infect the systems on the network.

Thus, it's highly recommended to all NETGEAR users take the equipment test to check if they are vulnerable and apply a patched firmware if found to be. In addition to it download the latest firmware as briskly as possible as per your model. Keeping Netgear devices up to date stands important because the firmware updates contain security fixes, bug fixes, and advanced features for your products and thus reduces the chances of devices being affected. Also updating through the app service provided by Netgear is much easier if the particular model is being supported by the application. Ensure your Wi-Fi security is ON to prevent unauthorized devices from joining your network and make Remote management OFF in order to prevent unauthorized devices from accessing your network through WAN. Finally, check for email notifications from Netgear for recent information regarding firmware.

For more information visit us on: www.nexixsecuritylabs.com

To schedule an audit you can contact us on: contact@nexixsecuritylabs.com

Your Security | Our Concern