A series of security flaws were recently discovered by Microsoft in Netgear routers. The flaws could lead to data leaks and full system takeovers. Fortunately, the vulnerabilities were patched prior to public disclosure.
How Microsoft discovered the Netgear firmware vulnerabilities
Apparently, Microsoft “discovered the vulnerabilities while researching device fingerprinting in the new device discovery capabilities in Microsoft Defender for Endpoint.” During this research, the company observed “a very odd behavior” involving a device owned by a non-IT employee: the device was trying to access the management port of a NETGEAR DGN-2200v1 router.
“The communication was flagged as anomalous by machine learning models, but the communication itself was TLS-encrypted and private to protect customer privacy, so we decided to focus on the router and investigate whether it exhibited security weaknesses that can be exploited in a possible attack scenario,” Microsoft explained.
During its investigation of the router firmware, the OS maker discovered three authentication flaws in the router’s HTTPd.
The first vulnerability allowed access to any page on the device, including pages that require authentication. Placing particular substrings in a request’s GET variables caused the router to skip its authentication check, resulting in a full authentication bypass.
The second vulnerability was a side channel in the way the router verified user credentials supplied in HTTP headers. This bug could allow attackers to extract stored user credentials.
The last flaw chained the authentication bypass to retrieve the router’s configuration restore file, which was encrypted with a constant key. This could allow remote attackers to decrypt the file and extract the secrets stored in it.
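As an added illustration of the first two flaw classes described above (constructed example code, not Netgear’s firmware and not Microsoft’s research code), the following Python shows a request gate that decides whether authentication is required by substring-matching the whole URL, next to a hardened version that decides on the normalized path only, and an early-exit credential comparison next to a constant-time one. The public prefixes, the sample token and the handler names are assumptions made for the demo.

```python
import hmac
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed sample credential for the demo only; a real device would hold
# a per-user secret, never a literal in source code.
VALID_TOKEN = "example-session-token"

# Assumption: static assets under these prefixes, and these exact pages,
# are served without authentication.
PUBLIC_PREFIXES = ("/images/", "/css/", "/js/")
PUBLIC_PATHS = {"/", "/login.html"}


def vulnerable_needs_auth(url: str) -> bool:
    """Flaw pattern: the allowlist is a substring test on the whole request URL.

    Any request that contains one of the markers anywhere, including inside
    its GET variables, is treated as a public static asset and the
    authentication check is skipped.
    """
    for marker in (".jpg", ".gif", ".css"):
        if marker in url:
            return False
    return True


def hardened_needs_auth(url: str) -> bool:
    """Decide on the decoded, normalized path only; the query string never
    participates, and dot segments cannot escape a public prefix."""
    path = posixpath.normpath(unquote(urlsplit(url).path))
    if path in PUBLIC_PATHS:
        return False
    return not any(path.startswith(prefix) for prefix in PUBLIC_PREFIXES)


def vulnerable_check_token(presented: str) -> bool:
    """Flaw pattern: byte-by-byte comparison that stops at the first mismatch.

    The time taken grows with the number of leading characters that match,
    which is the timing side channel a remote caller can measure.
    """
    if len(presented) != len(VALID_TOKEN):
        return False
    for a, b in zip(presented, VALID_TOKEN):
        if a != b:
            return False
    return True


def hardened_check_token(presented: str) -> bool:
    """Constant-time comparison: running time does not depend on how many
    leading bytes of the presented value happen to be correct."""
    return hmac.compare_digest(presented.encode(), VALID_TOKEN.encode())


def handle_request(url: str, headers: dict) -> int:
    """Return an HTTP status code for a request using the hardened checks.

    Assumed convention: the credential arrives in the Authorization header.
    """
    if hardened_needs_auth(url):
        token = headers.get("Authorization", "")
        if not hardened_check_token(token):
            return 401
    return 200


if __name__ == "__main__":
    # A protected page with a marker placed in a GET variable slips past the
    # substring gate but is still gated by the path-based check.
    probe = "/setup.cgi?next=.jpg"
    print("substring gate requires auth:", vulnerable_needs_auth(probe))   # False
    print("path gate requires auth:     ", hardened_needs_auth(probe))     # True
    print("no credential:", handle_request("/setup.cgi", {}))              # 401
    print("valid credential:",
          handle_request("/setup.cgi", {"Authorization": VALID_TOKEN}))    # 200
```

The two hardened functions make the same decisions as the vulnerable ones for well-formed requests; the difference is only that the path gate ignores everything after `?` and resolves `..` before matching, and that `hmac.compare_digest` removes the correlation between response time and the number of correct leading bytes.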
The findings were disclosed to Netgear via Microsoft Security Vulnerability Research. Both companies cooperated to provide advice on mitigating the flaws “while maintaining backward compatibility.”
Netgear has since fixed the critical bugs, which carry CVSS scores ranging from 7.1 to 9.4.
In 2020, a severe security vulnerability that could give attackers remote control was found to affect 758 firmware versions used across 79 Netgear router models.
The flaw was discovered by two cybersecurity researchers: Adam Nichols from GRIMM and d4rkn3ss from the Vietnamese ISP VNPT. Notably, the two researchers made the discovery independently, and both said they reported the vulnerability to Netgear at the beginning of 2020.