Heimdal
article featured image

Contents:

The team discovered the flaws in NETGEAR DGN-2200v1 series routers while they were conducting an investigation on device fingerprinting. The researchers warned that exploitation of these vulnerabilities could result in identity theft and full system compromise.

Tracked as PSV-2020-0363, PSV-2020-0364, and PSV-2020-0365, they range in CVSS rating from high (7.4) to critical (9.4). Microsoft reported the discovery to NETGEAR, which has released a security advisory patching the flaws.

According to Microsoft’s Jonathan Bar Or, exploits for these firmware vulnerabilities can compromise a network’s security, making way for threat actors to roam free through an entire organization.

We noticed a very odd behavior: a device owned by a non-IT personnel was trying to access a NETGEAR DGN-2200v1 router’s management port. The communication was flagged as anomalous by machine learning models, but the communication itself was TLS-encrypted and private to protect customer privacy, so we decided to focus on the router and investigate whether it exhibited security weaknesses that can be exploited in a possible attack scenario.

Source

As Security Week reported, the team managed to document side-channel attack scenarios and authentication bypass exploits that allowed the retrieval of secrets stored in the NETGEAR routers.

“Routers are integral to networking, so it is important to secure the programs supporting its functions”, Bar Or added.

The researchers performed a static analysis of the HTTPd binary and dynamic analysis. Eventually, they found some “pseudo-code” as the first-page handling code inside HTTPd, automatically approving certain pages such as “form.css“ or “func.js.”

Netgear Pseuedo-code-in-HTTPd heimdal security

Image Source: Microsoft

Usually, this would not be a problem. However, “one thing that stood out was the fact that NETGEAR decided to use strstr to check if a page has “.jpg”, “.gif” or “ess_” substrings, trying to match the entire URL” Bar said. This meant that by appending a GET variable with the relevant substring (such as “?.gif”), the researchers could access any page on the device, including those requiring authentication.

The team decided to dig even deeper to see how the authentication was implemented. They found out that router credentials could also be gained using a side-channel attack.

Netgear Microsoft Authentication-process heimdal security

Image Source: Microsoft

Ultimately, the researchers wanted to see if they could recover the user name and password used by the router by another existing weakness. They focused on the device’s backup and restore feature, and by reverse-engineering the functionality, they found that it was possible.

After some preparatory steps, the contents are DES-encrypted with a constant key “NtgrBak”. This allows an attacker to get the plaintext password (which is stored in the encrypted NVRAM) remotely. The user name, which can very well be variations of ‘admin’, can be retrieved the same way.

Source

The discovery of these security holes comes less than a week after Eclypsium, a U.S. company that addresses firmware security threats, revealed several high-severity firmware vulnerabilities that expose millions of Dell computers to stealthy attacks. The Dell SupportAssist vulnerabilities were allowing attackers to remotely execute code within the BIOS of impacted devices.

Recently, Microsoft has made firmware and IoT security a priority, with two strategic acquisitions – Refirm Labs and CyberX, both meant to support the tech giant’s ability to pinpoint and fix weak links at the firmware layer.

Author Profile

Cezarina Dinu

Head of Marketing Communications & PR

linkedin icon

Cezarina is the Head of Marketing Communications and PR within Heimdal® and a cybersecurity enthusiast who loves bringing her background in content marketing, UX, and data analysis together into one job. She has a fondness for all things SEO and is always open to receiving suggestions, comments, or questions.

Leave a Reply

Your email address will not be published. Required fields are marked *

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE