Microsoft reveals authentication failures, system hijack vulnerabilities in Netgear routers

Microsoft says the bugs could have allowed “attackers to roam untethered through an entire organization.”

Microsoft has disclosed a series of vulnerabilities in Netgear routers which could lead to data leaks and full system compromise.

On June 30, Jonathan Bar Or, a member of Microsoft's 365 Defender Research Team, revealed the vulnerabilities, which were patched prior to public disclosure. 

Bar Or said that the trio of bugs impacted DGN-2200v1 series routers -- running firmware prior to v1.0.0.60 -- which "opened the gates for attackers to roam untethered through an entire organization."

Microsoft's security team discovered the vulnerabilities after noting strange behavior in the router's management port. While communication was protected with TLS encryption, it was still flagged as an anomaly when machine learning models were applied. 

Upon further investigation of the router firmware, the security researchers found three HTTPd authentication flaws. 

The first allowed the team access to any page on a device -- including those that should require authentication, such as router management pages -- by appending GET variables in requests within substrings, allowing a full authentication bypass. 

The second security flaw permitted side-channel attacks, and this was found in how the router verified users via HTTP headers. If exploited, attackers could extract stored credentials. 

Finally, the third vulnerability utilized the prior authentication bypass bug to extract the router's configuration restore file which was encrypted using a constant key, "NtgrBak," allowing remote attackers to decrypt and extract stored secrets. 

Netgear was made aware of the security issues privately through the Microsoft Security Vulnerability Research (MSVR) program. 

The firmware vulnerabilities have been patched by Netgear, which issued a security advisory in December detailing the security flaws. The bugs have been assigned as PSV-2020-0363, PSV-2020-0364, and PSV-2020-0365 and have been issued CVSS severity scores of between 7.1 and 9.4, rating them critical. 

Netgear recommends that customers install the latest firmware available for their routers by visiting Netgear Support, typing their model number into the search box, and downloading the newest firmware version. Alternatively, updates can be accessed via Netgear apps. 

"The rising number of firmware attacks and ransomware attacks via VPN devices and other internet-facing systems are examples of attacks initiated outside and below the operating system layer," Microsoft says. "As these types of attacks become more common, users must look to secure even the single-purpose software that run their hardware -- like routers."

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0