Microsoft researchers have disclosed multiple authentication bypass vulnerabilities in Netgear routers. The vulnerabilities make it possible to take total control of the router and to access its credentials. They were disclosed to the public after Netgear had patched the flaws. Jonathan Bar Or, a member of the Microsoft 365 Defender Research team, made the vulnerabilities public. The vulnerabilities affect DGN2200v1 series routers running firmware versions before v188.8.131.52.
The investigation began while Microsoft researchers were exploring device fingerprinting and noticed odd behavior: a device owned by non-IT personnel was attempting to access the management port of a Netgear DGN2200v1 router.
It is high time to develop proactive strategies to withstand increasingly evolving cybersecurity threats. LIFARS offers several services, such as comprehensive gap assessment, penetration testing, threat hunting, red-teaming, vulnerability assessment, and many more.
Unpacking the Research
Researchers downloaded the firmware for the device from the Netgear website to investigate why an arbitrary device was attempting to interface with the router's management port. They found that the odd communication used the standard port served by HTTPd. As part of their testing, they analyzed the firmware by running it under QEMU, an open-source emulator and virtualizer.
The investigation led to the discovery of three HTTPd authentication flaws. The first flaw allowed the team to access any page on a device, including pages that should require authentication, such as the router management pages. Appending GET variables with the relevant substrings to a request was enough for a complete authentication bypass.
Researchers then took a deeper look at how the authentication was implemented, which led them to the second security flaw. The team found that router credentials could also be extracted, because the second flaw allowed cryptographic side-channel attacks.
Finally, the research team came across the third flaw, which the first authentication bypass bug made reachable. By using the router's configuration backup feature, the third flaw allowed the username and password to be extracted.
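The class of flaw described above, as an added example that is not code from the router firmware, from Netgear or from the Microsoft research: a check that looks for a "static file" substring anywhere in the request target, beside one that strips the query string and matches the path exactly. The function names, markers, paths and sample requests are all constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed values: substrings the weak check treats as "static file". */
static const char *const MARKERS[] = { ".gif", ".css" };
/* Constructed values: the only paths the strict check serves without login. */
static const char *const PUBLIC_PATHS[] = { "/logo.gif", "/style.css" };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Weak (hypothetical): searches the whole target, query string included,
 * so a GET variable containing a marker switches authentication off. */
bool needs_auth_weak(const char *target)
{
    for (size_t i = 0; i < COUNT(MARKERS); i++)
        if (strstr(target, MARKERS[i]) != NULL)
            return false;
    return true;
}

/* Strict (hypothetical): ignore everything from '?' or '#' onward and
 * require an exact path match; anything else needs a login. */
bool needs_auth_strict(const char *target)
{
    size_t path_len = strcspn(target, "?#");
    for (size_t i = 0; i < COUNT(PUBLIC_PATHS); i++)
        if (strlen(PUBLIC_PATHS[i]) == path_len &&
            memcmp(target, PUBLIC_PATHS[i], path_len) == 0)
            return false;
    return true;
}

int main(void)
{
    /* Constructed request targets. */
    const char *samples[] = {
        "/logo.gif", "/logo.gif?v=2", "/settings.htm",
        "/settings.htm?x=.gif", "/logo.gif/settings.htm",
    };
    for (size_t i = 0; i < COUNT(samples); i++)
        printf("%-26s weak_auth=%d strict_auth=%d\n", samples[i],
               needs_auth_weak(samples[i]), needs_auth_strict(samples[i]));
    return 0;
}
```

Any row where the weak check returns 0 and the strict check returns 1 is a page that should have required a login but was served without one.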
Microsoft Research Team Reported the Vulnerabilities to Netgear
Microsoft had privately shared the authentication bypass vulnerabilities with Netgear long before the disclosure. In December 2020, Netgear issued a security advisory regarding the security flaws after patching the firmware vulnerabilities. Netgear tracks the bugs as PSV-2020-0365, PSV-2020-0364, and PSV-2020-0363. The CVSS severity scores of the vulnerabilities range between 7.4 and 9.4.
This is not the first time researchers have found vulnerabilities in Netgear routers. A year ago, researchers uncovered an unpatched zero-day vulnerability in its firmware. The flaw exposed 79 Netgear device models to the risk of a complete takeover. However, the company decided to leave 45 models unpatched because those models had become obsolete.
The growing number of cyberattacks targeting authentication bypass vulnerabilities in the devices we use every day makes one thing clear: keep all devices and apps updated to their latest versions. You are also welcome to consult LIFARS about our cybersecurity advisory and consulting services.