Easy-to-exploit authentication bypass flaw puts Netgear routers at risk

February 1, 2017 – 4:02 PM

For the past half year Netgear has been working on fixing a serious and easy-to-exploit vulnerability in many of its routers. And it’s still not done.

While Netgear has worked to fix the issue, the list of affected router models has grown to 30, of which only 20 have firmware fixes available to date. A manual workaround is available for the rest.

The vulnerability was discovered by Simon Kenin, a security researcher at Trustwave, and stems from a faulty password recovery implementation in the firmware of many Netgear routers. It is a variation of an older vulnerability that has been publicly known since 2014, but this new version is actually easier to exploit.

In January 2014, a researcher found that he could trick the web-based management interface of Netgear WNR1000v3 routers to disclose the admin’s password. The exploit involved passing a numerical token obtained from one script called unauth.cgi to another called passwordrecovered.cgi. Neither of them required authentication to access.

Last year, Kenin came across this old exploit when he wanted to break into his own router — a different Netgear model — and realized that it worked. The researcher decided to write a script to automate the exploit so that other people could test their own router models, but due to a programming error the script didn’t pass the correct token to passwordrecovered.cgi. Yet the exploit still worked.


Widely used WebEx plugin for Chrome will execute attack code

January 23, 2017 – 9:20 PM

The Chrome browser extension for Cisco Systems’ WebEx communications and collaboration service was just updated to fix a vulnerability that leaves all 20 million users susceptible to drive-by attacks that can be carried out by just about any website they visit.

A combination of factors makes the vulnerability one of the most severe in recent memory. First, WebEx is largely used in enterprise environments, which typically have the most to lose. Second, once a vulnerable user visits a site, it’s trivial for anyone with control of it to execute malicious code with little sign anything is amiss. The vulnerability and the resulting patch were disclosed in a blog post published Monday by Tavis Ormandy, a researcher with Google’s Project Zero security disclosure service.

All that’s required for a malicious or compromised website to exploit the vulnerability is to host a file or other resource that contains the string “cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html” in its URL. That’s a “magic” pattern the WebEx service uses to remotely start a meeting on visiting computers that have the Chrome extension installed. Ormandy discovered that any visited website can invoke the command not just to begin a WebEx session, but to execute any code or command of the attacker’s choice. To make the exploit more stealthy, the string can be loaded into an HTML-based iframe tag, preventing the visitor from ever seeing it.


Choosing a Strong Password in 2017

January 14, 2017 – 7:17 AM

Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.

If you value your privacy, you must learn how passwords work, how the attacks that attempt to break them work and finally how to choose a strong password that won’t break no matter what you throw at it.

Most people don’t have a proper system for managing passwords. They pick the easiest password that they can remember and probably reuse it in multiple places. In this tutorial we’ll take a look at why this needs to change and how to replace this ad hoc process with a secure and more convenient approach.


The worst passwords of 2016 are as lazy as ever

January 14, 2017 – 7:00 AM

It seems that password security simply doesn’t work.

Many of us rely on simple, easy-to-remember strings of characters, including keyboard sequences such as “1234567” or “qwertyu.”

While these strings are easy for you to remember, they are also no trouble at all for attackers, who need only brute-force hacking techniques — or little more than a guess or two — to compromise your online accounts and take over your digital identity.

Online vendors and agencies are getting up to speed with these practices and now often offer or require two-factor authentication which connects a mobile phone to your account — or will ban soft, easy passwords like this altogether.

But while many are, many are not — and it is both companies and individuals that are at fault for lax security at the first stage.

According to Keeper Security’s annual list of commonly used passwords, we still haven’t got the message.

The security company’s researchers were left shaking their heads in despair as they discovered that the most common passwords used to protect our accounts have not changed much at all — and “123456” is still very much in existence.

The company scoured through 10 million passwords that became public over the year as a result of data breaches.

Keeper Security found that almost 17 percent of users insisted on using “123456” to ‘protect’ their accounts from intrusion, while “123456789,” “qwerty” and “password” also make an appearance in the top 25 worst passwords found — which, sadly, are also the most common.


CERT advises users to ‘discontinue use’ of two Netgear routers due to major security flaw

December 10, 2016 – 7:32 PM

In a major setback for Netgear, it appears that at least two of its high-end routers may contain a severe security flaw according to an advisory issued by CERT.

The vulnerability itself is incredibly easy to leverage and simply relies upon accessing a specially crafted URL in the following format from the local network:

http://<router_IP>/cgi-bin/;COMMAND

The above will result in a command injection attack via the router’s web interface which will execute arbitrary commands with root privileges. Notably, the attack can be initiated remotely by an attacker who manages to fool a local user into clicking on a malicious URL hidden behind a shortened link. Otherwise, a nefarious user already on the local network can craft and visit a URL of their choice in order to achieve the same outcome.

So far, the two routers that have been confirmed to be susceptible to this vulnerability are:

  • Netgear R6400 with firmware version (and possibly earlier)
  • Netgear R7000 with firmware version (and possibly earlier)

While unconfirmed by CERT, one Reddit user indicated that their Netgear R8000 router was also affected by the flaw, which means that the list of impacted hardware may well expand over the coming days.
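As a defender’s log-triage example added here (not code from CERT, Netgear, Cisco or either write-up), the following script scans web-server or proxy access lines in Common Log Format for the two URL patterns quoted above: the Netgear /cgi-bin/;COMMAND path from the CERT advisory and the WebEx magic file name from Ormandy’s disclosure. The log lines are constructed samples, and the rule names are my own.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format sample (not real traffic).
SAMPLE_LOG = """\
192.168.1.20 - - [10/Dec/2016:19:32:01 +0000] "GET /cgi-bin/;COMMAND HTTP/1.1" 200 12
192.168.1.21 - - [10/Dec/2016:19:32:05 +0000] "GET /index.html HTTP/1.1" 200 5120
192.168.1.22 - - [10/Dec/2016:19:32:09 +0000] "GET /cgi-bin/%3BCOMMAND HTTP/1.1" 200 33
10.0.0.5 - - [23/Jan/2017:21:20:00 +0000] "GET /x/cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html HTTP/1.1" 200 77
10.0.0.6 - - [23/Jan/2017:21:20:03 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 256
"""

# The magic file name quoted in the WebEx write-up above.
WEBEX_MAGIC = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"

# Minimal Common Log Format parser: client IP plus the request method and URL.
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*"')

# Netgear pattern from the CERT advisory: a path of the form /cgi-bin/;COMMAND.
NETGEAR_RE = re.compile(r"^/cgi-bin/;")

def classify(url):
    """Return the (hypothetical) rule name a request URL triggers, or None."""
    decoded = unquote(url)            # normalise percent-encoding before matching
    path = decoded.split("?", 1)[0]   # the Netgear check is on the path only
    if NETGEAR_RE.match(path):
        return "netgear-cgi-bin-command-injection"
    if WEBEX_MAGIC in decoded:        # the WebEx string may sit anywhere in the URL
        return "webex-magic-url"
    return None

def scan_log(text):
    """Return (client_ip, rule, url) for every request line that matches a rule."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue                  # skip lines that are not CLF requests
        rule = classify(m.group("url"))
        if rule:
            hits.append((m.group("ip"), rule, m.group("url")))
    return hits

if __name__ == "__main__":
    for ip, rule, url in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{rule}\t{url}")
```

A hit on the Netgear rule from an internal address is the local-network case the advisory describes; a hit on the WebEx rule in a proxy log identifies which user visited a page carrying the magic string.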