10000 routers attacked through unpatched Netgear DNS vulnerability

Vulnerabilities in several Netgear SOHO (small office/home office) routers, discovered by security researchers at Shell Shock Labs and Compass Security, have been exploited in the wild, allowing attackers to redirect users' web traffic through their own servers by altering the routers' DNS settings. This came after Compass researchers had informed Netgear that their 90-day disclosure deadline would expire this month. Affected models include the JNR1010v2, WNR614, WNR618, JWNR2000v5, WNR2020, JWNR2010v5, WNR1000v4 and WNR2020v2.

Netgear has confirmed that patched firmware for the affected devices will arrive on October 14. The company had acknowledged the problem at the beginning of September, but at that point had not indicated when, or if, there would be a public release. The IP address of one of the command-and-control servers the victim's traffic was being sent to was then provided to Compass for further scrutiny. The wider problem is not confined to Netgear: some vendors have built excessive features into their gear that are largely insecure, guarded by weak or non-existent default credentials or by shoddy encryption.

If these two conditions are met, save and unzip the downloaded archive, log in to the router's administration page (it should prompt for the username and password), and go to Advanced > Administration > Firmware Upgrade. Then click "Browse", navigate to and select the newly extracted .img file, click "Upload", and wait while the router prepares and installs firmware version 1.1.0.32.

Threatpost cited Compass Security CTO Alexandre Herzog as saying that an unnamed victim discovered the attack while investigating why the router had become unstable.

"The only pre-requisite for the attack is that the attacker can reach the web management interface, which is attainable by default in the internal network", Herzog said.

The exploit gives an attacker full remote, unauthenticated root access to the device if WAN (remote) administration is enabled. "An attacker with physical access to the router can subvert it anyway".
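The attack above is only visible from the victim's side as a change in DNS behaviour. The following is an added example, not code from the article, Compass Security or Netgear, of the two checks a router owner can run to spot that pattern: whether the resolvers the router is configured with are ones the operator recognises, and whether answers obtained through the router agree with those from an independent, trusted resolver for a few canary domains. All addresses, domain names and answer sets are constructed sample data (RFC 5737 documentation ranges); in practice `ROUTER_DNS` comes from the router's LAN/WAN settings page and the answer sets from something like `dig @<router-ip> bank.example A` versus `dig @<trusted-resolver> bank.example A`.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


# Constructed sample data (RFC 5737 documentation addresses, not real hosts).
LAN = ip_network("192.168.1.0/24")
# Resolvers the operator knows about: the router itself plus two ISP resolvers.
ALLOWED_DNS = {"192.168.1.1", "203.0.113.53", "203.0.113.54"}
# Resolvers found in the router's configuration; the second one was planted.
ROUTER_DNS = ["192.168.1.1", "198.51.100.200"]
# Answers for canary domains, as seen through the router's resolver ...
ROUTER_ANSWERS = {
    "bank.example": {"198.51.100.200"},   # rogue resolver answers with itself
    "mail.example": {"203.0.113.10"},
}
# ... and through an independent, trusted resolver.
TRUSTED_ANSWERS = {
    "bank.example": {"203.0.113.20", "203.0.113.21"},
    "mail.example": {"203.0.113.10"},
}


def check_resolvers(router_dns, allowed, lan):
    """Flag configured resolvers that are not on the operator's allowlist.

    An unexpected address outside the LAN is the classic hijack symptom;
    an unexpected LAN address is reported separately so it can be triaged.
    """
    findings = []
    for addr in router_dns:
        try:
            ip = ip_address(addr)
        except ValueError:
            findings.append(Finding("unparseable_resolver", addr))
            continue
        if addr in allowed:
            continue
        where = "lan" if ip in lan else "external"
        findings.append(Finding(f"unexpected_{where}_resolver", addr))
    return findings


def compare_answers(router_answers, trusted_answers):
    """Flag canary domains whose answers via the router share nothing with
    the trusted resolver's answers. Disjointness rather than equality is
    used so that ordinary round-robin or partial CDN differences don't fire.
    """
    findings = []
    for domain in sorted(set(router_answers) & set(trusted_answers)):
        via_router = router_answers[domain]
        via_trusted = trusted_answers[domain]
        if via_router.isdisjoint(via_trusted):
            findings.append(Finding(
                "answer_mismatch",
                f"{domain}: router={sorted(via_router)} trusted={sorted(via_trusted)}",
            ))
    return findings


def hijack_indicators(router_dns, allowed, lan, router_answers, trusted_answers):
    """Run both checks and return the combined list of findings."""
    return (check_resolvers(router_dns, allowed, lan)
            + compare_answers(router_answers, trusted_answers))


def is_hijacked(findings):
    """Any finding at all is worth a look at the router's DNS settings."""
    return bool(findings)


if __name__ == "__main__":
    for f in hijack_indicators(ROUTER_DNS, ALLOWED_DNS, LAN,
                               ROUTER_ANSWERS, TRUSTED_ANSWERS):
        print(f"{f.kind}: {f.detail}")
```

Pick canary domains whose records are stable (your bank, your mail provider, a domain you control), not large CDN hostnames, and keep the allowlist in step with whatever your ISP actually hands out; otherwise the resolver check will cry wolf. Neither check tells you how the settings were changed, only that they were, which is the point at which to re-read the router's remote-management settings and apply the vendor's fix.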