Wish you could log into someone's Netgear box without a password? Summon a &genie=1

Get patching – there's this auth bypass and loads of other bugs

By Iain Thomson in San Francisco


If you're using a Netgear router at home, it's time to get patching. The networking hardware maker has just released a tsunami of patches for a couple of dozen models of its kit.

The flaws were found by Martin Rakhmanov at infosec shop Trustwave, which has spent over a year hunting down programming gremlins in Netgear's firmware.

Software updates to address these uncovered vulnerabilities have now been released – you should ensure they are installed as soon as you can before scumbags and botnets start exploiting them to hijack broadband gateways and wireless points. Instructions on how to apply the fixes are included in the linked-to advisories.

Some 17 Netgear routers have a remote authentication bypass. This means malware or miscreants that are on your network, or anyone else able to reach the device's web-based configuration interface, can gain control without having to provide a password. Just stick &genie=1 in the URL, and bingo.

That's pretty bad news for any vulnerable gateways with remote configuration access enabled, as anyone on the internet can exploit the cockup to take over the router, change its DNS settings, redirect browsers to malicious sites, and so on.

Another 17 Netgear routers – some overlapping with the above issue – have a similar bug: the genie_restoring.cgi script, served by the box's built-in web server, can be abused to extract files and passwords from the device's flash filesystem, and even to pull files from USB sticks plugged into the router.
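For anyone monitoring a fleet of these gateways while patches roll out, the two request patterns the article describes (a `genie=1` query parameter on an admin page, and any fetch of `genie_restoring.cgi`) are easy to pick out of a web-server access log. The following is an added example, not code from The Register or from Netgear's firmware: it parses Common Log Format style lines (the sample lines and the indicator names are constructed for illustration, and the router's real log format is an assumption) and raises an alert for each matching request. It parses the query string properly rather than substring-matching, so percent-encoded variants are caught too.

```python
"""Flag the two Netgear 'genie' request patterns in an access log.

Added example, not from the article or from Netgear's firmware.
Assumptions (labelled): the log is in Common Log Format style, the
sample lines below are constructed, and the indicator names are ours.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines, not captured from a real device.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2018:10:00:01 +0000] "GET /index.htm HTTP/1.1" 401 0
192.0.2.10 - - [10/Mar/2018:10:00:05 +0000] "GET /index.htm?foo=bar&genie=1 HTTP/1.1" 200 5120
198.51.100.7 - - [10/Mar/2018:10:01:12 +0000] "GET /genie_restoring.cgi?id=1234 HTTP/1.1" 200 880
203.0.113.4 - - [10/Mar/2018:10:02:30 +0000] "POST /apply.cgi HTTP/1.1" 200 12
192.0.2.10 - - [10/Mar/2018:10:03:00 +0000] "GET /index.htm?genie=%31 HTTP/1.1" 200 5120
"""

# source host, timestamp, method, request target and status code
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict of the fields we need, or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(target):
    """Return the indicator names triggered by one request target.

    The query string is decoded with parse_qs so that 'genie=%31'
    is recognised the same way as 'genie=1'.
    """
    parts = urlsplit(target)
    path = parts.path.lower()
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    if "1" in query.get("genie", []):
        hits.append("genie-auth-bypass")
    if path.endswith("/genie_restoring.cgi"):
        hits.append("genie_restoring-file-read")
    return hits


def scan(log_text):
    """Scan a whole log; one alert per request that trips an indicator."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["target"])
        if hits:
            alerts.append({
                "src": rec["src"],
                "ts": rec["ts"],
                "target": rec["target"],
                "status": rec["status"],
                "indicators": hits,
            })
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f'{a["ts"]} {a["src"]} -> {a["target"]} '
              f'[{a["status"]}] {", ".join(a["indicators"])}')
```

A 200 response on a flagged request is the line to look at first: it means the box served the page rather than asking for credentials. The matching on its own is not a fix; the fix is the firmware update plus, as the article notes, not exposing the configuration interface to the internet in the first place.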

Other models have less severe problems that still need patching just in case. For example, after pressing the Wi-Fi Protected Setup button, six of Netgear's routers open up a two-minute window during which an attacker can potentially execute arbitrary code on the router as root over the air.

"Trustwave SpiderLabs has worked with Netgear through our responsible disclosure process to make sure that these vulnerabilities are addressed," Trustwave's Rakhmanov said.

"We'd also like to thank Netgear for their responsive and communicative product security incident response team. It's obvious that their participation in bug bounties has helped them improve their internal process for addressing issues like these." ®
