Wireless Networking Security Hardware

NetGear Also Has Remote Access Wide Open

Glenn Fleishman writes "On the heels of Linksys's WRT54G problem of not allowing remote access to be disabled in certain cases and firmware, BugTraq published this report that NetGear's WG602 access point has a hidden password that provides remote and local administrative control. Unlike Linksys's, where turning the firewall on (which is on by default, but a researcher found new units in which it was off when taken out of the box), the NetGear hole cannot be disabled. The backdoor seems to have been created by the vendor that packaged the device for NetGear."
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Saturday June 05, 2004 @10:32AM (#9344034)
    http://kbserver.netgear.com/support_details.asp?dn ldID=735
  • How very timely... (Score:1, Informative)

    by Atrax ( 249401 ) on Saturday June 05, 2004 @10:35AM (#9344043) Homepage Journal
    I was going to buy a Netgear wireless access point/router this week.

    I initially went for it because my experience with their wired products has been good. A swift rethink would seem to be required.
  • Re:huh? (Score:4, Informative)

    by RidiculousPie ( 774439 ) on Saturday June 05, 2004 @10:36AM (#9344055)
    This vulnerability can be exploited by any person which is able to reach the webinterface of the device with a webbrowser.
    It would appear that if the webinterface is disabled, the device cannot be compromised.
  • by BigHungryJoe ( 737554 ) on Saturday June 05, 2004 @10:37AM (#9344063) Homepage
    Everyone but the vendors knows it's a bad idea. Cisco recently made the same mistake [cisco.com].
  • Re:Possibilities. (Score:2, Informative)

    by Hangtime ( 19526 ) on Saturday June 05, 2004 @10:40AM (#9344081) Homepage
    With the automation Dell has in terms of its manufacturing process, I would not be surprised if that password is unique to the Dell Tag number itself instead of just a wide open tag for anyone to use.
  • Netgear WG302 (Score:4, Informative)

    by the eric conspiracy ( 20178 ) on Saturday June 05, 2004 @10:42AM (#9344102)
    Well, at least this username/password doesn't work with a WG302 with firmware 1.5.

  • by Anonymous Coward on Saturday June 05, 2004 @10:43AM (#9344106)
  • by gbjbaanb ( 229885 ) on Saturday June 05, 2004 @10:44AM (#9344112)
    Helps if the URL doesn't have a space in it. Hmm.. slashdot seems to be mangling it. Note: there should be no space in the following URL.
    http://kbserver.netgear.com/support_details.asp?dn ldID=735
    "WG602 Firmware Version 1.7.14

    Bug Fixes

    Fixed: Lost connections during heavy traffic
    Improved system reliability under heavy traffic
    Fixed illegal user access the WEB configuration utility.
    Known Bugs and Feature Limitations

    WPA is not supported.
    Wireless Bridging and repeating functions are not supported. "
  • WGR614 (Score:4, Informative)

    by Rinisari ( 521266 ) on Saturday June 05, 2004 @10:44AM (#9344114) Homepage Journal
    NetGear WGR614 is not affected by this bug. I'm going to try to get its firmware and follow the same procedure listed in that Bugtraq report to see what I can find.
  • Re:Possibilities. (Score:5, Informative)

    by alexatrit ( 689331 ) on Saturday June 05, 2004 @10:47AM (#9344125) Homepage
    I stand corrected, here.

    "The only way to clear the BIOS password is with a Master Reset Password provided by Dell for that Model No. and they will not give you the master unless you can give them the name, address and telephone of the registered owner. However the password is universal for all laps with the same model no., so if you know someone who is a registered owner, you can call Dell and get the master."

    Reference [experts-exchange.com] here. That being said, the master for an Inspiron 5000 is BLVJCH. Booyah!
  • by gumpish ( 682245 ) on Saturday June 05, 2004 @10:48AM (#9344126) Journal
    The URL is "mangled" for people browsing with mobile devices. The space is added so tiny displays can word wrap the text. (And also so crapflooders can't make your horizontal scroll bar appear.)

    Personally I think the number of people using such browsers is probably so small that there is no justification for this "feature", but since Slashdot isn't likely to change, URLs should be submitted as proper links and not just plain text.
  • by Trigun ( 685027 ) <evil@evil e m p i r e . a t h .cx> on Saturday June 05, 2004 @10:52AM (#9344150)
    There is a justification for this feature. Put an eicar test signature into a comment, and watch some realtime virus scanners go nuts.

  • Take my advice (Score:4, Informative)

    by Q2Serpent ( 216415 ) on Saturday June 05, 2004 @10:52AM (#9344152)
    I know this is a huge problem for the general public, but for those of us with a linux machine, do what I do and save yourself some trouble: put two network cards in the linux machine. Connect one to the internet and the other to your wireless router's normal ethernet ports (don't use the port that is supposed to be for the internet). Then, just set up your linux firewall/NAT, and you get all the benefits of wireless and a wired hub on the inside, with a linux machine doing the routing/firewalling for security from the outside. Since the router isn't on the net, no one can even touch it.
  • by thewiz ( 24994 ) * on Saturday June 05, 2004 @11:10AM (#9344234)
    Just checked my WG602v2 and the factory firmware upgrade 2.0rc5 and they do not have the backdoor.

    Whew!
  • by Homology ( 639438 ) on Saturday June 05, 2004 @11:20AM (#9344268)
    I was going to buy a Netgear wireless access point/router this week.

    If 11Mbps is sufficient for your needs, you could buy an 802.11b wireless card that uses the Prism 2.5 chipset. This chipset can function in hostAP mode. At home I use Netgear MA311 in an older Dell functioning as my wireless access point, internet gateway and firewall. Instead of WEP, I use IPSec, and only authorized IPSec traffic is allowed (and thus no leeching from my Kazaa loving neighbour).

    You might need to flash the firmware, though, which you can find here [star-os.com].

    If you want a secure, easy and hassle free gateway, just install OpenBSD [openbsd.org].

  • Re:Good grief... (Score:4, Informative)

    by Gojira Shipi-Taro ( 465802 ) on Saturday June 05, 2004 @11:34AM (#9344315) Homepage
    Look into Smoothwall. I'm using it on an old PPro 200 as a firewall/router. It supports 3 networks at the moment (red/external, Green/internal, Orange/restricted (wlan for instance)). I have an older netgear router that I keep as a spare (the old PPro 200 has to die sometime...), but even with that, the Smoothwall config can be dumped to floppy and moved to a completely different machine easily.
  • by Anonymous Coward on Saturday June 05, 2004 @11:43AM (#9344346)
    Sorry for the AC reply...

    You can change your NTP Server setting on this router with some of the more up to date firmwares. I'm using A2.4 and there is an option to set the NTP server of your choice under the "Schedule" Menu.
  • No, it wasn't... (Score:3, Informative)

    by Otto ( 17870 ) on Saturday June 05, 2004 @12:36PM (#9344616) Homepage Journal
    The problem still exists. If you disable the firewall and disable remote admin, you can still get the remote admin page over the WAN. That, to me, is a bug. Okay, it may be a weird config as they stated, but it's a bug nevertheless.

    They also have beta firmware up on that link you posted to fix the problem.
  • by David M. Andersen ( 711958 ) * <dma AT dmatech DOT org> on Saturday June 05, 2004 @12:55PM (#9344717) Homepage
    I was able to change NVRAM parameters using snmpset regardless of the community strings as long as SNMP was enabled on the WAP54G.
    dma@laureate:~$ snmpwalk 192.168.1.254 -O n -v 1 -c froqegftoeqgteqg enterprise
    .1.3.6.1.4.1.3955.1.1.0 = STRING: "v1.08, Aug 05, 2003"
    ...
    .1.3.6.1.4.1.3955.2.1.8.0 = IpAddress: 192.168.1.254
    .1.3.6.1.4.1.3955.2.1.9.0 = IpAddress: 255.255.255.0
    ...

    dma@laureate:~$ snmpset -c wghwgqgqerc -v 2c 192.168.1.254 .1.3.6.1.4.1.3955.2.1.8.0 a "10.0.0.1"
    SNMPv2-SMI::enterprises.3955.2.1.8.0 = IpAddress: 10.0.0.1
    The changes took effect when the device was reset or power cycled. I didn't really investigate further. I reported this to Linksys. Not sure if they did anything about it.
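
An added example, not part of the comment above: a read-only check an owner can run against their own access point to see whether its SNMP agent enforces community strings. It sends one SNMPv1 GET with a random community; a conforming agent drops it silently, so any GetResponse means the community is not being checked. The function names, the use of sysDescr.0 and UDP port 161 are assumptions of this sketch, and it never attempts a write.

```python
import secrets
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"  # MIB-2 sysDescr.0 (assumed readable on the agent)

def tlv(tag, body):  # BER tag-length-value, short-form length (probe is < 128 bytes)
    return bytes([tag, len(body)]) + body

def enc_int(v):  # non-negative INTEGER in minimal two's-complement form
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:  # base-128, high bit set on all but the last octet
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def build_get(community, oid=SYS_DESCR, request_id=1):
    """SNMPv1 GetRequest (PDU tag 0xA0) for a single OID."""
    varbinds = tlv(0x30, tlv(0x30, enc_oid(oid) + tlv(0x05, b"")))
    pdu = tlv(0xA0, enc_int(request_id) + enc_int(0) + enc_int(0) + varbinds)
    return tlv(0x30, enc_int(0) + tlv(0x04, community.encode()) + pdu)

def is_get_response(pkt):
    """True if pkt parses as an SNMP message carrying a GetResponse (0xA2)."""
    try:
        i = 2 + (pkt[1] & 0x7F if pkt[1] & 0x80 else 0)  # skip outer SEQUENCE header
        for tag in (0x02, 0x04):                          # version, community
            if pkt[i] != tag or pkt[i + 1] & 0x80:
                return False
            i += 2 + pkt[i + 1]
        return pkt[0] == 0x30 and pkt[i] == 0xA2
    except IndexError:
        return False

def answers_bogus_community(host, port=161, timeout=2.0):
    """Send a GET with a random community; a GetResponse means it was not checked."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get(secrets.token_hex(8)), (host, port))
        try:
            return is_get_response(s.recvfrom(4096)[0])
        except (socket.timeout, ConnectionError):
            return False
```

`answers_bogus_community("192.168.1.254")` returning `True` on your own device means SNMP should be disabled or the firmware replaced; `False` only shows that reads with an unknown community were not answered within the timeout.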
  • by Anonymous Coward on Saturday June 05, 2004 @01:49PM (#9345019)
    I don't believe in security through obscurity, but I also don't believe in publishing backdoor passwords.
    I own a NetGear WAP. I'm glad they published it. One, it's good, useful information for me as an owner of the device, and two, it allows me to test if I'm vulnerable.
  • by Harodotus ( 680139 ) on Saturday June 05, 2004 @01:50PM (#9345025) Homepage

    Smoothwall [smoothwall.org] is exactly that, a custom Linux distro with boot-from-cd install that only requires you to hit "enter" a couple dozen times to turn any old 2 nic pc into a pre-configured modern firewall with internal NAT and DHCP.


    I use it and find it very handy (lots of old PC hardware about)

  • by Spinality ( 214521 ) on Saturday June 05, 2004 @02:57PM (#9345355) Homepage
    I'm curious what you will do with this information -- what can you do that you couldn't do before?

    Well, I used it to verify whether I was vulnerable. I was. I'm glad to observe it. I've downloaded the new firmware and hope to be safe. They couldn't contact me via registration card because I NEVER send in those things. They're just marketing gimmicks used as an opt-in.

    Moreover, the script kiddies will manage to get this information whether or not it's publicly posted. This way, I have it as well as them.

    Just my view.
  • by Chucky B. Bear ( 785810 ) on Saturday June 05, 2004 @03:10PM (#9345433)
    I've just upgraded to the latest firmware. It is NOT FIXED!!!! They have simply gone and changed the username and password to something else. There is STILL a default superuser account with password.

    (You can find it yourself by just taking similar steps as in the securityfocus article.)

  • by LoadWB ( 592248 ) on Saturday June 05, 2004 @04:40PM (#9345941) Journal
    Hrmmmm. I like it when others tell me what I said.

    No, I did not issue a statement admitting it was a false report. I said that a critical element did not show up in testing of newly purchased equipment.

    And I am not sure how I feel about Mr. Seltzer's article. Especially his statement about trust. It is obvious that we should trust him over others because he is the author of the "Official" book on LinkSys. I do not, however, think that we should dismiss, or not trust, anything anyone has to say about security, regardless of stature. True, my announcement was not confirmed, and the more responsible in the Internet news community did indeed hold off on their reports while responses and discussions continued. Bravo.

    LinkSys has "told" us by proxy of Mr. Seltzer that the units I got with the odd behaviors were customer returns. Well, I cannot speak for what LinkSys says -- they certainly did not say that to me. I do say that is pure conjecture, on both my and LinkSys' part, but it does make for a reasonable assumption concerning the three units used in later testing.

    Just for information, there is no comment from LinkSys on this issue on its press release page http://www.linksys.com/press/press.asp , nor from Cisco http://newsroom.cisco.com/dlls/index.html

    Even so, I still stand firmly by my original findings. Two older units *did* do this, even after a factory reset. Bad hardware? Pre-release firmware? Who knows. I saw what I saw. But it does go to prove one very important point: we should not be complacent about our perception of security. If you install Internet-facing equipment for clients, you are providing a great service to everyone if you port-scan the device. When you purchase Internet equipment, check the configurations and make sure it matches up to what you expect. Do not take your security for granted.

    As an aside, Larry Seltzer, regardless of his credibility, is another journalist who has never contacted me for clarification or expanded information.
  • by Rex Code ( 712912 ) <rexcode@gmail.com> on Saturday June 05, 2004 @07:31PM (#9346910)
    According to a recent BugTraq by Jaco Swart, all the new firmware does is change the backdoor username from "super" to "superman" and the password to "21241036".

    Does Netgear really think the security community is that stupid? They should be ashamed.
  • NOT A PROBLEM (Score:3, Informative)

    by $ASANY ( 705279 ) on Saturday June 05, 2004 @11:21PM (#9348154) Homepage
    I just ran this against my WG602 running firmware 1.5.7, and the account doesn't exist. So if you perform the absolute minimal step of checking for software upgrades before you put this into service, you won't run into any problem.

    If you don't immediately check for upgrades when you open a box and haven't with this hardware, though, perhaps you deserve to get 0wn3d?
