back to article Netgear's routerlogin.com HTTPS cert snafu now has a live proof of concept

An infosec researcher has published a JavaScript-based proof of concept for the Netgear routerlogin.com vulnerability revealed at the end of January. Through service workers, scripts that browsers run as background processes, Saleem Rashid reckons he can exploit Netgear routers to successfully compromise admin panel …

  1. adam 40 Bronze badge

    Unintended consequences of Browser Fascism

    "Netgear included HTTPS certificates [and private keys] in its firmware so customers didn't get scared off as browsers unable to connect to the internet threw up error messages and warnings when they couldn't authenticate the HTTPS connection to routerlogin.com"

    Beggars belief really!

    1. Anonymous Coward
      Anonymous Coward

      Re: Unintended consequences of Browser Fascism

      "Beggars belief really!"

      It assumes that Netgear are concerned about the loss of the private key or impersonation of this domain.

      Netgear have likely (I'm making the assumption based on setting up these devices) only registered the domain name and provided a valid certificate to avoid browser warnings for end users as the increasing levels of security on the browser (to avoid SSL/TLS/MITM issues) have pushed them in that direction.

      That's not a defence, more an explanation of unintended consequences of trying to ensure a pleasant end-user experience while browser security requirements have increased.

      Given that the devices don't necessarily have an Internet connection when they are first installed, I'm not sure what the alternative is beside factory installed unique certificates that are valid for the products sales life....

    2. rcxb Bronze badge

      Re: Unintended consequences of Browser Fascism

      Why didn't the issuing authority immediately revoke the cert, after finding out the private key is in the wild? Thereby giving Netgear an even bigger problem than a self-signed cert?

      1. rcxb Bronze badge

        Re: Unintended consequences of Browser Fascism

        Actually, it seems it was:

        On January 20th at approximately 6:39 am UTC, [Entrust Datacard] received a notification from a third party that one of our customer’s private keys had been exposed. As such, we were required to revoke the certificate due to key compromise within 24 hours, in accordance with BR 4.9.1.1.

        https://bugzilla.mozilla.org/show_bug.cgi?id=1611241

        1. Michael Wojcik Silver badge

          Re: Unintended consequences of Browser Fascism

          Of course, if you're connecting to routerlogin.net, it's entirely possible that you're doing so because you've lost your Internet connection. In that case OCSP won't work, and OCSP defaults to failing insecure.

          So maybe your browser or OS (if the browser delegates this to the OS) downloaded a CRL from Entrust Datacard that includes this revocation, in which case you'll see a warning about a revoked certificate. How many users will just click through that?

          And, of course, once the certificate expires, so will the revocation.1 At some point the remaining potentially vulnerable users will see a certificate-expired warning rather than a certificate-revoked one, which seems much less worrisome to users, even technically-experienced ones.

          Of course Netgear will no doubt admit there's an issue and fix it with a firmware update, just as soon as they finish ice-skating in Hell.

          (And, yes, I realize this is just another case of the unattended-server private-key problem, which we've known about since the '80s, and which has no good solution.)

          1This is a well-known problem with timestamped signatures as well. That's not relevant in this context, but it's Yet Another gaping flaw in the PKIX use of X.509 revocation.

  2. alain williams Silver badge

    How to make them take this seriously

    We need some legislation that the likes of Netgear have some pages on their web site (prominently signposted) that list such bugs. They would not have the ability to use weasel words to describe them.

    But: I expect that NSA & GCHQ would put a stop to anything like that.

  3. katrinab Silver badge
    Meh

    Is this really a big deal?

    If I attempt to log into my router located at http://192.168.0.1 from a compromised wifi network, I could experience exactly the same problem.

    It seems like a very theoretical threat to me.

    1. Anonymous Coward Silver badge
      Big Brother

      Re: Is this really a big deal?

      The article glosses over it (or seems to miss it entirely), but the issue isn't about connecting to your router's admin panel while connected to another network.

      When you connect to that other network, they (presumably MITM'ing an HTTP connection) register a serviceworker for routerlogin.com; when you then connect back to your own network and log into your router admin panel, the service worker kicks in and can do stuff at that stage.

      From the linked blog post:

      Thus, if the user’s browser loads routerlogin.com while connected to a malicious Wi-Fi network or VPN, someone could install a Service Worker for the domain. This could be achieved by injecting a hidden iframe for routerlogin.com into a Wi-Fi captive portal or a random HTTP webpage that the victim was browsing. When the user connects to their home Wi-Fi network again and visits routerlogin.com, the Service Worker could inject malicious JavaScript into the router management pages

      1. Anonymous Coward
        Anonymous Coward

        Re: Is this really a big deal?

        Sounds like it is a threat to any open or guest Wi-Fi Access point. So basically if you are doing that, put the Netgear box behind a firewall with rules to prevent internal network access.

        1. rcxb Bronze badge

          Re: Is this really a big deal?

          No. Normally SSL/HTTPS/TLS connections will offer you a high degree of protection from such code injection and modifications. In this case, the private key is public, so anybody can do nasty MITM with routerlogin.com.

      2. katrinab Silver badge
        Unhappy

        Re: Is this really a big deal?

        OK

        But this sounds like a browser vulnerability to me, and probably would still work if I visited http://192.168.0.1/

        1. Anonymous Coward Silver badge
          Facepalm

          Re: Is this really a big deal?

          "probably would still work if I visited http://192.168.0.1/"

          Which is why serviceworkers can only be registered on https sites

          1. Alumoi

            Re: Is this really a big deal?

            Which is why serviceworkers get disabled while configuring my browser.

        2. Michael Wojcik Silver badge

          Re: Is this really a big deal?

          The Service Worker exploit is only one possible attack.

          Consider: DNS poisoning could be used to redirect the browser to a "routerlogin.net" hosted on an external network, which could then impersonate the router long enough to steal credentials, then return an error. User assumes there's something wrong with the router and power-cycles it, which clears the DNS cache. Now the attacker can see if the browser's admin interface is open on the WAN (an option for at least some Netgear models, IIRC), and use any of a variety of techniques to get code inside the LAN to authenticate to the router and change settings.

          Or this is a SOHO setup and the attacker is already on the internal network, but doesn't have credentials for the router. Getting those credentials is useful for pivot-and-escalate maneuvering.

          The fundamental point is that once the private key has been leaked, the certificate is worthless. A PoC is nice but ultimately unnecessary to demonstrate that point to people who understand TLS.

  4. findjammer

    I tried two different R8000 routers last year. Both bricked themselves. Refunded. Never touching NETGEAR equipment ever again.

    1. Jay 2

      A few years back ran into some problems with a series of Netgear routers where the WiFi would just stop working properly... until you powered on a wired device and it would all spring back into life. The last straw was when I was on a call with their support who said it was a known problem and asked me to use the latest firmware. I then had to point out that was the US firmware and I was in the UK. Then all of a sudden it wasn't a known problem any more any they wanted open-ended Wireshark captures. At that point I gave up, sent the router back and have never purchased Netgear since.

      1. Charles 9 Silver badge

        I'd been using an R7000 for a number of years. Though soon after getting it, I replaced the firmware with a Merlin base. Only recently had a number of issues arose (including the inability to reach the GUI) that prompted me to move on last month. I considered a newer Netgear but after some research settled on a dd-wrt-ready Links router. It hasn't been all roses, but a lot of improved specs leave me with plenty of headroom.

    2. paulf Silver badge
      Terminator

      My experience of Netgear goes back further than that but just the same as yours.

      Back around 2004 I had an early wifi router. The final firmware release completely borked the ethernet part of the switch such that transferring files between networked computers failed due to the high level of corrupted packets. Thankfully I'd kept the earlier firmware versions (Netgear had removed the earlier versions from their website) and I moved back to the previous version to get it working again.

      Then I bought two DGND3700 routers back in 2011 (I think). One for me and one for the parental units. These were ADSL wifi routers with a Gb Eth switch. They never worked right with the last official release of the firmware (v1.017) having multiple problems in sustaining a stable ADSL connection (not to mention various Wifi bugs). In the end it was only after repeated hassling of support that I was sent an unreleased beta build of firmware v1.019 that sorted out most of the problems and it ran reasonably stable until the HW died a few years ago.

      Meanwhile Netgear released v2 of the HW, only 6-9 months after v1 was released, which did get updated firmware to fix the myriad show stopper bugs IOW my router was EOLd barely 9 months after release. I swore off Netgear after that and haven't looked back.

      These days my Draytek Vigor 2862 has been running the house network admirably for the last 2-3 years and is still getting decent semi-regular updates.

  5. Starace Silver badge
    Devil

    No problem here

    My Netgear router fixed this problem by blowing itself up on the same day the warranty expired.

    Not been tempted anywhere near one since.

    1. jelabarre59 Silver badge

      Re: No problem here

      My Netgear router fixed this problem by blowing itself up on the same day the warranty expired.

      Yeah, Belkin routers have the courtesy to blow up 2 weeks after you buy them. The replacement units maybe last 4 weeks.

      Linksys routers are minimally functional, but the parental controls act just like the teenagers you're trying to put time limits on; they ignore what you're saying and do whatever they want anyway.

      At least the Netgear router I'm trying a recent build of DD-WRT on didn't cost me anything, so no money lost if I brick it.

      1. EnviableOne Silver badge

        Re: No problem here

        could be something to do with the fact that Belkin own Linksys now

        Netgear wifi has generally been flaky, but it works

        their modems however have generally been supurb

        DG834 would sync ADSL on a piece of wet string

  6. dmacleo

    possibly non-wifi (netgear prosafe...) routers too...

    my fvs336gv3 and fvs318gv3 (318 EOL support wise anyway) routers isolated right now but...I think they may have used the same setup for certs. so if I am right same "bad" wifi could also be an issue with them.

    due to setup not an issue for me right now and I don't have the knowledge on how to check anyway.

  7. JohnFen Silver badge

    A twofer!

    Since I neither use Netgear's stuff nor do I ever allow the likes of service workers to be used, I am comfortable that this doesn't affect me. But it does reinforce that I win by avoiding both of those things!

  8. GBE

    OpenWRT

    I run OpenWRT on my Netgear hardware. And my D-Link hardware. And my TP-Link hardware.

    And I don't allow admin connections from the WAN.

    And when I want to connect to the router from the LAN, I enter the IP address.

    Anybody who trusts manufacturer-supplied firmware on consumer-grade gear is asking for trouble.

    1. Phil Kingston
      Black Helicopters

      Re: OpenWRT

      >And I don't allow admin connections from the WAN

      You think you don't, but the spooks are in there.

  9. Plest
    Facepalm

    All this because users can't handle a red warning sign!

    Put it this way, would you install your own gas applicances? 99% of us wouldn't, we're simply not qualified you need that GAS-Safe certification to install gas applicances because they're dangerous. Alright you won't die if your router lets bad guys in but you could well find your bank account empty and a month or two of fighting to get your life back on track, all becuase some prat in a PR dept thinks they can flog you network kit you don't have the foggiest clue how to install.

    Having said thet basic networking is not hard though, an hour or two on some good websites and very basic ipv4 networking is not hard to understand. I taught the basics of IPv4 networking to my 80 year old father, alright he's been a boiler room techie all his life so it's used to learning technical systems, but he was clueless about how it worked at first. Now he can do basic fault diagnosis on his net connected kit, understands the basics of what DHCP and DNS is, how to work within a simple class-C network setup. Just enough to get by when he buys a new gadget. I'm the worst teacher in the world and he's my Dad, most tech discussions end in us raising our voices but we licked this one.

    My advice is to re-purpose old kit. I have 2 Netgear routers, they about 6 years old and both running DD-WRT. I'll never buy new router kit again, buy second hand off "fleaBay" knowing it'll run DD-WRT. I'm recycling old kit and doing my little bit for the environment, I save money on net kit and I don't get mornic cack like the latest sec issues affecting my net kit the second I put it in like this fiasco all 'cos Netgear PR team think everyone should be playing with their home networks even though they don't understand how they work.

    1. Anonymous Coward
      Anonymous Coward

      Re: All this because users can't handle a red warning sign!

      Any recommendations on resources to self-study (a) basic, followed by (b) advanced (sysadmin-level) networking? (I'm a techie, but a medical student at university)

    2. oiseau Silver badge
      Pint

      Re: All this because users can't handle a red warning sign!

      My advice is to re-purpose old kit.

      Congratulations and thank you. =-)

      Been hammering on this for the longest while to a chorus of "new/shiny" dimwitts to no avail.

      Have one on me, even if it's not Friday ---->

      O.

    3. LeahroyNake Silver badge

      Re: All this because users can't handle a red warning sign!

      I know a few so called IT admins at customer sites that you could train up for me!

      Even today I had a call from one about a network connection on a printer. DHCP reservation in place on install last year but stopped working today and had a APIPA address. Turned out that they didn't know that the switch had VLANS set up per port and they had been 'tidying up the network cabinet'. Pays the bills though :)

  10. Anonymous Coward
    Anonymous Coward

    On a slightly different topic, but maybe not completely OT....

    A year ago I bought consumer Linksys WiFi router. The ONLY easy way to configure the thing meant a two step process:

    1. Register for a "cloud" account on a Linksys server.

    2. Configure the router via the "cloud" account.

    After a lot of research and a lot of aggravation, I found instructions about how to do the configuration the old fashioned way:

    - A laptop (offline)

    - An ethernet cable

    - The Linksys router

    - ......and no external internet connection at all

    The ugly "cloud" configuration was so that the user could manage their router remotely from a smartphone. (And presumably, Sonos-llike, Linksys could also manage the router from their server.)

    I did a factory reset, repacked the router in the original box, and took the thing to the local charity shop. Dropped £100.....but SEP!

  11. Anonymous Custard Silver badge
    Headmaster

    I don't believe it!

    "To me, it seems crazy that you would want to access your home router so desperately that you need to do it remotely – unless, of course, you've just realised that your username and password are still the defaults whilst at work."

    And yet the last two routers I've had (and indeed the last two NAS boxes as well) have had the capability to do just that baked into their dashboards as a "feature", and in some cases even enabled by default. All four devices from different manufacturers, with the previous router being a Netgear…

    Of course said feature was swiftly disabled on all of them, if I do find such a desperate need then it's a VPN back into the network and hop to the relevant dashboard from there...

    1. thondwe

      Re: I don't believe it!

      Are there ISPs out there who would access a router remotely as part of a support call? Is that's why the possibility is even there? IIRC I think mine had the option enabled for some remote diagnostic protocol - long since ditched as I replaced the kit with a decent VDSL modem and a micro PC running Sophos XG home...

      The Self-Signed Cert battle between IOT gadgets and Browsers isn't a nice thing for a non techie though...

      1. Anonymous Coward Silver badge
        Boffin

        Re: I don't believe it!

        ISPs don't access the config dashboard on the router; they use TR-069 provisioning.

        TR-069

        1. EnviableOne Silver badge

          Re: I don't believe it!

          not any more theres great big holes all over TR-069 and its easier to load config onto the device before dispatch...

  12. Fading
    Facepalm

    I quite like my R7800....

    So which is better OpenWRT or DD-WRT?

    1. Anonymous Coward
      Anonymous Coward

      Re: I quite like my R7800....

      I don't know, but there's one way to find out...

      F I G H T❕❕❕

    2. Charles 9 Silver badge

      Re: I quite like my R7800....

      It's a judgment call. OpenWRT is more technically-minded and takes more finesse to use. DD-WRT tries to ease some of the nerd factor.

  13. Anonymous Coward
    Anonymous Coward

    Service workers in Browser

    To me, this seems more like a flaw in browsers. Service Workers are awesome for web developers, but it was bound to happen that the concept would be exploited for evil deeds. Having background processes installed by anyone in browsers, what could go wrong?

    1. Charles 9 Silver badge

      Re: Service workers in Browser

      Problem is, what could go wrong NOW if you take them away? The Web is no longer just HTML anymore.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020