A new report from Microsoft’s security research team details how the Netgear DGN-2200 broadband router can be compromised remotely, allowing attackers access to the internal network.
Microsoft’s 365 Defender Research Team has published a detailed report explaining the flaws they discovered in the firmware of the Netgear DGN-2200v1 ADSL router. The flaws allow a remote attacker to bypass authentication on the router’s admin console and then extract the admin credentials, giving them full control over the device. Once the router is under the attacker’s control, they can modify firewall rules to give themselves access to the private network behind the router.
Netgear has published a security advisory that includes links to new firmware that resolves the vulnerabilities.
Authentication Bypass Vulnerability Explained
The firmware code that provides the HTTP server contains an initial check that allows certain pages to be served without authentication, such as .css files or JavaScript libraries. The code also checks whether an image is being requested (.jpg or .gif files) and serves those without any authentication.
However, the logic of these checks is flawed: the code looks for the string ‘.gif’ or ‘.jpg’ anywhere within the requested URL, so any page that should require authentication can be accessed simply by appending a matching substring to the URL. For example:
An unauthenticated attempt to access /WAN_wan.htm correctly fails every time,
but an attempt to access /WAN_wan.htm?image.gif is always granted, bypassing authentication.
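To make the flaw concrete, here is an added illustration (not code from the Netgear firmware or from Microsoft’s report) of the substring check as the article describes it, beside a corrected version that inspects only the path’s extension; the function names and allow-list are assumptions for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Flawed allow-list check, modelled on the behaviour described above:
 * a request is treated as a public image if ".gif" or ".jpg" appears
 * ANYWHERE in the URL, query string included. Illustrative only. */
bool flawed_is_public(const char *url)
{
    return strstr(url, ".gif") != NULL || strstr(url, ".jpg") != NULL;
}

/* Helper: does the first path_len bytes of path end with ext? */
static bool path_has_suffix(const char *path, size_t path_len, const char *ext)
{
    size_t ext_len = strlen(ext);
    return path_len >= ext_len &&
           memcmp(path + path_len - ext_len, ext, ext_len) == 0;
}

/* Corrected check: only the path component (everything before '?' or '#')
 * is examined, and it must END with an allowed extension. The allow-list
 * is an assumed set for this example. In a real server this should run on
 * the decoded, normalised path so encoding tricks cannot evade it. */
bool fixed_is_public(const char *url)
{
    static const char *const allowed[] = { ".gif", ".jpg", ".css", ".js" };
    size_t path_len = strcspn(url, "?#");   /* length of the path part */
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        if (path_has_suffix(url, path_len, allowed[i]))
            return true;
    }
    return false;
}

int main(void)
{
    const char *requests[] = {
        "/WAN_wan.htm",            /* admin page, must need auth        */
        "/WAN_wan.htm?image.gif",  /* the bypass string from the report */
        "/logo.gif",               /* genuine public image              */
        "/style.css?v=2",          /* public asset with a query string  */
    };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++)
        printf("%-24s flawed=%d fixed=%d\n", requests[i],
               flawed_is_public(requests[i]), fixed_is_public(requests[i]));
    return 0;
}
```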
Routers, firewalls and other infrastructure devices need to be regularly patched just like the servers and desktop computers on your network.