Netgear: Nothing to see here, please disperse. Just another really bad router security hole

Netgear has downplayed the significance of newly discovered flaws in its WNR2000 line of consumer routers.

The vulnerabilities could hypothetically allow a remote attacker to execute code and take over the device without authentication, claims Pedro Ribeiro, the security researcher who discovered the bugs.

“It is a LAN based attack, but it can also be used over the Internet if remote administration is enabled in the router,“ Ribeiro told El Reg.

Ribeiro went public on the flaws earlier this week with an advisory after claiming he'd not received an adequate response from Netgear.

In response to queries from El Reg, Netgear acknowledged the flaw while playing down its significance.

Netgear is aware of the security issue that can, in very limited instances, allow remote access to a router, including password recovery and command execution. This vulnerability occurs when an attacker has access to the internal network or when remote management is enabled on the router.

Remote management is turned off by default on these routers, which is an advanced feature that the majority of our customers do not use.

Netgear added that it plans to release firmware updates that fix the remote access and command execution vulnerability for all affected products - the WNR2000v5, WNR2000v4 and WNR2000v3 - “as quickly as possible”. In the meantime, the networking equipment manufacturer has published an advisory detailing workarounds.

Ribeiro maintains that the flaw is more serious than Netgear’s response implies. Vulnerable devices are easy to find using an IoT search engine, he claimed.

“Also ‘having access to the internal network’ means being connected to the router's WLAN, hence why I question [the] very limited assertion,” he added. ®