Description
-----------
Wi-Fi Protected Setup (WPS) is an insecure protocol whose design flaws make it vulnerable to brute-force attacks. The NetGear device does not provide an effective method to disable WPS. An attacker in local proximity to the device while WiFi is enabled can brute-force WPS and obtain the WPA key, which allows the attacker to connect to the WiFi access point and decrypt WiFi traffic from other users.
Software such as Reaver can be used to brute-force the WPS key, usually within about ten hours. Reaver is available from
The 'Advanced Wireless Settings' page contains the following section:
WPS Settings
Router's PIN: 99999999
[Tickbox] Disable Router's PIN
[Tickbox] Keep Existing Wireless Settings
Ticking the 'Disable Router's PIN' box appears to have no effect.
Impact
------
Using this vulnerability, BAE Systems was able to crack the wireless password, and gain access to the WPA2 PSK wireless network hosted by the device.
Proof of concept
----------------
This vulnerability can be exploited with the Reaver tool available from
Solution
--------
Implement a method for users to easily and effectively disable WPS.
8. Passwords Stored in Plaintext
=================================
Requires
--------
Telnet access or exploitation of a vulnerability providing command execution
Description
-----------
The router stores passwords in the /etc/passwd file in plaintext instead of storing password hashes.
Impact
------
Using this vulnerability, BAE Systems was able to learn the passwords used to access the device.
Proof of concept
----------------
# cat /etc/passwd
nobody:*:0:0:nobody:/:/bin/sh
admin:s3cr3tp4ssw0rd:0:0:admin:/:/bin/sh
guest:guest:0:0:guest:/:/bin/sh
Solution
--------
Store user passwords as a non-reversible cryptographic hash, such as SHA-256.
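As an added defender-side example (not part of this advisory or the vendor's firmware), the following script parses passwd-format lines and flags accounts whose password field is neither a locked/shadowed marker nor a crypt(3)-style hash. The sample input is constructed after the proof-of-concept output above; the account names and hash value are made up.

```python
import re

# Constructed sample modelled on the advisory's PoC output (not captured from a device).
SAMPLE_PASSWD = """nobody:*:0:0:nobody:/:/bin/sh
admin:s3cr3tp4ssw0rd:0:0:admin:/:/bin/sh
guest:guest:0:0:guest:/:/bin/sh
root:x:0:0:root:/root:/bin/sh
svc:$5$rounds=5000$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJK:1000:1000::/:/bin/false
"""

# Password-field values that carry no secret: locked accounts or "see /etc/shadow".
LOCKED_OR_SHADOWED = {"", "x", "*", "!", "!!", "*LK*", "*NP*"}
# Modular crypt(3) hashes start with $<id>$, e.g. $1$ md5crypt, $5$ sha256crypt,
# $6$ sha512crypt, $2b$ bcrypt, $y$ yescrypt.
CRYPT_HASH = re.compile(r"^\$[0-9a-z]+\$")
# Classic 13-character DES crypt. Heuristic: a 13-character plaintext password
# drawn from the same alphabet would be misclassified as a hash.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_password_field(field):
    """Return 'locked', 'hashed' or 'plaintext' for one /etc/passwd password field."""
    if field in LOCKED_OR_SHADOWED:
        return "locked"
    if CRYPT_HASH.match(field) or DES_CRYPT.match(field):
        return "hashed"
    return "plaintext"


def audit_passwd(text):
    """Parse passwd-format text and return a list of (user, verdict) tuples.

    Lines that do not have the seven colon-separated passwd fields are reported
    as 'malformed' rather than silently skipped, so nothing hides from the audit.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"<line {lineno}>", "malformed"))
            continue
        findings.append((fields[0], classify_password_field(fields[1])))
    return findings


def plaintext_accounts(text):
    """Names of accounts whose password field appears to hold a plaintext secret."""
    return [user for user, verdict in audit_passwd(text) if verdict == "plaintext"]


if __name__ == "__main__":
    for user, verdict in audit_passwd(SAMPLE_PASSWD):
        print(f"{user:>10}: {verdict}")
```

Run against the sample it reports admin and guest as plaintext, which is exactly what the PoC above shows; the same function can be pointed at a passwd file pulled from any firmware image during review.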
9. Pre-Authentication Information Disclosure
=============================================
Requires
--------
Unauthenticated access to the web interface
Description
-----------
This issue has been previously reported in other NetGear devices and is the same issue reported here:
*
Impact
------
Using this vulnerability, BAE Systems was able to learn some identifying features of the device without needing to provide credentials.