Vulnerabilities could leave thousands of Netgear routers exposed - Synopsys expert comments

January 2017 by Mike Ahmadi, Global Director – Critical Systems Security at Synopsys

This afternoon, Trustwave released findings on new vulnerabilities discovered in 31
models of Netgear routers, affecting a minimum of 10,000 vulnerable devices and
possibly more than a million.

These new vulnerabilities allow an attacker to discover, or completely bypass, any
password on a Netgear router, giving them complete control of the router, including
the ability to change its configuration, enlist infected routers in botnets or even
upload entirely new firmware. This comes on the heels of the December Netgear
vulnerabilities, which were “Command Injection” based, and shows the increasing
severity of the issues affecting these routers.

Commenting on this, Mike Ahmadi, Global Director – Critical Systems Security at
Synopsys, said: "We have tested many routers and firewalls over the last decade, and
have found vulnerabilities numbering in the thousands, using both fuzz testing and
software composition analyses. Vendors typically build such devices for the stated
functionality, which is to route traffic and block unwanted traffic, when used as
intended.

"What many vendors fail to do, however, is adequately assess the inherent security
of the devices they sell, thereby flooding the market with vulnerable devices. Some
vendors have taken it upon themselves to address the inherent vulnerabilities, but
the end user is often left guessing which devices are adequately tested, since there
is currently no regulatory requirement to test to a given level of rigor, and any
attempt to force such regulations is met with extreme resistance.

"The only way a consumer can determine the level of risk associated with a device is
to run their own tests and determine what vulnerabilities are present, and use this
information in procurement to force a vendor to fix the issues, or move on to
another vendor that is doing a better job addressing such issues, or require a third
party security audit, such as the UL CAP program."

