Netgear D6000 and D3600 contain hard-coded cryptographic keys and are vulnerable to authentication bypass
Original Release date: 10 Jun 2016 | Last revised: 13 Jun 2016

Overview
The Netgear D6000 and D3600 routers are vulnerable to authentication bypass and contain hard-coded cryptographic keys embedded in their firmware.

Description

CWE-321: Use of Hard-coded Cryptographic Key — CVE-2015-8288
The firmware for these devices contains a hard-coded RSA private key, as well as a hard-coded X.509 certificate and key.

An attacker with knowledge of these keys could gain administrator access to the device, implement man-in-the-middle attacks, or decrypt passively captured packets.CWE-288: Authentication Bypass Using an Alternate Path or Channel — CVE-2015-8289A remote attacker able to access the /cgi-bin/passrec.asp password recovery page may be able to view the administrator password in clear text by opening the source code of above page.According to the reporter, these vulnerabilities affect firmware versions 1.0.0.47 and 1.0.0.49 running on Netgear model D6000 and D3600. Other models and firmware versions may also be impacted.

Impact

A remote unauthenticated attacker may be able to gain administrator access to the device, man-in-the-middle a victim on the network, or decrypt passively captured data.

Solution

Apply an updateNetgear has released firmware version 1.0.0.59 on April 20th, 2016 to address these issues.

Affected users are encouraged to update the device’s firmware as soon as possible. Netgear has also created Knowledgebase articles about these issues; please see the URLs in the References section below.Affected users might also consider the following workarounds:

Restrict network accessRestrict network access to the Netgear device’s system web interface and other devices using open protocols like HTTP.

Consult your firewall product’s manual for more information.

Vendor Information (Learn More)
Vendor
Status
Date Notified
Date Updated
Netgear, Inc.
Affected
10 Dec 2015
10 Jun 2016
If you are a vendor and your product is affected, let us know.
CVSS Metrics (Learn More)
Group
Score
Vector
Base
8.8
AV:N/AC:M/Au:N/C:C/I:C/A:N
Temporal
7.5
E:POC/RL:U/RC:UR
Environmental
5.6
CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit
Thanks to Mandar Jadhav of Qualys for reporting this vulnerability.
This document was written by Garret Wassermann.

Other Information
CVE IDs: CVE-2015-8288 CVE-2015-8289
Date Public: 10 Jun 2016
Date First Published: 10 Jun 2016
Date Last Updated: 13 Jun 2016
Document Revision: 39

Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.