In December 2013, security researcher Eloi Vanderbeken found a backdoor in combination DSL modem / wireless router devices manufactured by Taiwanese ODM Sercomm that allows attackers to reset the configuration of the device to factory default, as well as to access a command-line shell to activate wireless administrative access or reset passwords, among other possibilities. This issue was unceremoniously patched by Sercomm, and the vendors of the affected devices, Netgear, Cisco/Linksys, and Diamond, published updates for the hardware to remove the vulnerability.
But this did not remove the vulnerability.
Originally, the vulnerability was moderately transparent: the router would listen for messages on TCP 32764. While crafted attacks were possible, as there is a rather feature-complete shell available, brute force would result in the router simply being reset, alerting the owner that something is going on. Note that not all devices affected by this bug required the attacker to be on the local network; some allowed access to the backdoor from across the Internet.
The “patch” for this vulnerability did little more than slightly hide the backdoor and require that the attacker be on the LAN or at the ISP level (or otherwise one hop away). Additionally, this requires raw packets, not TCP. So, with a special “knock” on the backdoor, it can be opened with ease: the content of the packet (for the device investigated by Wilmer van der Gaast, though this likely applies to others) is an MD5 hash of the model number of the router being attacked. The structure of the attack is used in an old Sercomm update utility, and strongly indicates that the inclusion of this vulnerability is intentional, according to the PowerPoint presentation write-up by Vanderbeken available here.
A response from Netgear
When asked about the TCP 32764 issue, Netgear’s press relations representative Jocelyn Shaw said, “NETGEAR has researched the assertions that the firmware patch provided for the older modems and DSL gateways was vulnerable to attack from outside the network, and has discussed this issue with our technology partner, Sercomm. These products have a LAN-side testing interface integrated into the modem & gateways for the sole purpose of production testing and validation.”
Shaw said, “This testing interface is only accessible while on the LAN, and is not accessible by anyone outside the home network.” However, research by Vanderbeken indicates that the Netgear DG834B, DGN2000, and WPNT834 are listening on the internet. Despite this, Shaw notes “NETGEAR, or any other external source, would not be able to access this interface remotely, over the WAN. In order to further strengthen these products from any vulnerability, NETGEAR will be providing an additional layer of security through a new update, which will be available for these products by June 2014. NETGEAR also recommends that customers make sure that their wireless security is turned ‘on’ for the maximum amount of protection, so that no unauthorized users or devices are on the LAN.”
Considering the usual speed at which updates for these types of products are released, the turnaround time of June 2014 isn’t particularly slow.
A response from Cisco
The response from Nigel Glennie at Cisco’s Product Security Incident Response Team was somewhat more definitive. Firstly, Cisco acknowledges the issue and the history of the exploit on its website, where, as Glennie points out, “Cisco has confirmed the undocumented test interface has been completely removed by the firmware images listed in this advisory and cannot be re-enabled in the Cisco WAP4410N Wireless-N Access Point, Cisco WRVS4400N Wireless-N Gigabit Security Router, and the Cisco RVS4000 4-port Gigabit Security Router.”
Sercomm hasn’t responded to emails about this issue.
Protecting your home network
To protect your home network from unwanted interference by third parties, check whether your router is one of the models affected by the TCP 32764 backdoor. If it is, check the manufacturer’s website to see if a patch is available. If not, alternate firmware may be available, such as OpenWRT or Tomato. For Netgear DGN3500 users, a custom firmware that patches the vulnerability is available. Short of that, the First Aid patch can close the vulnerability temporarily, but it will reappear after reboot.
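As a complement to checking the model list, the following added example (not from Vanderbeken, Sercomm or any vendor) tests whether your own router accepts connections on TCP 32764 and words the result with the caveat described above: a closed port on patched firmware does not show the interface is gone. The function names `probe` and `assess` and the command-line usage are assumptions made for this sketch.

```python
import socket
import sys

BACKDOOR_PORT = 32764  # TCP port the article says the original backdoor listened on


def probe(host, port=BACKDOOR_PORT, timeout=3.0):
    """Classify one TCP connect attempt as 'open', 'closed', 'filtered' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"      # handshake completed: something is listening
    except ConnectionRefusedError:
        return "closed"        # reset received: host is up, nothing listening
    except (socket.timeout, TimeoutError):
        return "filtered"      # no reply: dropped by a firewall or host unreachable
    except OSError:
        return "error"         # bad address, no route, and similar failures


def assess(states):
    """Map {router address: state} to plain-language findings, sorted by address."""
    findings = []
    for addr, state in sorted(states.items()):
        if state == "open":
            findings.append(f"{addr}: listener on TCP {BACKDOOR_PORT}; "
                            "look for vendor or alternate firmware")
        elif state == "closed":
            findings.append(f"{addr}: no visible listener; patched firmware may "
                            "only hide the service, so confirm the firmware version")
        else:
            findings.append(f"{addr}: inconclusive ({state})")
    return findings


if __name__ == "__main__":
    # Usage: python3 check32764.py <address of your own router> [...]
    if len(sys.argv) < 2:
        sys.exit("give the address of your own router")
    for line in assess({addr: probe(addr) for addr in sys.argv[1:]}):
        print(line)
```
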
Will this vulnerability impact your future purchases of routers? Let us know your thoughts in the comments section below.