Netgear under fire after TLS certificates found in firmware -- again

Disclosure process raises questions

According to their report, the researchers first discovered the vulnerability on Jan. 14, and sent a Tweet attempting to establish communication with Netgear that same day. Netgear maintains a bug bounty program through Bugcrowd where researchers can submit bugs and vulnerabilities in order to get cash rewards. But because Netgear's program prohibits any kind of public disclosure of vulnerabilities, Starke and Pohl opted for a different approach.

On Jan. 15, the two researchers attempted to go through Bugcrowd in order to establish direction communication with Netgear, but were "unable to establish a communications channel outside of the Netgear bug bounty programs," the GitHub page said.

Four days later, they published their findings on GitHub. "We felt that this was an important enough issue that we decided to go full disclosure," Pohl said. "To me it's not about the money or the fame. It's about making the community safe."

Pohl also said responsible disclosure practices in this case benefited Netgear rather than the users. "They pay you a little money through the Bugcrowd or whatever to get you to shut up, and then they never fix the problem. And so, the whole quote-unquote 'responsible disclosure' is not responsible disclosure; it's about the vendors being able to shut researchers up and not actually protect the community. So it actually doesn't do what these bug bounties are intending to do," Pohl said.

When they published their findings, however, Pohl and Starke found the issue of private keys being disclosed through firmware was not a new one. Kevin Froman, a security researcher and computer science student, commented on Starke and Pohl's GitHub post. "I discovered this same thing in 2017. My Bugcrowd report was shot down as dupe."

Froman told SearchSecurity the "dupe" refers to the message he received from Bugcrowd for his report sent on July 23, 2017, which ruled the issue a duplicate vulnerability. "Thank you for the submission but this has already been reported by another researcher," Bugcrowd's message read.

Froman wrote about the TLS certificates and exposed keys in a 2017 blog post. He said what he discovered nearly three years ago were "very similar but not identical issues" to what Starke and Pohl reported this week.

"Pohl and Starke found different private keys than me, but the point stands that Netgear was aware of the issue since at least 2017, and according to them back then even, I was not the first to report," Froman said.

When asked whether Pohl and Starke's findings had been reported previously, a spokesperson for Netgear explained over an email, "This particular issue related to Entrust private key being available in plain text has not been reported to us earlier."

SearchSecurity asked Netgear why the vulnerability was been classified as a separate issue if the only difference was the type of TLS certificates and private keys involved. Netgear had not responded at press time.

Netgear has struggled with vulnerability reporting and response in the past. In early 2017, Trustwave security researchers reported two critical vulnerabilities in 31 models of Netgear routers. According to the researchers, they first contacted Netgear about the flaws in April of 2016, but after nine months the vendor had released firmware patches for 18 of the affected products.

"Luckily Netgear did eventually get back to us right before we were set to disclose these vulnerabilities publicly," Simon Kenin, security researcher at Trustwave, wrote in a blog post. "We were a little skeptical since our experience to date matched that of other third-party vulnerability researchers that have tried to responsibly disclose to Netgear only to be met with frustration."

However, Kenin said his opinion changed after Netgear pledged to release additional firmware fixes on an "aggressive timeline" and announced a partnership with Bugcrowd to improve its bug bounty efforts.