Security researchers this week disclosed that Netgear TLS certificates with exposed keys are lurking in wireless router firmware, and it wasn't the first time the issue had been reported to the vendor.
Earlier this month, Nicholas Starke, a threat researcher at Aruba Networks, and Tom Pohl, head of software architecture at Businessolver, were looking for vulnerabilities in Netgear firmware and found that the private keys for signed TLS certificates were embedded in the firmware images themselves.
"The firmware images that contained these certificates along with their private keys were publicly available for download through Netgear's support website, without authentication; thus anyone in the world could have retrieved these keys," the bug report stated.
Pohl told SearchSecurity he and Starke found the exposed TLS certificates relatively quickly. "I was looking for anything I could in the firmware to look for vulnerabilities and this was the first thing that popped out at me after looking at it for a short period of time," he said.
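The check the researchers describe, finding a usable private key inside a downloadable firmware image, is easy to reproduce on any unpacked image. The following is an added example, not the researchers' tool or any Netgear code: it scans a byte blob for PEM private-key blocks, flags encrypted ones (which are not directly usable), parses unencrypted PKCS#1 and PKCS#8 RSA keys far enough to recover the modulus, and matches that modulus against a certificate so you can tell which served certificate a leaked key belongs to. The firmware blob and the 12-bit RSA key it contains are constructed here for illustration (real images carry 2048-bit keys); the DER helpers, function names and offsets are this example's own.

```python
import base64
import hashlib
import re

# --- Minimal DER helpers (enough for RSA key structures) -------------------

def der_encode(tag, payload):
    """Wrap payload in a DER TLV with the given tag."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def der_int(i):
    """DER INTEGER for a non-negative int (extra leading byte keeps the sign bit clear)."""
    return der_encode(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(seq_value):
    """Split the value of a SEQUENCE into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, val, pos = der_read(seq_value, pos)
        out.append((tag, val))
    return out

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1

def rsa_modulus_from_pkcs1(der):
    """RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }; return n."""
    tag, body, _ = der_read(der)
    fields = der_children(body)
    if tag != 0x30 or len(fields) < 9 or fields[1][0] != 0x02:
        raise ValueError("not a PKCS#1 RSAPrivateKey")
    return int.from_bytes(fields[1][1], "big")

def rsa_modulus_from_pkcs8(der):
    """PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier, OCTET STRING }; None if not RSA."""
    _, body, _ = der_read(der)
    version, alg, key = der_children(body)[:3]
    return rsa_modulus_from_pkcs1(key[1]) if der_children(alg[1])[0][1] == RSA_OID else None

# --- Firmware scan -----------------------------------------------------------

PEM_KEY_RE = re.compile(
    rb"-----BEGIN ((?:RSA |EC |ENCRYPTED )?PRIVATE KEY)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def scan_firmware_for_private_keys(blob):
    """Find PEM private keys in a firmware image; recover the RSA modulus where the key is unencrypted."""
    findings = []
    for m in PEM_KEY_RE.finditer(blob):
        label = m.group(1).decode()
        lines = [ln.strip() for ln in m.group(2).splitlines()]
        encrypted = label.startswith("ENCRYPTED") or any(ln.startswith(b"Proc-Type: 4,ENCRYPTED") for ln in lines)
        der = base64.b64decode(b"".join(ln for ln in lines if ln and b":" not in ln))  # drop PEM header lines
        n = None
        if not encrypted:
            if label == "RSA PRIVATE KEY":
                n = rsa_modulus_from_pkcs1(der)
            elif label == "PRIVATE KEY":
                n = rsa_modulus_from_pkcs8(der)
        findings.append({
            "offset": m.start(), "label": label, "encrypted": encrypted,
            "der_sha256": hashlib.sha256(der).hexdigest(),
            "modulus_bits": n.bit_length() if n else None,
            # same uppercase whole-byte hex that `openssl x509 -noout -modulus` prints
            "modulus_hex": n.to_bytes((n.bit_length() + 7) // 8, "big").hex().upper() if n else None,
        })
    return findings

def key_for_certificate(findings, cert_modulus_hex):
    """Return the finding whose private key matches a certificate's RSA modulus, else None."""
    want = cert_modulus_hex.upper().lstrip("0")
    return next((f for f in findings if f["modulus_hex"] and f["modulus_hex"].lstrip("0") == want), None)

# --- Constructed sample image (toy 12-bit key; not a real firmware) ----------

def pem(label, der, headers=b""):
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN " + label + b"-----\n" + headers + body + b"\n-----END " + label + b"-----\n"

def toy_rsa_pkcs1_der(p=61, q=53, e=17):
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))  # pow(x, -1, m) needs Python 3.8+
    parts = (0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))
    return der_encode(0x30, b"".join(der_int(x) for x in parts))

def build_sample_firmware():
    pkcs1 = toy_rsa_pkcs1_der()
    pkcs8 = der_encode(0x30, der_int(0) + der_encode(0x30, der_encode(0x06, RSA_OID) + b"\x05\x00") + der_encode(0x04, pkcs1))
    enc_hdr = b"Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    return (b"\x00" * 64 + b"squashfs-junk" + pem(b"RSA PRIVATE KEY", pkcs1) + b"\xff" * 32
            + pem(b"PRIVATE KEY", pkcs8) + b"\x7fELF" + pem(b"RSA PRIVATE KEY", b"ciphertext-bytes", enc_hdr))

if __name__ == "__main__":
    found = scan_firmware_for_private_keys(build_sample_firmware())
    for f in found:
        print(f)
    print("key for modulus 0CA1:", key_for_certificate(found, "0CA1"))
```

In practice you would run the scan over the extracted root filesystem of a firmware image and compare each `modulus_hex` against the certificate the router actually serves (`openssl s_client -connect routerlogin.net:443 | openssl x509 -noout -modulus`); a match means anyone with the firmware download can impersonate that HTTPS endpoint. Encrypted PEM blocks are reported but not parsed, since a leaked encrypted key is only as exposed as its passphrase, which is often also in the image.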
Netgear on Monday posted a security advisory in response to the researchers' report, which did not follow responsible disclosure practices. The affected products include the R8900, R9000, RAX120 and XR700 wireless routers. Because patches are not yet available for the firmware, the vendor recommended customers use the Netgear Nighthawk app or log into their routers' web interface via http://routerlogin.com/ instead of HTTPS. While the private key is public, an HTTPS connection to the router cannot be trusted anyway, since anyone holding the key can impersonate the router's web interface.
"Netgear plans to release firmware hotfixes for all affected products as soon as possible," Netgear said in its advisory.
Disclosure process raises questions
According to their report, the researchers first discovered the vulnerability on Jan. 14 and sent a tweet attempting to establish communication with Netgear that same day. Netgear maintains a bug bounty program through Bugcrowd where researchers can submit bugs and vulnerabilities in exchange for cash rewards. But because Netgear's program prohibits any kind of public disclosure of vulnerabilities, Starke and Pohl opted for a different approach.
On Jan. 15, the two researchers attempted to go through Bugcrowd to establish direct communication with Netgear, but were "unable to establish a communications channel outside of the Netgear bug bounty programs," the GitHub page said.
Four days later, they published their findings on GitHub. "We felt that this was an important enough issue that we decided to go full disclosure," Pohl said. "To me it's not about the money or the fame. It's about making the community safe."
Pohl also said responsible disclosure practices in this case benefited Netgear rather than the users. "They pay you a little money through the Bugcrowd or whatever to get you to shut up, and then they never fix the problem. And so, the whole quote-unquote 'responsible disclosure' is not responsible disclosure; it's about the vendors being able to shut researchers up and not actually protect the community. So it actually doesn't do what these bug bounties are intending to do," Pohl said.
When they published their findings, however, Pohl and Starke found the issue of private keys being disclosed through firmware was not a new one. Kevin Froman, a security researcher and computer science student, commented on Starke and Pohl's GitHub post. "I discovered this same thing in 2017. My Bugcrowd report was shot down as dupe."
Froman told SearchSecurity the "dupe" refers to the message he received from Bugcrowd for his report sent on July 23, 2017, which ruled the issue a duplicate vulnerability. "Thank you for the submission but this has already been reported by another researcher," Bugcrowd's message read.
Froman wrote about the TLS certificates and exposed keys in a 2017 blog post. He said what he discovered nearly three years ago were "very similar but not identical issues" to what Starke and Pohl reported this week.
"Pohl and Starke found different private keys than me, but the point stands that Netgear was aware of the issue since at least 2017, and according to them back then even, I was not the first to report," Froman said.
When asked whether Pohl and Starke's findings had been reported previously, a Netgear spokesperson said in an email, "This particular issue related to Entrust private key being available in plain text has not been reported to us earlier."
SearchSecurity asked Netgear why the vulnerability had been classified as a separate issue if the only difference was the type of TLS certificates and private keys involved. Netgear had not responded at press time.
Netgear has struggled with vulnerability reporting and response in the past. In early 2017, Trustwave security researchers reported two critical vulnerabilities in 31 models of Netgear routers. According to the researchers, they first contacted Netgear about the flaws in April 2016, but after nine months the vendor had released firmware patches for only 18 of the affected models.
"Luckily Netgear did eventually get back to us right before we were set to disclose these vulnerabilities publicly," Simon Kenin, security researcher at Trustwave, wrote in a blog post. "We were a little skeptical since our experience to date matched that of other third-party vulnerability researchers that have tried to responsibly disclose to Netgear only to be met with frustration."
However, Kenin said his opinion changed after Netgear pledged to release additional firmware fixes on an "aggressive timeline" and announced a partnership with Bugcrowd to improve its bug bounty efforts.