Netis Router Backdoor “Patched” But Not Really

Late last month, we reported about a backdoor vulnerability that we discovered in Netcore/Netis brand routers, a backdoor that made any network attached to a router of the same brand vulnerable to online infiltration and man-in-the-middle attacks.

We also reported on how our friends at the ShadowServer Foundation have been kind enough to scan for IP addresses affected by this vulnerability, with their findings readily available in website form. At the time, the number of affected IP addresses numbered to more than a million – which meant that more or less, the same number of devices were at risk (we note that the number has risen at the time of this writing).

Now, it seems that Netis has addressed the vulnerability with a firmware update for the router models vulnerable to the backdoor (downloadable from their official website’s download page). This is of course great news for anyone who has a Netis/Netcore brand router – after all, this would allow them to keep the routers in their networks and be assured that the security issue has been taken care of. Unfortunately, from our analysis of the updates themselves, this may not exactly be the case.

So, what does the update actually do? Well, instead of removing the code that pertains to the backdoor (which is in essence an open UDP port), the update instead closes the port and hide its controls. What this basically means is that the backdoor is still in the router – just that it’s closed by default, and only someone who already knows about the backdoor itself and has the technical knowledge to open it can access it.

Figures 1 and 2. NETIS router code before and after update

Figure 1 shows how in the previous router code, the command /bin/igdmtp -d is present; in the current code it has been commented out (and thus, no longer runs). Figure 2 shows, however, how code has been added that allows the backdoor to be controlled via a hidden function on the web portal of the router.

Doesn’t this fix the problem? Not quite. The fact that the port is still there means it can still be opened and used for malicious purposes, especially if the attackers manage to get a hold of the password to the router’s web console and can obtain access to the LAN side of the router (via, say, malware on a client PC).

It still leaves the router (and the network tied to it) open to attack. It’s like patching up a hole in the wall with a door and then just giving the owner of the house a key to that door – the keys can still be stolen, and the hole can still be used to break into the house.

Should you still update? Yes. We highly recommend installing the update if you still wish to use your Netcore/Netis router, as it does at least give you access control over the port (if you know what you’re doing), and overall makes the router more secure.

However, we want to stress that users should also make their router passwords stronger as well. immediately after applying this update – or, if their routers do not require password access, then for them to activate that feature through the web console and THEN make the password as strong as they can possibly be. Strong passwords practices include making it as long as the password form allows, as well as using special symbols and numbers along with letters.

We will continue to monitor this particular issue and update as necessary.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Netis Router Backdoor “Patched” But Not Really