    Critical · CVSS 9.8 · Patched · EPSS 0.00444%

    Authentication Bypass in Netgear Router

    NETGEAR JNR1010 devices before 1.0.0.32 have Incorrect Access Control because the ok value of the auth cookie is a special case.

    CVE ID: CVE-2016-11014
    CVSS v3.1: 9.8 Critical
    Vendor: NetGear
    CWE: CWE-613
    Disclosed: Dec 30, 2015
    Status: Fixed
    01/Description

    What this actually is.

    Technical background, root cause, and affected surface.

    An authentication bypass vulnerability was identified in Netgear JNR1010 devices before 1.0.0.32. These devices have incorrect access control because the ok value of the auth cookie is a special case, which allows remote attackers to bypass authentication mechanisms via unspecified vectors.

    Vendor: NetGear
    Affected Product: JNR1010_firmware
    CVE: CVE-2016-11014
    Securin ID: 2016-CSW-01-1015
    Status: Fixed
    Date: December 30, 2015
    Severity: Critical
    CVSS Score: 9.8
    Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    CWE: CWE-613
    02/Proof of Concept

    From one request
    to root shell.

    Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

    CVSS 3.1: 9.8
    Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Scope: Unchanged
    Impact: C:H / I:H / A:H
    Severity: Critical

    Authentication Bypass: Try accessing a URL that a regular user can no longer access without credentials, with the auth token value set to “ok” and an HTTP Basic Authentication header with a password value.

    PoC · Exploitation Steps

    01 Improper Session Management: Create a fake session ID and submit the request to the server with the credentials. You can see that the session ID does not change after logging in or during the logout process.
    02 Figure 01: Session ID created by an attacker before login.
    03 Figure 02: Attacker session ID is not changed even after login.
    04 Figure 03: Session ID remains the same, even after logging out from the current session.
    05 Figure 04: Back button history of the accessed router after logging out.
    06 Figure 05: auth token is set to “ok” once after logging into the router. But we could not access any pages just by pressing the back button after logging out.
    07 Figure 06: Changing the auth token value from “ok” to “nok” and removing extra session tokens gives access to the unauthorized page with the same session ID created by an attacker.
    08 Figure 07: Authentication logic is bypassed, and an attacker can access any pages inside login without credentials.
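
The steps above point at three server-side gaps: a session ID the client can choose, no rotation at login or destruction at logout (CWE-613), and an access decision that depends on the client-held auth token. The sketch below is an added example, not Netgear's firmware code and not part of the original advisory; it models the corrected behaviour. The cookie name `session`, the idle timeout and the demo credential are assumptions.

```python
import hmac
import secrets
import time

IDLE_TIMEOUT = 600  # seconds; assumed value for illustration


class SessionStore:
    """Server-side sessions: the client holds only an opaque random ID."""

    def __init__(self, check_password):
        self._check_password = check_password  # callable(user, password) -> bool
        self._sessions = {}                    # sid -> {"user", "last_seen"}

    def login(self, presented_sid, user, password):
        # Discard whatever ID the client arrived with: a pre-login ID may
        # have been planted by someone else (session fixation).
        self._sessions.pop(presented_sid, None)
        if not self._check_password(user, password):
            return None
        sid = secrets.token_urlsafe(32)        # fresh, unguessable ID per login
        self._sessions[sid] = {"user": user, "last_seen": time.monotonic()}
        return sid

    def logout(self, sid):
        # Destroy server state so the old ID is worthless afterwards.
        self._sessions.pop(sid, None)

    def authorize(self, cookies):
        # The decision uses server state only. A client-writable flag such
        # as auth=ok (or any other value) is never consulted.
        sid = cookies.get("session", "")
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = time.monotonic()
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            self.logout(sid)                   # expire idle sessions
            return None
        sess["last_seen"] = now
        return sess["user"]


def demo_check_password(user, password):
    # Constructed credential, for this example only.
    return user == "admin" and hmac.compare_digest(
        password.encode(), b"correct horse")
```
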
    03/Impact

    What an attacker does to you.

    Post-exploitation outcomes mapped to CVSS impact metrics.

    By leveraging this vulnerability, an attacker can bypass authentication mechanisms via unspecified vectors.

    04/Remediation

    Fix it. In this order.

    A runbook, not a checklist. Sequence matters — assume compromise before you act.

    Download the latest version of firmware and update it as per vendor advisory.

    Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2016-11014, contact disclose@securin.io
    05/Disclosure Timeline

    Vendors moved in days.
    Attackers in hours.

    Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

    Oct 28, 2015: Discovered in Netgear Router Firmware Version 1.0.0.24

    Oct 28, 2015: Reported to vendor

    Nov 03, 2015: Netgear technical team started addressing the issue after several follow-ups.

    Dec 13, 2015: Vulnerability was fixed.

    Dec 30, 2015: The updated Netgear Router JNR1010 version 1.0.0.32 was released.

    Disclosed 63 days after discovery

