IBM has discovered Vulnerability-related.DiscoverVulnerability 17 zero-day vulnerabilities in smart city systems which could debilitate core services . At the Black Hat conference in Las Vegas on Monday , the cybersecurity firm 's X-Force Red team of penetration testers and hackers demonstrated how old-school threats are placing the cities of the future at risk in the present day . Smart city technology spending is predicted to hit $ 80 billion this year and become as high as $ 135 billion by 2021 . Water and filtration systems , smart lighting , traffic controllers , utilities , and more all become intertwined in smart cities , which aim to make urban living more energy efficient , eco-friendly , and manageable . However , connecting all of these critical elements can have devastating effects should something go wrong -- such as a successful cyberattack . We 've already seen the damage which can be caused when threat actors target core country systems , such as in the case of Ukraine 's power grid , and unless security is considered every step of the way , every future city will be placed at similar levels of risk . Together with researchers from Threatcare , IBM X-Force Red discovered Vulnerability-related.DiscoverVulnerability that smart city systems developed by Libelium , Echelon and Battelle were vulnerable Vulnerability-related.DiscoverVulnerability to attack . Libelium is a wireless sensor network hardware manufacturer , while Echelon specializes in industrial IoT , and non-profit Battelle develops and commercializes related technologies . According to IBM X-Force Red researcher Daniel Crowley , out of the 17 previously-unknown vulnerabilities discovered Vulnerability-related.DiscoverVulnerability in systems used in four smart cities , eight are deemed critical in severity . Unfortunately , many of the bugs were due to poor , lax security practices -- such as the use of default passwords , authentication bypass , and SQL injections . In total , the researchers uncovered Vulnerability-related.DiscoverVulnerability four instances of critical pre-authentication shell injection flaws in Libelium 's wireless sensor network , Meshlium .

Onapsis discovered Vulnerability-related.DiscoverVulnerability several high risk vulnerabilities affecting Vulnerability-related.DiscoverVulnerability SAP HANA platforms . If exploited Vulnerability-related.DiscoverVulnerability , these vulnerabilities would allow an attacker , whether inside or outside the organization , to take full control of the SAP HANA platform remotely , without the need of a username and password . “ This level of access would allow an attacker to perform any action Attack.Databreach over the business information and processes supported by HANA , including creating , stealing Attack.Databreach , altering , and/or deleting sensitive information . If these vulnerabilities are exploited Vulnerability-related.DiscoverVulnerability , organizations may face severe business consequences , ” said Sebastian Bortnik , Head of Research , Onapsis . The vulnerabilities affect Vulnerability-related.DiscoverVulnerability a specific SAP HANA component named SAP HANA User Self Service , which is not enabled by default . The following list details the affected HANA 2 and HANA versions : “ We hope organizations will use this threat intelligence to assess their systems and confirm that they are not currently using this component , and therefore are not affected by these risks . Even if the service is not enabled , we still recommend that these organizations apply Vulnerability-related.PatchVulnerability the patches in case a change is made to the system in the future , ” continued Bortnik . Onapsis Research Labs originally discovered Vulnerability-related.DiscoverVulnerability the vulnerabilities on the newly released SAP HANA 2 platform , but after additional analysis realized that several older versions were vulnerable Vulnerability-related.DiscoverVulnerability as well . Based on this assessment , it was identified Vulnerability-related.DiscoverVulnerability that the vulnerabilities had been present Vulnerability-related.DiscoverVulnerability in HANA for almost two and a half years , when the User Self Service component was first released . This greatly increases the likelihood that these vulnerabilities have been discovered Vulnerability-related.DiscoverVulnerability by attackers to break into organization ’ s SAP systems . Onapsis worked closely with SAP ’ s Product Security & Engineering teams to help them develop Vulnerability-related.PatchVulnerability the security patches . SAP is releasing the first ever patch for SAP HANA 2 . In this case , default installations are affected and an attacker can elevate privileges if exploited

Home routers are the first and sometimes last line of defense for a network . Despite this fact , many manufacturers of home routers fail to properly audit their devices for security issues before releasing them to the market . As security researchers , we are often disappointed to rediscover that this is not always the case , and that sometimes these vulnerabilities simply fall into our hands during our day-to-day lives . Such is the story of the two NETGEAR vulnerabilities I want to share Vulnerability-related.DiscoverVulnerability with you today : It was a cold and rainy winter night , almost a year ago , when my lovely NETGEAR VEGN2610 modem/router lost connection to the Internet . I was tucked in bed , cozy and warm , there was no way I was going downstairs to reset the modem , `` I will just reboot it through the web panel '' I thought to myself . Unfortunately I could n't remember the password and it was too late at night to check whether my roommates had it . I considered my options : Needless to say , I chose the latter . I thought to myself , `` Well , it has a web interface and I need to bypass the authentication somehow , so the web server is a good start . '' I started manually fuzzing the web server with different parameters , I tried `` .. / .. '' classic directory traversal and such , and after about 1 minute of fuzzing , I tried `` … '' and I got this response : Fig 1 : unauth.cgi `` Hmm , what is that unauth.cgi thingy ? Luckily for me the Internet connection had come back on its own , but I was now a man on a mission , so I started to look around to see if there were any known vulnerabilities for my VEGN2610 . I started looking up what that `` unauth.cgi '' page could be , and I found 2 publicly disclosed Vulnerability-related.DiscoverVulnerability exploits from 2014 , for different models that manage to do unauthenticated password disclosure . Those two guys found out Vulnerability-related.DiscoverVulnerability that the number we get from unauth.cgi can be used with passwordrecovered.cgi to retrieve the credentials . I tested the method described in both , and voila - I have my password , now I can go to sleep happy and satisfied . I woke up the next morning excited by the discovery , I thought to myself : `` 3 routers with same issue… Coincidence ? Luckily , I had another , older NETGEAR router laying around ; I tested it and bam ! I started asking people I knew if they have NETGEAR equipment so I could test further to see the scope of the issue . In order to make life easier for non-technical people I wrote a python script called netgore , similar to wnroast , to test for this issue . I am aware of that and that is why I do n't work as a full time programmer . As it turned out , I had an error in my code where it did n't correctly take the number from unauth.cgi and passed gibberish to passwordrecovered.cgi instead , but somehow it still managed to get the credentials ! After few trials and errors trying to reproduce the issue , I found Vulnerability-related.DiscoverVulnerability that the very first call to passwordrecovered.cgi will give out the credentials no matter what the parameter you send . This is totally new bug that I have n't seen anywhere else . When I tested both bugs on different NETGEAR models , I found Vulnerability-related.DiscoverVulnerability that my second bug works on a much wider range of models . A full description of both of these findings as well as the python script used for testing can be found here . The vulnerabilities have been assigned Vulnerability-related.DiscoverVulnerability CVE-2017-5521 and TWSL2017-003 . The Responsible Disclosure Process This is where the story of discovery ends and the story of disclosure begins . Following our Responsible Disclosure policy we sent both findings Vulnerability-related.DiscoverVulnerability to NETGEAR in the beginning of April 2016 . In our initial contact , the first advisory had 18 models listed as vulnerable Vulnerability-related.DiscoverVulnerability , although six of them did n't have the vulnerability in the latest firmware . Perhaps it was fixed Vulnerability-related.PatchVulnerability as part of a different patch cycle . The second advisory included 25 models , all of which were vulnerable Vulnerability-related.DiscoverVulnerability in their latest firmware version . In June NETGEAR published a notice that provided Vulnerability-related.PatchVulnerability a fix for a small subset of vulnerable routers and a workaround for the rest . They also made the commitment to working toward 100 % coverage for all affected routers . The notice has been updated several time since then and currently contains 31 vulnerable models , 18 of which are patched Vulnerability-related.PatchVulnerability now , and 2 models that they previously listed as vulnerable Vulnerability-related.DiscoverVulnerability , but are now listed as not vulnerable Vulnerability-related.DiscoverVulnerability . In fact , our tests show that one of the models listed as not vulnerable Vulnerability-related.DiscoverVulnerability ( DGN2200v4 ) is , in fact , vulnerable and this can easily be reproduced with the POC provided in our advisory . Over the past nine months we attempted to contact NETGEAR multiple times for clarification and to allow them time to patch Vulnerability-related.PatchVulnerability more models . Over that time we have found Vulnerability-related.DiscoverVulnerability more vulnerable models that were not listed in the initial notice , although they were added later . We also discovered Vulnerability-related.DiscoverVulnerability that the Lenovo R3220 router is powered by NETGEAR firmware and it was vulnerable Vulnerability-related.DiscoverVulnerability as well . Luckily NETGEAR did eventually get back to us right before we were set to disclose Vulnerability-related.DiscoverVulnerability these vulnerabilities publicly . We were a little skeptical since our experience to date matched that of other third-party vulnerability researchers that have tried to responsibly disclose Vulnerability-related.DiscoverVulnerability to NETGEAR only to be met with frustration . The first was that NETGEAR committed to pushing out firmware to the currently unpatched models on an aggressive timeline . The second change made us more confident that NETGEAR was not just serious about patching Vulnerability-related.PatchVulnerability these vulnerabilities , but serious about changing how they handle third-party disclosure in general . We fully expect this move will not only smooth the relationship between third-party researchers and NETGEAR , but , in the end , will result in a more secure line of products and services . For starters , it affects a large number of models . We have found Vulnerability-related.DiscoverVulnerability more than ten thousand vulnerable devices that are remotely accessible . The real number of affected devices is probably in the hundreds of thousands , if not over a million . The vulnerability can be used by a remote attacker if remote administration is set to be Internet facing .

Hundreds of thousands–potentially more than one million–Netgear routers are susceptible Vulnerability-related.DiscoverVulnerability to a pair of vulnerabilities that can lead to password disclosure . Researchers said Vulnerability-related.DiscoverVulnerability that while anyone who has physical access to a router can exploit Vulnerability-related.DiscoverVulnerability the vulnerabilities locally , the real threat is that the flaw can also be exploited Vulnerability-related.DiscoverVulnerability remotely . According to Simon Kenin , a security researcher with Trustwave ’ s Spiderlabs team , who discovered Vulnerability-related.DiscoverVulnerability the flaw and disclosed Vulnerability-related.DiscoverVulnerability it Monday , the vulnerabilities can be remotely exploited Vulnerability-related.DiscoverVulnerability if the router ’ s remote management option is enabled . While Netgear claims remote management is turned off on routers by default , Kenin said there are “ hundreds of thousands , if not over a million ” devices left remotely accessible . Kenin claims that all he had to do was send a simple request to the router ’ s web management server to retrieve a router ’ s password . After determining a number that corresponds to a password recovery token , he found he could pair it with a call to the router ’ s passwordrecovered.cgi script . Kenin claims Vulnerability-related.DiscoverVulnerability he made his discovery by leveraging two exploits disclosed Vulnerability-related.DiscoverVulnerability in 2014 on some Netgear routers he had hanging around . It wasn ’ t until after Kenin pieced together a python script designed to diagnose the scope of the issue that he determined he could still retrieve the router ’ s credentials even if he didn ’ t send the correct password recovery token . “ After few trials and errors trying to reproduce the issue , I found Vulnerability-related.DiscoverVulnerability that the very first call to passwordrecovered.cgi will give out the credentials no matter what the parameter you send . This is totally new bug that I haven’t seen Vulnerability-related.DiscoverVulnerability anywhere else . When I tested both bugs on different NETGEAR models , I found Vulnerability-related.DiscoverVulnerability that my second bug works on a much wider range of models , ” Kenin wrote Monday . Kenin ’ s employer , Trustwave , divulged Vulnerability-related.DiscoverVulnerability details around both vulnerabilities in a lengthy blog post Monday , putting the wraps on a nearly year-long odyssey with the vendor . The firm first disclosed Vulnerability-related.DiscoverVulnerability the vulnerability to Netgear in April 2016 , initially it listing 18 vulnerable models , before listing 25 vulnerable models in a subsequent advisory . After repeated requests for an update on a fix for the vulnerability , Netgear finally obliged in July and provided Vulnerability-related.PatchVulnerability firmware updates for a fraction of the affected routers . It wasn ’ t until this weekend that Netgear acknowledged Vulnerability-related.DiscoverVulnerability the issues again , posting Vulnerability-related.PatchVulnerability an updated version of the article on its support page , instructing users to find and download the appropriate firmware fixes . The most recent version of the advisory claims there are 31 vulnerable models , 18 of which are patched Vulnerability-related.PatchVulnerability . The company is encouraging users of some devices in which firmware is not available to implement a workaround . According to Netgear , users of 12 different models would be best served to manually enable password recovery and disable remote management on their devices . “ The potential for password exposure remains if you do not complete both steps . NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification , ” the company writes . It ’ s the first critical vulnerability to affect Vulnerability-related.DiscoverVulnerability Netgear routers this year but the second in the last two months . In December , it was discovered Vulnerability-related.DiscoverVulnerability that a handful of the company ’ s Nighthawk line of routers were vulnerable Vulnerability-related.DiscoverVulnerability to a flaw that could have given an attacker root access on the device and allowed them to run remote code . The company was quick to release Vulnerability-related.PatchVulnerability beta firmware updates to address Vulnerability-related.PatchVulnerability the vulnerability but simultaneously confirmed Vulnerability-related.DiscoverVulnerability that more routers than originally reported were vulnerable Vulnerability-related.DiscoverVulnerability . When reached Wednesday , a Netgear spokesperson said it was aware of the vulnerability and that it was appreciative of the research Trustwave carried out . Trustwave discloses Vulnerability-related.DiscoverVulnerability an unpatched vulnerability in Brother printers with the Debut embedded webserver after numerous attempts to contact the vendor failed .

Hundreds of thousands–potentially more than one million–Netgear routers are susceptible Vulnerability-related.DiscoverVulnerability to a pair of vulnerabilities that can lead to password disclosure . Researchers said Vulnerability-related.DiscoverVulnerability that while anyone who has physical access to a router can exploit Vulnerability-related.DiscoverVulnerability the vulnerabilities locally , the real threat is that the flaw can also be exploited Vulnerability-related.DiscoverVulnerability remotely . According to Simon Kenin , a security researcher with Trustwave ’ s Spiderlabs team , who discovered Vulnerability-related.DiscoverVulnerability the flaw and disclosed Vulnerability-related.DiscoverVulnerability it Monday , the vulnerabilities can be remotely exploited Vulnerability-related.DiscoverVulnerability if the router ’ s remote management option is enabled . While Netgear claims remote management is turned off on routers by default , Kenin said there are “ hundreds of thousands , if not over a million ” devices left remotely accessible . Kenin claims that all he had to do was send a simple request to the router ’ s web management server to retrieve a router ’ s password . After determining a number that corresponds to a password recovery token , he found he could pair it with a call to the router ’ s passwordrecovered.cgi script . Kenin claims Vulnerability-related.DiscoverVulnerability he made his discovery by leveraging two exploits disclosed Vulnerability-related.DiscoverVulnerability in 2014 on some Netgear routers he had hanging around . It wasn ’ t until after Kenin pieced together a python script designed to diagnose the scope of the issue that he determined he could still retrieve the router ’ s credentials even if he didn ’ t send the correct password recovery token . “ After few trials and errors trying to reproduce the issue , I found Vulnerability-related.DiscoverVulnerability that the very first call to passwordrecovered.cgi will give out the credentials no matter what the parameter you send . This is totally new bug that I haven’t seen Vulnerability-related.DiscoverVulnerability anywhere else . When I tested both bugs on different NETGEAR models , I found Vulnerability-related.DiscoverVulnerability that my second bug works on a much wider range of models , ” Kenin wrote Monday . Kenin ’ s employer , Trustwave , divulged Vulnerability-related.DiscoverVulnerability details around both vulnerabilities in a lengthy blog post Monday , putting the wraps on a nearly year-long odyssey with the vendor . The firm first disclosed Vulnerability-related.DiscoverVulnerability the vulnerability to Netgear in April 2016 , initially it listing 18 vulnerable models , before listing 25 vulnerable models in a subsequent advisory . After repeated requests for an update on a fix for the vulnerability , Netgear finally obliged in July and provided Vulnerability-related.PatchVulnerability firmware updates for a fraction of the affected routers . It wasn ’ t until this weekend that Netgear acknowledged Vulnerability-related.DiscoverVulnerability the issues again , posting Vulnerability-related.PatchVulnerability an updated version of the article on its support page , instructing users to find and download the appropriate firmware fixes . The most recent version of the advisory claims there are 31 vulnerable models , 18 of which are patched Vulnerability-related.PatchVulnerability . The company is encouraging users of some devices in which firmware is not available to implement a workaround . According to Netgear , users of 12 different models would be best served to manually enable password recovery and disable remote management on their devices . “ The potential for password exposure remains if you do not complete both steps . NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification , ” the company writes . It ’ s the first critical vulnerability to affect Vulnerability-related.DiscoverVulnerability Netgear routers this year but the second in the last two months . In December , it was discovered Vulnerability-related.DiscoverVulnerability that a handful of the company ’ s Nighthawk line of routers were vulnerable Vulnerability-related.DiscoverVulnerability to a flaw that could have given an attacker root access on the device and allowed them to run remote code . The company was quick to release Vulnerability-related.PatchVulnerability beta firmware updates to address Vulnerability-related.PatchVulnerability the vulnerability but simultaneously confirmed Vulnerability-related.DiscoverVulnerability that more routers than originally reported were vulnerable Vulnerability-related.DiscoverVulnerability . When reached Wednesday , a Netgear spokesperson said it was aware of the vulnerability and that it was appreciative of the research Trustwave carried out . Trustwave discloses Vulnerability-related.DiscoverVulnerability an unpatched vulnerability in Brother printers with the Debut embedded webserver after numerous attempts to contact the vendor failed .

Simon Kenin , a security researcher at Trustwave , was – by his own admission – being lazy the day he discovered Vulnerability-related.DiscoverVulnerability an authentication vulnerability in his Netgear router . Instead of getting up out of bed to address a connection problem , he started fuzzing the web interface and discovered Vulnerability-related.DiscoverVulnerability a serious issue . Kenin had hit upon unauth.cgi , code that was previously tied to two different exploits in 2014 for unauthenticated password disclosure flaws . The short version of the 2014 vulnerability is that an attacker can get unauth.cgi to issue a number that can be passed over to passwordrecovered.cgi in order to receive credentials . Kenin tested their exploits and was able to get his password . [ Learn about top security certifications : Who they 're for , what they cost , and which you need . The following day he started gathering other Netgear devices to test . While repeating the process , he made an error , but that did n't prevent him from obtaining credentials . That accidental discovery Vulnerability-related.DiscoverVulnerability resulted in CVE-2017-5521 . `` After few trials and errors trying to reproduce the issue , I found Vulnerability-related.DiscoverVulnerability that the very first call to passwordrecovered.cgi will give out the credentials no matter what the parameter you send . This is totally new bug that I haven’t seen Vulnerability-related.DiscoverVulnerability anywhere else . When I tested both bugs on different NETGEAR models , I found Vulnerability-related.DiscoverVulnerability that my second bug works on a much wider range of models , '' Kenin explained in a recent blog post . There are at least ten thousand devices online that are vulnerable Vulnerability-related.DiscoverVulnerability to the flaw that Kenin discovered Vulnerability-related.DiscoverVulnerability , but he says the real number could reach the hundreds of thousands , or even millions . `` The vulnerability can be used by a remote attacker if remote administration is set to be Internet facing . However , anyone with physical access to a network with a vulnerable router can exploit it locally . This would include public Wi-Fi spaces like cafés and libraries using vulnerable equipment , '' Kenin wrote . Kenin reached out to Netgear and reported the problems , but it was no easy task . The first advisory listed 18 devices that were vulnerable Vulnerability-related.DiscoverVulnerability , followed by a second advisory detailing an additional 25 models . A few months later , in June 2016 , Netgear finally published an advisory that offered Vulnerability-related.PatchVulnerability a fix for a small subset of the vulnerable devices , and a workaround for others . Eventually , Netgear reported that they were going to fix Vulnerability-related.PatchVulnerability all the unpatched models . They also teamed up with Bugcrowd to improve their vulnerability handling process . Netgear has a status page on the vulnerability , they also provide a workaround for those who ca n't update their firmware yet . It was n't until after the story ran that the PR firm representing Trustwave and pitching the research named Simon Kenin as one who made the discovery Vulnerability-related.DiscoverVulnerability . Netgear issued a statement , downplaying the discovery some Vulnerability-related.DiscoverVulnerability , and reminding users that fixes are available Vulnerability-related.PatchVulnerability for most of the impacted devices . The emailed comments are reprinted below : NETGEAR is aware of the vulnerability ( CVE-2017-5521 ) , that has been recently publicized Vulnerability-related.DiscoverVulnerability by Trustwave . We have been working with the security analysts to evaluate the vulnerability . NETGEAR has published Vulnerability-related.DiscoverVulnerability a knowledge base article from our support page , which lists the affected routers and the available firmware fix Vulnerability-related.PatchVulnerability . Firmware fixes are currently available Vulnerability-related.PatchVulnerability for the majority of the affected devices . To download the firmware release that fixes Vulnerability-related.PatchVulnerability the password recovery vulnerability , click the link for the model and visit the firmware release page for further instructions .