Yet another vulnerability in a SOHO broadband router that flew under the radar is starting to cause trouble in the wild.

The authentication bypass in Netgear's WNR1000v4 device is documented by Compass Security and, in more detail, by Shellshock Labs.

The short version, from Compass, is this: “an attacker can access the administration interface of the router without submitting any valid username and password, just by requesting a special URL several times”.

The URL? It's the one indicating a successful login to the admin page – after trying to log in without the right credentials and failing, the attacker just needs to hit http://<ROUTER-IP>/BRS_netgear_success.html “multiple times”, and the router will roll over and grant access.
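For anyone with a proxy or network sensor in front of an affected router, the pattern described above can be looked for in HTTP logs. The following is an added example, not code from Compass, Shellshock Labs or Netgear; the Common Log Format input, the 401 status for a failed login, the threshold of three requests and the five-minute window are all assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Common Log Format (assumed to come from a
# proxy or sensor in front of the router; not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [09/Oct/2015:10:00:01 +0000] "GET /index.htm HTTP/1.1" 401 0
192.0.2.10 - - [09/Oct/2015:10:00:03 +0000] "GET /BRS_netgear_success.html HTTP/1.1" 200 512
192.0.2.10 - - [09/Oct/2015:10:00:04 +0000] "GET /BRS_netgear_success.html HTTP/1.1" 200 512
192.0.2.10 - - [09/Oct/2015:10:00:05 +0000] "GET /BRS_netgear_success.html HTTP/1.1" 200 512
192.0.2.10 - - [09/Oct/2015:10:00:07 +0000] "GET /index.htm HTTP/1.1" 200 4096
198.51.100.7 - - [09/Oct/2015:11:15:00 +0000] "GET /index.htm HTTP/1.1" 200 4096
198.51.100.7 - - [09/Oct/2015:11:15:02 +0000] "GET /BRS_netgear_success.html HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
SUCCESS_PAGE = "/BRS_netgear_success.html"  # URL named in the advisory

def find_bypass_attempts(log_text, min_hits=3, window=timedelta(minutes=5)):
    """Return {client_ip: hit_count} for clients that got a 401 and then
    requested the success page at least min_hits times within the window."""
    last_401 = {}             # client IP -> time of most recent failed login
    hits = defaultdict(list)  # client IP -> success-page requests since then
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, _method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if status == "401":
            last_401[ip] = when
            hits[ip].clear()  # start counting afresh after each failure
        elif path.split("?")[0] == SUCCESS_PAGE and ip in last_401:
            if when - last_401[ip] <= window:
                hits[ip].append(when)
    return {ip: len(t) for ip, t in hits.items() if len(t) >= min_hits}

if __name__ == "__main__":
    for ip, count in find_bypass_attempts(SAMPLE_LOG).items():
        print(f"{ip}: {count} success-page requests after a failed login")
```

A single request for the success page after a legitimate login, as in the second constructed client, is not flagged.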

Compass says Netgear was first notified in July, and that Shellshock decided on its disclosure at the end of September when Netgear declined to nominate a release date for a patch.

That changed when the press got involved. The BBC published a piece last Friday (October 9), which included digging up a victim of the vulnerability, and the company managed to scramble a response – a patch is due October 14 (presumably UK time).

If users have Netgear's genie app, or if they try to log into their router admin page, they will be prompted to update their firmware. Otherwise, of course, the only way users will know is if they happen to read about the issue in the media. ®

Update: Netgear's patch is now available. The company told Vulture South it's notifying customers of the new firmware, and adds that remote admin access should be disabled and default passwords changed. ®