Netgear router security flaws finally patched after six months
Netgear has issued patches to fix security vulnerabilities in two of its routers which can be exploited by an attacker to take full control of the devices remotely.
The two devices that have received patches are the R6400v2 and R6700v3. However, 77 of Netgear’s other routers reportedly still remain vulnerable to a zero-day vulnerability that was reported to the company back in January of this year.
The vulnerability, which lies in the HTTPD daemon used to manage the routers, was discovered independently by both Grimm’s Adam Nichols and d4rkn3ss from Vietnam’s VNPT ISC through the Zero Day Initiative (ZDI).
ZDI has released a report that includes some information about the vulnerability while Nichols has written a lengthy blog post describing it in detail, a Proof of Concept (PoC) exploit and even scripts to find vulnerable routers online.
Zero-day vulnerability
Based on the reports about the vulnerability, affected router models have an HTTPD daemon which does not adequately check the length of data supplied by a user and this allows an attacker to create a buffer overflow when data is copied to a fixed-length variable.
To exploit the flaw in Netgear’s routers, an attacker would need to create a specially crafted string capable of executing commands on the device without having to authenticate first. In his blog post, Nichols explained that while stack cookies would normally be able to mitigate this vulnerability, many of Netgear’s routers don’t use them, saying:
“In most modern software, this vulnerability would be unexploitable. Modern software typically contains stack cookies which would prevent exploitation. However, the R7000 does not use stack cookies. In fact, of all of the Netgear products which share a common codebase, only the D8500 firmware version 1.0.3.29 and the R6300v2 firmware versions 1.0.4.12-1.0.4.20 use stack cookies. However, later versions of the D8500 and R6300v2 stopped using stack cookies, making this vulnerability once again exploitable.”
By default, the HTTPD Daemon these routers is only accessible via LAN, although router admins can enable it so it can be accessed remotely over the internet. However, attackers can still create malicious websites using JavaScript to perform DNS rebinding attacks which would allow them to execute commands remotely on routers that are not accessible over the internet.
If you have Netgear’s R6400v2 or R6700v3 router you can download hot-fixes for the vulnerability now but if you have one of the 77 other affected routers, you’re out of luck until the company releases patches for them.
Via BleepingComputer