Vulnerabilities in 79 Netgear router models allows attackers to run code as “root”
Netgear Inc. is a multinational computer networking company based in San Jose, California, with offices in about 25 other countries. It produces networking hardware for consumers, businesses, and service providers. The company operates in three business segments: retail, commercial, and as a service provider.
Two security researchers found that 79 Netgear router models are vulnerable and allow attackers to run code as “root”. Adam Nichols and d4rkn3ss are the two researchers that found the bug in the routers.
According to Nichols, the vulnerability impacts 758 different firmware versions that have been used on 79 Netgear routers across the years, with some firmware versions being first deployed on devices released as far back as 2007.
Routers and modems often form an important security border that prevents attackers from directly exploiting the computers in a network. However, poor code quality and a lack of adequate testing have resulted in thousands of vulnerable SOHO devices being exposed to the internet for over a decade.
The GRIMM security researcher says the server doesn’t properly validate user input, doesn’t use “stack cookies” (aka canaries) to protect its memory, and the server’s binary is not compiled as a Position-independent Executable (PIE), meaning ASLR (address space layout randomization) is never applied.
As the vulnerability occurs before the Cross-Site Request Forgery (CSRF) token is checked, this exploit can also be served via a CSRF attack. If a user with a vulnerable router browses to a malicious website, that website could exploit the user’s router. The developed exploit demonstrates this ability by serving an HTML page which sends an AJAX request containing the exploit to the target device.
However, as the CSRF web page cannot read any responses from the target server, it is not possible to remotely fingerprint the device. Rather, the attacker must know the model and version that they are exploiting.
Nichols shared proof of exploit on GitHub and said he was able to “start the [router’s] telnet daemon as root listening on TCP port 8888 and not requiring a password to log in.”
The researchers later informed Netgear about the bug and suggested to solve them as soon as possible. As you can see the broadness of the vulnerabilities that it must be affecting millions of users using these 79 Netgear routers and a huge amount of work needed to produce and test a patch for all devices. The company will soon launch the patches for its models, however, all the models are not expected to be patched as some of them have gone end-of-life many years before.
Here is the list of 79 Netgear routers that are affected by the vulnerable version of the webserver.
AC1450 D6220 D6300 D6400 D7000v2 D8500 DC112A DGN2200 DGN2200v4 DGN2200M DGND3700 EX3700 EX3800 EX3920 EX6000 EX6100 EX6120 EX6130 EX6150 EX6200 EX6920 EX7000
LG2200D MBM621 MBR624GU MBR1200 MBR1515 MBR1516 MBRN3000 MVBR1210C R4500 R6200
R6200v2 R6250 R6300 R6300v2 R6400 R6400v2 R6700 R6700v3 R6900 R6900P R7000 R7000P
R7100LG R7300 R7850 R7900 R8000 R8300 R8500 RS400 WGR614v8 WGR614v9 WGR614v10 WGT624v4 WN2500RP WN2500RPv2 WN3000RP WN3100RP WN3500RP WNCE3001 WNDR3300 WNDR3300v2 WNDR3400 WNDR3400v2 WNDR3400v3 WNDR3700v3 WNDR4000 WNDR4500 WNDR4500v2 WNR834Bv2 WNR1000v3 WNR2000v2 WNR3500 WNR3500v2 WNR3500L WNR3500Lv2 XR300
For more news on tech and cybersecurity subscribe to our newsletter from here