US-CERT Officially Advises Netgear Router Owners to Check for Security Flaws

THE US-CERT team has advised Netgear owners of several routers to discontinue their use until the vendor releases a security patch, to check if you are affected and to learn more about the issue continue reading our article.

Netgear Released Updated Firmware That Resolved The Issue

The company has updated the firmware of the affected devices. The new releases are compatible with the R6400 (firmware version 1.0.1.18), R7000 (firmware version 1.0.7.6) and R8000 (firmware version 1.0.3.26) models of the 8XXX line.
In addition beta packages are also available for some other models including:

  • R6250 (firmware version 1.0.4.6)
  • R6700 (firmware version 1.0.1.14)
  • R6900 (firmware version 1.0.1.14)
  • R7100LG (firmware version 1.0.0.28)
  • R7300DST (firmware version 1.0.0.46)
  • R7900 (firmware version 1.0.1.8)

The image files are now available on Netgear’s official site.

US-CERT Warns Netgear Router Owners to Stop Using Them

The US-CERT team has officially recommended the discontinuation of use of several Netgear routers which have been identified to posses critical security vulnerabilities. The organization has warned the users that the R7000 and R6400 router series and possibly other models as well are vulnerable to dangerous arbitrary command injection attacks. A publicly disclosed exploit of the bug was published on December 6 2016 and Netgear has not yet released a new firmware to fix the problem.

The official advisory is named as A publicly disclosed exploit of the bug was published on December 7 2016 and Netgear has not yet released a new firmware to fix the problem. . According to the description the issue is due to the following:

Vulnerability Note VU#582384
Multiple Netgear routers are vulnerable to arbitrary command injection
Original Release date: 09 Dec 2016 | Last revised: 11 Dec 2016
Overview
Netgear R7000 and R6400 routers and possibly other models are vulnerable to arbitrary command injection.
Description
CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
Netgear R7000, firmware version 1.0.7.2_1.1.93 and possibly earlier, and R6400, firmware version 1.0.1.6_1.0.4 and possibly earlier, contain an arbitrary command injection vulnerability. By convincing a user to visit a specially crafted web site, a remote unauthenticated attacker may execute arbitrary commands with root privileges on affected routers. A LAN-based attacker may do the same by issuing a direct request, e.g. by visiting:

http:///cgi-bin/;COMMAND

This vulnerability has been confirmed in the R7000 and R6400 models. Community reports also indicate the R8000, firmware version 1.0.3.4_1.1.2, is vulnerable. Other models may also be affected.

To be affected by the issue the router owners need to visit a specially crafted site. The remote attackers upon triggering of the issue may execute arbitrary commands with root privileges on the affected devices.

As a consequnce using the following command the attackers can open a telnet service on port 45:

http://RouterIP/;telnetd$IFS-p$IFS’45’ will open telnet on port 45.

A temporary workaround is to disable the web server interface of the Netgear routers by issuing the following command:

http:///cgi-bin/;killall$IFS’httpd’

This solution works until the device is restarted.

The security engineer known as Acew0rm has posted a Youtube video along with a GitGub code which allows router owners to check if their device is vulnerable.

Was this content helpful?

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.


Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *