The US-CERT team has advised owners of several Netgear routers to discontinue their use until the vendor releases a security patch. To check whether you are affected and to learn more about the issue, continue reading our article.
Netgear Released Updated Firmware That Resolved The Issue
The company has updated the firmware of the affected devices. The new releases are compatible with the R6400 (firmware version 188.8.131.52), R7000 (firmware version 184.108.40.206) and R8000 (firmware version 220.127.116.11) models of the 8XXX line.
In addition, beta packages are also available for some other models, including:
- R6250 (firmware version 18.104.22.168)
- R6700 (firmware version 22.214.171.124)
- R6900 (firmware version 126.96.36.199)
- R7100LG (firmware version 188.8.131.52)
- R7300DST (firmware version 184.108.40.206)
- R7900 (firmware version 220.127.116.11)
The image files are now available on Netgear’s official site.
US-CERT Warns Netgear Router Owners to Stop Using Them
The US-CERT team has officially recommended discontinuing the use of several Netgear routers which have been identified to possess critical security vulnerabilities. The organization has warned users that the R7000 and R6400 router series, and possibly other models as well, are vulnerable to dangerous arbitrary command injection attacks. A publicly disclosed exploit of the bug was published on December 6 2016 and Netgear has not yet released a new firmware to fix the problem.
The official advisory is named Vulnerability Note VU#582384. According to the description, the issue is due to the following:
Vulnerability Note VU#582384
Multiple Netgear routers are vulnerable to arbitrary command injection
Original Release date: 09 Dec 2016 | Last revised: 11 Dec 2016
Netgear R7000 and R6400 routers and possibly other models are vulnerable to arbitrary command injection.
CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
Netgear R7000, firmware version 18.104.22.168_1.1.93 and possibly earlier, and R6400, firmware version 22.214.171.124_1.0.4 and possibly earlier, contain an arbitrary command injection vulnerability. By convincing a user to visit a specially crafted web site, a remote unauthenticated attacker may execute arbitrary commands with root privileges on affected routers. A LAN-based attacker may do the same by issuing a direct request, e.g. by visiting:
This vulnerability has been confirmed in the R7000 and R6400 models. Community reports also indicate the R8000, firmware version 126.96.36.199_1.1.2, is vulnerable. Other models may also be affected.
To be affected by the issue, router owners need to visit a specially crafted site. Once the issue is triggered, remote attackers may execute arbitrary commands with root privileges on the affected devices.
As a consequence, using the following command the attackers can open a telnet service on port 45:
http://RouterIP/;telnetd$IFS-p$IFS'45' will open telnet on port 45.
A temporary workaround is to disable the web server interface of the Netgear routers by issuing the following command:
This solution works until the device is restarted.
The security engineer known as Acew0rm has posted a YouTube video along with code on GitHub which allows router owners to check if their device is vulnerable.
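The request shape described above, a semicolon opening a path segment with $IFS standing in for spaces, can be searched for in HTTP access or proxy logs. The following is an added example, not code from US-CERT, Netgear or Acew0rm; the Common Log Format input, the rule names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Shell syntax that has no place in a URL path: a command separator opening a
# path segment, the $IFS stand-in for a space, or command substitution.
SUSPICIOUS = [
    ("separator-at-segment-start", re.compile(r"/\s*[;|&]")),
    ("ifs-as-space", re.compile(r"\$\{?IFS\b")),
    ("command-substitution", re.compile(r"\$\(|`")),
]

def decode_fully(target, max_rounds=3):
    """Percent-decode repeatedly so %3B and %253B both surface as ';'."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def find_injection_attempts(log_lines):
    """Return (line_number, decoded_path, [rule names]) for flagged requests."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # Only the path matters here; ';' and '&' are routine in query strings.
        path = decode_fully(match.group("target").split("?", 1)[0])
        rules = [name for name, rx in SUSPICIOUS if rx.search(path)]
        if rules:
            hits.append((number, path, rules))
    return hits

# Constructed sample log lines (addresses are documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Dec/2016:10:00:01 +0000] "GET /index.htm HTTP/1.1" 200 512',
    '192.0.2.10 - - [11/Dec/2016:10:00:02 +0000] "GET /;telnetd$IFS-p$IFS\'45\' HTTP/1.1" 200 0',
    '192.0.2.11 - - [11/Dec/2016:10:00:03 +0000] "GET /%3Btelnetd%24IFS-p%24IFS%2745%27 HTTP/1.1" 200 0',
    '192.0.2.12 - - [11/Dec/2016:10:00:04 +0000] "GET /search?a=1;b=2&c=3 HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    for number, path, rules in find_injection_attempts(SAMPLE_LOG):
        print(number, path, ",".join(rules))
```

The percent-encoded third line decodes to the same path as the second, so both are flagged, while the semicolon in the query string of the fourth line is not.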