Security experts Adam Nichols from GRIMM and d4rkn3ss from the Vietnamese internet service provider VNPT have independently reported a severe unpatched security vulnerability that affects 79 Netgear router models.
The flaw could allow remote attackers to execute arbitrary code as “root” on the vulnerable devices and potentially take over them. The security experts reported the vulnerability to the vendor early this year.
A whopping 79 Netgear router models are vulnerable to a severe security flaw that can let hackers take over devices remotely.
Nichols discovered that the vulnerability affects 758 different firmware versions that run on 79 Netgear routers. Oldest firmware versions have been released as far back as 2007.
The researcher was analyzing Small Office/Home Office (SOHO) devices and focused its auditing session on the Netgear R7000 router.
The expert discovered the vulnerability in the web server component that is implemented in vulnerable Netgear router firmware.
“In SOHO devices like the R7000, the web server must parse user input from the network and run complex CGI functions that use that input. Furthermore, the web server is written in C and has had very little testing, and thus it is often vulnerable to trivial memory corruption bugs. As such, I decided to start by analyzing the web server, httpd.” reads the analysis published by GRIMM. “However, poor code quality and a lack of adequate testing has resulted in thousands of vulnerable SOHO devices being exposed to the internet for over a decade.”
GRIMM also discovered that the web server used in the router fails in validating the input provided by the user, lack of stack cookies, and the server’s binary is not compiled as a Position-independent Executable (PIE) failing to implement the ASLR (address space layout randomization) security technique.
Hackers could exploit the above issues by sending specially crafted malicious HTTP requests. Nichols also published a proof-of-concept exploit that automatically determines the SOHO device model/version and then exploit it to start telnet on TCP Port 8888.
Both Nichols and d4rkn3ss have now shared details about the flaw via the Zero-Day Initiative after having agreed with Netgear to give it the time to understand the impact of the issue on all its models.
It seems that the vendor requested a second extension until the end of June, but ZDI declined the request and notified the vendor the case would be published as 0-day on 06/15/20.
The bad news is that the vendor also will address the flaw for some of the affected routers because some families of devices have already reached the end-of-life.
Below is the list of all the affected models.
ZDI provided the following mitigation for the issue:
“Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it.” reads the ZDI’s advisory. “This could be accomplished in a number of ways, most notably with firewall rules/whitelisting.”
(SecurityAffairs – routers, SOHO)