Netgear is releasing security patches to address ten vulnerabilities affecting nearly 80 of its products. Some of the vulnerabilities were discovered during the Pwn2Own Tokyo 2019 hacking contest and reported through the Zero Day Initiative (ZDI). The researchers earned a total of $25,000 for reporting them.
Netgear published the list of impacted products, it includes routers, mobile routers, modems, gateways and extenders. Some of the products have reached end of life (EOL), this means that the vendor will not release security updates the fix for these flaws.
Four of flaws have been rated high severity, they can be exploited by an unauthenticated attacker with network access to the vulnerable Netgear device to execute arbitrary code with admin or root privileges, and to bypass authentication.
ZDI reported the flaws to the vendor in November 2019, January and February 2020. Netgear asked ZDI to extend the public disclosure deadline for two times to have more time to address the flaws. Unfortunately the second time, ZDI did not accept the proposal to postpone the public disclosure of the issues and published a series of advisories.
“Multiple Netgear router models contain vulnerabilities that a remote attacker can exploit to take control of an affected device.” reads the CISA alert.
“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to update to the most recent firmware version and to replace end-of-life devices that are no longer supported with security patches.”
The CERT/CC also published a security advisory related to one of the above vulnerabilities that can be exploited by an unauthenticated attacker to gain remote code execution with root privileges.
“Multiple Netgear devices contain a stack buffer overflow in the httpd web server’s handling of upgrade_check.cgi, which may allow for unauthenticated remote code execution with root privileges.” states the CERT/CC.
“This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700 routers. Authentication is not required to exploit this vulnerability.” reads the advisory published by ZDI.
“The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.”
Netgear already released security updates for 28 devices.
(SecurityAffairs – hacking, Netgear)