79 Netgear router models affected by a dangerous Zero-day

79 Netgear router models are vulnerable to a severe unpatched security vulnerability that can be exploited by remote attackers to take over devices.

Security experts Adam Nichols from GRIMM and d4rkn3ss from the Vietnamese internet service provider VNPT have independently reported a severe unpatched security vulnerability that affects 79 Netgear router models.

The flaw could allow remote attackers to execute arbitrary code as “root” on the vulnerable devices and potentially take over them. The security experts reported the vulnerability to the vendor early this year.

A whopping 79 Netgear router models are vulnerable to a severe security flaw that can let hackers take over devices remotely.

Nichols discovered that the vulnerability affects 758 different firmware versions that run on 79 Netgear routers. Oldest firmware versions have been released as far back as 2007.

The researcher was analyzing Small Office/Home Office (SOHO) devices and focused its auditing session on the Netgear R7000 router. 

The expert discovered the vulnerability in the web server component that is implemented in vulnerable Netgear router firmware.

“In SOHO devices like the R7000, the web server must parse user input from the network and run complex CGI functions that use that input. Furthermore, the web server is written in C and has had very little testing, and thus it is often vulnerable to trivial memory corruption bugs. As such, I decided to start by analyzing the web server, httpd.” reads the analysis published by GRIMM. “However, poor code quality and a lack of adequate testing has resulted in thousands of vulnerable SOHO devices being exposed to the internet for over a decade.”

GRIMM also discovered that the web server used in the router fails in validating the input provided by the user, lack of stack cookies, and the server’s binary is not compiled as a Position-independent Executable (PIE) failing to implement the ASLR (address space layout randomization) security technique.

Hackers could exploit the above issues by sending specially crafted malicious HTTP requests. Nichols also published a proof-of-concept exploit that automatically determines the SOHO device model/version and then exploit it to start telnet on TCP Port 8888. 

Both Nichols and d4rkn3ss have now shared details about the flaw via the Zero-Day Initiative after having agreed with Netgear to give it the time to understand the impact of the issue on all its models.

It seems that the vendor requested a second extension until the end of June, but ZDI declined the request and notified the vendor the case would be published as 0-day on 06/15/20.

The bad news is that the vendor also will address the flaw for some of the affected routers because some families of devices have already reached the end-of-life.

Below is the list of all the affected models.

AC1450
D6220
D6300
D6400
D7000v2
D8500
DC112A
DGN2200
DGN2200v4
DGN2200M
DGND3700
EX3700
EX3800
EX3920
EX6000
EX6100
EX6120
EX6130
EX6150
EX6200
EX6920
EX7000
LG2200D
MBM621
MBR624GU
MBR1200
MBR1515
MBR1516
MBRN3000
MVBR1210C
R4500
R6200
R6200v2
R6250
R6300
R6300v2
R6400
R6400v2
R6700
R6700v3
R6900
R6900P
R7000
R7000P
R7100LG
R7300
R7850
R7900
R8000
R8300
R8500
RS400
WGR614v8
WGR614v9
WGR614v10
WGT624v4
WN2500RP
WN2500RPv2
WN3000RP
WN3100RP
WN3500RP
WNCE3001
WNDR3300
WNDR3300v2
WNDR3400
WNDR3400v2
WNDR3400v3
WNDR3700v3
WNDR4000
WNDR4500
WNDR4500v2
WNR834Bv2
WNR1000v3
WNR2000v2
WNR3500
WNR3500v2
WNR3500L
WNR3500Lv2
XR300

ZDI provided the following mitigation for the issue:

“Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it.” reads the ZDI’s advisory. “This could be accomplished in a number of ways, most notably with firewall rules/whitelisting.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – routers, SOHO)

[adrotate banner=”5″]

[adrotate banner=”13″]