Pierluigi Paganini September 23, 2021

CVE-2021-40847 flaw in Netgear SOHO routers could be exploited by a remote attacker to execute arbitrary code as root.

Security experts from consulting firm GRIMM have discovered a vulnerability in Small Offices/Home Offices (SOHO) Netgear routers that could be exploited by a remote attacker to execute arbitrary code as root

The flaw, tracked as CVE-2021-40847, resides in the source of a third-party component included in the firmware of many Netgear devices. This code is part of Circle, which is used to implement parental control features to these devices. The experts noticed that this code runs as root, for this reason, the exploitation of the flaw could allow executing code as root.

The flaw resides in the Circle update daemon that is enabled by default, even the users haven’t configured their router to use the parental control features.

The daemon connects to Circle and Netgear to obtain version information and updates to the circled daemon and its filtering database. Experts noticed that database updates from Netgear are unsigned and downloaded via Hypertext Transfer Protocol (HTTP), allowing the attacker to carry out a MitM attack on the device.

“This daemon connects to Circle and Netgear to obtain version information and updates to the circled daemon and its filtering database. However, database updates from Netgear are unsigned and downloaded via Hypertext Transfer Protocol (HTTP).” reads the post published by GRIMM. “As such, an attacker with the ability to perform a MitM attack on the device can respond to circled update requests with a specially-crafted, compressed database file, the extraction of which gives the attacker the ability to overwrite executable files with attacker-controlled code.”

“To exploit the vulnerability, the attacker must be must be able to intercept and modify the router’s network traffic. For the specific DNS-based MITM attack used above, the attacker must race DNS queries from the Circle update daemon. If the attacker wins one of these races, which can be done reliably with the PoC exploit written by GRIMM, code execution is trivial to obtain. Other MitM attacks that do not rely on DNS manipulation will also allow an attacker to exploit this vulnerability.”

The experts developed a Proof of Concept (PoC) for this issue and successfully tested it against the Netgear R7000.

Below is the list of vulnerable devices:

• R6400v2 – 1.0.4.106
• R6700 – 1.0.2.16
• R6700v3 – 1.0.4.106
• R6900 – 1.0.2.16
• R6900P – 1.3.2.134
• R7000 – 1.0.11.123
• R7000P – 1.3.2.134
• R7850 – 1.0.5.68
• R7900 – 1.0.4.38
• R8000 – 1.0.4.68
• RS400 – 1.5.0.68

GRIMM recommends to update the devices to the latest firmware versions, it also provides mitigations such as disabling the vulnerable component or using virtual private network (VPN) clients to encrypt all network traffic and prevent MitM attacks.

“For many organizations, SOHO devices typically fly under the radar when it comes to cybersecurity risk management. However, the significant increase in employees remotely connecting to corporate networks (e.g. due to updated work-from-home policies brought into practice as a result of Covid-19) has similarly increased the risk to corporate networks from vulnerabilities in SOHO devices.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, SOHO)

[adrotate banner=”5″]

[adrotate banner=”13″]