CVE-2021-40847 flaw in Netgear SOHO routers could allow remote code execution

CVE-2021-40847 flaw in Netgear SOHO routers could be exploited by a remote attacker to execute arbitrary code as root.

Security experts from consulting firm GRIMM have discovered a vulnerability in Small Office/Home Office (SOHO) Netgear routers that could be exploited by a remote attacker to execute arbitrary code as root.

The flaw, tracked as CVE-2021-40847, resides in the source code of a third-party component included in the firmware of many Netgear devices. The code is part of Circle, which implements the parental control features on these devices. The experts noticed that this code runs as root, so exploitation of the flaw could allow an attacker to execute code as root.

The flaw resides in the Circle update daemon, which is enabled by default even if users have not configured their router to use the parental control features.

The daemon connects to Circle and Netgear to obtain version information and updates to the circled daemon and its filtering database. The experts noticed that database updates from Netgear are unsigned and downloaded over plain Hypertext Transfer Protocol (HTTP), so an attacker able to carry out a MitM attack on the device can tamper with them.

“This daemon connects to Circle and Netgear to obtain version information and updates to the circled daemon and its filtering database. However, database updates from Netgear are unsigned and downloaded via Hypertext Transfer Protocol (HTTP).” reads the post published by GRIMM. “As such, an attacker with the ability to perform a MitM attack on the device can respond to circled update requests with a specially-crafted, compressed database file, the extraction of which gives the attacker the ability to overwrite executable files with attacker-controlled code.”

“To exploit the vulnerability, the attacker must be able to intercept and modify the router’s network traffic. For the specific DNS-based MITM attack used above, the attacker must race DNS queries from the Circle update daemon. If the attacker wins one of these races, which can be done reliably with the PoC exploit written by GRIMM, code execution is trivial to obtain. Other MitM attacks that do not rely on DNS manipulation will also allow an attacker to exploit this vulnerability.”
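The two defects GRIMM describes are an update payload that is never authenticated and an archive whose entries are allowed to land outside the update directory. The following Python is an added example, not code from GRIMM, Circle or Netgear, showing how an update client can refuse both. It assumes the update is a gzip-compressed tar archive, that a trusted SHA-256 digest of the archive is obtained out of band (for example from a signed manifest fetched over TLS; the digest comparison stands in for a real signature check, which the page does not specify), and that `DEST` is the directory the filtering database belongs in. All function names and the archives built inside are constructed for this demo.

```python
"""Added example (not GRIMM's, Circle's or Netgear's code): an update client
that authenticates the payload before use and rejects archive entries that
would escape the extraction directory."""
import hashlib
import hmac
import io
import os
import tarfile

DEST = "/opt/circle/db"  # hypothetical extraction directory for the database


def build_archive(entries):
    """Build an in-memory tar.gz from {member_name: bytes} (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def member_is_safe(member, dest):
    """True only for regular files or directories whose normalised path stays
    inside dest. Symlinks and hardlinks are rejected outright because their
    targets are resolved at extraction time and can point anywhere."""
    if not (member.isfile() or member.isdir()):
        return False
    dest_norm = os.path.normpath(dest)
    target = os.path.normpath(os.path.join(dest_norm, member.name))
    if member.isdir() and target == dest_norm:
        return True  # the "." directory entry many tar tools emit
    return target.startswith(dest_norm + os.sep)


def audit_update(archive_bytes, expected_sha256, dest=DEST):
    """Decide whether an update may be applied and report why."""
    report = {"digest_ok": False, "safe": [], "unsafe": [], "accepted": False}
    # 1. Authenticate the payload before parsing anything inside it. A pinned
    #    digest compared in constant time stands in for signature verification.
    report["digest_ok"] = hmac.compare_digest(sha256_hex(archive_bytes), expected_sha256)
    if not report["digest_ok"]:
        return report
    # 2. Inspect every entry first; a single bad entry rejects the whole update.
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            bucket = "safe" if member_is_safe(member, dest) else "unsafe"
            report[bucket].append(member.name)
    report["accepted"] = not report["unsafe"]
    return report


def apply_update(archive_bytes, expected_sha256, dest=DEST):
    """Extract only after audit_update has accepted the archive."""
    report = audit_update(archive_bytes, expected_sha256, dest)
    if not report["accepted"]:
        reason = "bad digest" if not report["digest_ok"] else f"unsafe entries {report['unsafe']}"
        raise ValueError("update rejected: " + reason)
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        safe = [m for m in tar.getmembers() if member_is_safe(m, dest)]
        tar.extractall(dest, members=safe)
    return report["safe"]


if __name__ == "__main__":
    good = build_archive({"filter/db.bin": b"constructed filter database"})
    print(audit_update(good, sha256_hex(good)))
    evil = build_archive({"../../../usr/bin/updater": b"#!/bin/sh\n", "filter/db.bin": b"x"})
    print(audit_update(evil, sha256_hex(evil)))  # digest ok, but rejected
```

The order matters: the digest is checked before the archive is even parsed, so a tampered file is discarded without giving the decompressor or tar parser any attacker-controlled input. On Python 3.12 and later, `tar.extractall(dest, filter="data")` performs an equivalent path check built into the standard library; the explicit `member_is_safe` pass is kept here so the audit result can be logged and so the behaviour is the same on older interpreters of the kind found in embedded firmware.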

The experts developed a Proof of Concept (PoC) for this issue and successfully tested it against the Netgear R7000.

Below is the list of vulnerable devices:

  • R6400v2 – 1.0.4.106
  • R6700 – 1.0.2.16
  • R6700v3 – 1.0.4.106
  • R6900 – 1.0.2.16
  • R6900P – 1.3.2.134
  • R7000 – 1.0.11.123
  • R7000P – 1.3.2.134
  • R7850 – 1.0.5.68
  • R7900 – 1.0.4.38
  • R8000 – 1.0.4.68
  • RS400 – 1.5.0.68

GRIMM recommends updating the devices to the latest firmware versions; it also suggests mitigations such as disabling the vulnerable component or using virtual private network (VPN) clients to encrypt all network traffic and prevent MitM attacks.

“For many organizations, SOHO devices typically fly under the radar when it comes to cybersecurity risk management. However, the significant increase in employees remotely connecting to corporate networks (e.g. due to updated work-from-home policies brought into practice as a result of Covid-19) has similarly increased the risk to corporate networks from vulnerabilities in SOHO devices.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, SOHO)
