By security practitioners, for security practitioners

Netgear Warns Certain Routers Impacted by Remote Code Execution Vulnerability

Netgear recommends urgent firmware upgrades for impacted routers.

Background

On September 20, Netgear informed its customers about CVE-2021-40847, a Remote Code Execution vulnerability impacting some of the routers in its product line. Netgear recommends firmware updates to remediate the problem. Patching is urgent because Netgear routers are ubiquitous and serve as critical network infrastructure in small and home offices.

Vulnerability Details

Security researcher Grimm disclosed the vulnerability, which impacts many Netgear routers and allows Remote Code Execution (RCE) as root. The vulnerable component belongs to Circle, a parental control tool.

According to the researcher, the Circle update daemon that is exploited is enabled by default, even though Circle itself is not. Because the update daemon is running, the router is vulnerable whether or not the end user enables or uses any Circle functionality.

To exploit this vulnerability, the researcher created a man-in-the-middle (MitM) server that is inserted between the network uplink and the router. The MitM server intercepts details about the router, then sends a crafted packet instructing the router to download malicious firmware updates. The firmware updates allowed the researcher to establish a root shell on the impacted router.

Mitigation

Netgear recommends updating the router firmware as soon as possible. Included below is a list of impacted router lines and the fixed firmware version. Please follow the instructions on the advisory, as firmware updates vary by device.

  • R6400v2 fixed in firmware version 1.0.4.120 
  • R6700 fixed in firmware version 1.0.2.26 
  • R6700v3 fixed in firmware version 1.0.4.120 
  • R6900 fixed in firmware version 1.0.2.26 
  • R6900P fixed in firmware version 3.3.142_HOTFIX 
  • R7000 fixed in firmware version 1.0.11.128 
  • R7000P fixed in firmware version 1.3.3.142_HOTFIX 
  • R7850 fixed in firmware version 1.0.5.76 
  • R7900 fixed in firmware version 1.0.4.46 
  • R8000 fixed in firmware version 1.0.4.76 
  • RS400 fixed in firmware version 1.5.1.80 

Depending on the work-from-home status of an environment, it is important to work with remote workers to ensure their routers are not impacted by this vulnerability.
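To triage a set of home-office routers against the list above, the following Python script (an added example, not code from Netgear or Grimm) compares reported firmware strings with the fixed versions, numerically rather than as text, and treats a build that lacks the `_HOTFIX` tag as unpatched when the fix is a hotfix. The inventory rows, the function names, and the handling of a leading `V` and an `_` suffix in reported version strings are assumptions.

```python
import re

# Fixed firmware versions, copied as written from the advisory list above.
FIXED = {
    "R6400v2": "1.0.4.120", "R6700": "1.0.2.26", "R6700v3": "1.0.4.120",
    "R6900": "1.0.2.26", "R6900P": "3.3.142_HOTFIX", "R7000": "1.0.11.128",
    "R7000P": "1.3.3.142_HOTFIX", "R7850": "1.0.5.76", "R7900": "1.0.4.46",
    "R8000": "1.0.4.76", "RS400": "1.5.1.80",
}
_BY_MODEL = {m.upper(): v for m, v in FIXED.items()}

def parse_version(text):
    """Split '1.3.3.142_HOTFIX' into ((1, 3, 3, 142), 'HOTFIX')."""
    # Assumption: a leading 'V' and anything after '_' are not part of the number.
    core, _, suffix = text.strip().lstrip("Vv").partition("_")
    if not re.fullmatch(r"\d+(\.\d+)+", core):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in core.split(".")), suffix.upper()

def assess(model, firmware):
    """Return 'not-listed', 'unparsed', 'update' or 'ok' for one router."""
    fixed = _BY_MODEL.get(model.strip().upper())
    if fixed is None:
        return "not-listed"          # model is not in the list above
    fixed_core, fixed_suffix = parse_version(fixed)
    try:
        core, suffix = parse_version(firmware)
    except ValueError:
        return "unparsed"            # needs a manual look at the device
    if core < fixed_core:            # tuple compare: 1.0.9 sorts below 1.0.11
        return "update"
    # Same numbers but the fix is a hotfix build: require the hotfix tag.
    if core == fixed_core and fixed_suffix == "HOTFIX" and suffix != "HOTFIX":
        return "update"
    return "ok"

# Constructed sample inventory: (owner, model, reported firmware).
INVENTORY = [
    ("alice", "R7000", "V1.0.11.116"),
    ("bob", "r7000", "1.0.11.128"),
    ("carol", "R7000P", "1.3.3.142"),
    ("dave", "R6700v3", "1.0.4.98"),
    ("erin", "R8500", "1.0.2.144"),
]

def report(inventory=INVENTORY):
    return {owner: assess(model, fw) for owner, model, fw in inventory}

if __name__ == "__main__":
    print(report())
```

A result of `not-listed` only means the model does not appear in the list on this page; check the Netgear advisory for the full set of affected products.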
 

Resources

Security Advisory by Netgear
https://kb.netgear.com/000064039/Security-Advisory-for-Remote-Code-Execution-on-Some-Routers-PSV-2021-0204

Blog Post By Grimm
https://blog.grimm-co.com/2021/09/mama-always-told-me-not-to-trust.html

NVD Entry
https://nvd.nist.gov/vuln/detail/CVE-2021-40847

CISA Advisory
https://us-cert.cisa.gov/ncas/current-activity/2021/09/21/netgear-releases-security-updates-rce-vulnerability
