Netgear recommends urgent firmware upgrades for impacted routers.
On September 20, Netgear informed its customers about CVE-2021-40847, a Remote Code Execution vulnerability impacting some of the routers in its product line. The company recommends firmware updates to remediate the problem. The issue is urgent because Netgear routers are ubiquitous and serve as critical network infrastructure in small and home offices.
Security researcher Grimm disclosed the vulnerability, which impacts many Netgear routers and allows for Remote Code Execution (RCE) as root. The attack targets Circle, a parental control tool.
According to the researcher, the Circle Update Daemon that is exploited is enabled by default, even though Circle itself is not. Because the update daemon is running, the router is vulnerable whether or not the end user enables or uses any of the Circle functionality.
To exploit this vulnerability, the researcher created a man-in-the-middle (MitM) server that is inserted between the network uplink and the router. The MitM server intercepts details about the router, then sends a crafted packet instructing the router to download malicious firmware updates. The firmware updates allowed the researcher to establish a root shell on the impacted router.
Netgear recommends updating the router firmware as soon as possible. Included below is a list of impacted router lines and the fixed firmware version. Please follow the instructions on the advisory, as firmware updates vary by device.
- R6400v2 fixed in firmware version 126.96.36.199
- R6700 fixed in firmware version 188.8.131.52
- R6700v3 fixed in firmware version 184.108.40.206
- R6900 fixed in firmware version 220.127.116.11
- R6900P fixed in firmware version 3.3.142_HOTFIX
- R7000 fixed in firmware version 18.104.22.168
- R7000P fixed in firmware version 22.214.171.124_HOTFIX
- R7850 fixed in firmware version 126.96.36.199
- R7900 fixed in firmware version 188.8.131.52
- R8000 fixed in firmware version 184.108.40.206
- RS400 fixed in firmware version 220.127.116.11
Depending on an environment's work-from-home status, it is important to work with remote workers to ensure their routers are not impacted by this vulnerability.
Security Advisory by Netgear
Blog Post By Grimm