UPDATE Modern NETGEAR Routers Hit by Command Injection Vulnerability
Do you own a modern NETGEAR broadband router (i.e. R6200, R6400, R6700, R7000, R7100LG, R7300, R7900 and R8000)? If so then we’ve got bad news because a major security flaw, which was first identified and notified to the manufacturer in August 2016, still hasn’t been completely fixed.
The vulnerability, which has been described as “trivial” for a hacker to exploit, stems from the fact that NETGEAR’s kit doesn’t do a very good job of filtering out remote commands that have been sent via the Internet or even via your own Local Area Network (LAN).
As a result the hacker can easily gain access and then full control of the router, which has all kinds of security and privacy implications for any traffic that goes over your network.
Netgear R7000, firmware version 1.0.7.2_1.1.93 and possibly earlier, R6400, firmware version 1.0.1.12_1.0.11 and possibly earlier, and R8000, firmware version 1.0.3.4_1.1.2 and possibly earlier, contain an arbitrary command injection vulnerability.
By convincing a user to visit a specially crafted web site, a remote, unauthenticated attacker may execute arbitrary commands with root privileges on affected routers. An unauthenticated, LAN-based attacker may do the same by issuing a direct request, e.g. by visiting:
http:///cgi-bin/;COMMAND
An exploit demonstrating these vulnerabilities has been publicly disclosed.
Netgear’s advisory confirms that the R6200, R6400, R6700, R7000, R7100LG, R7300, R7900, and R8000 are vulnerable, though affected firmware versions are not enumerated. The vendor has indicated that their advisory will be updated as firmware updates are released.
The new exploit doesn’t require any sort of authentication and can work even when the device’s remote management feature is not visible to the Internet. In essence all the hacker has to do is get you to visit a website and this then runs the code that opens you up to a world of hurt.
Happily a beta firmware update has been released that can fix the issue on most of NETGEAR’s router models, but this doesn’t yet include the slightly older D6220, D6400, R6900 or D7000 series.
Many of the affected routers from NETGEAR are quite modern, particularly the R8000 “Nighthawk” series that has received plenty of glowing reviews. Admittedly any router can suffer from security exploits, although it’s usually much more common for such issues to affect older models (e.g. those that are no longer being supported) than the very latest kit.
A temporary fix does exist for those models that haven’t yet been updated, but it requires a little bit of technical knowledge.
UPDATE 20th Dec 2016
NETGEAR has now released a patch for all of the relevant models.
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, Google+, Facebook and Linkedin.
« Haitong Research Warns Openreach “cannot be legally separated” from BT
Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message. By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.
Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.
NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.
NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.
Well at least they are fixing it, I don’t think they ever fixed the password bypass vulnerability or shell access vulnerabilities in their DG834 series (G,GT,N) of routers, when they were a current model which similarly only required a victim to visit a website to have the router hacked.
Rather neatly it was possible to remotely inject a shell script into the router NVR that would run every time they were rebooted, so I was tempted at the time to release a fix that didn’t require a firmware update.
Although the password bypass vulnerability in the Sky dg834gt version was fixed by updated Sky firmware, probably by chance as it didn’t need the setup feature.