Trustwave Find Multiple Vulnerabilities in NETGEAR Broadband Routers
Digital security specialist Trustwave has this evening detailed 5 recently discovered vulnerabilities in NETGEAR routers, which affects multiple models and this includes some of the more recent hardware (e.g. R/D8500). Time to patch your firmware.. again.
According to Trustwave’s SpiderLabs division, the vulnerabilities range from exploits that would allow an attacker to access administrative credentials (i.e. by manipulating a password recovery feature) to reading any file or executing any command on the device.
The risk is significant and if you own any of the following routers or broadband modem routers then it’s time to update the firmware. NETGEAR has already corrected the flaws ahead of this publication.
Advertisement
List of NETGEAR Routers At Risk
DGN2200v4
R6100
R6220
R6250
R6300v2
R6400
R6400v2
R6700
R6900
R6900P
R7000
R7000P
R7100LG
R7300DST
R7500
R7500v2
R7800
D7800
R7900
R8000
R8300
R8500
D8500
WNDR3400v3
WNDR4500v2
EX6200v2
Unfortunately this isn’t NETGEAR’s first rodeo and they, like many other manufacturers, have had to deal with quite a lot of problems over the past few years (examples here, here and here). As for the vulnerabilities themselves, they are as follows below.
The Five Vulnerabilities
TWSL2018-002: Password Recovery and File Access
Some routers allow arbitrary file reading from the device provided that the path to file is known. Total of 17 products are affected.
TWSL2018-003: Finding 1: Post-Authentication Command Injection
This one affects six products and reflects a root level OS command execution via the device_name parameter on the lan.cgi page, although the attack requires authentication.
TWSL2018-003: Finding 2: Authentication Bypass
This also affects large set of products (17) and is trivial to exploit. Authentication is bypassed if “&genie=1” is found within the query string.
TWSL2018-003: Chained Attack: Command Injection
This is a three-stage attack leveraging three separate issues: CSRF token recovery vulnerability and the two findings in TWSL2018-003. As a result, any user connected to the router can run OS commands as root on the device without providing any credentials.
TWSL2018-004: Command Injection Vulnerability on D7000, EX6200v2 and Some Routers
Only 6 products are affected, this allows to run OS commands as root during short time window when WPS is activated.
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook, BlueSky, Threads.net and Linkedin.
« Q3 2017 Take-up Progress of the BDUK Superfast Broadband Rollout
Comments are closed