NETGEAR Broadband Routers Exposed to New Security Bug

A large number of NETGEARs broadband and WiFi routers have been left vulnerable to a new Remote Code Execution (RCE) exploit, which works by allowing a hacker to manipulate the update process for each device’s Circle Smart Parental Control Service in order to gain control of the router.

The parental control service itself is NOT enabled by default on the company’s routers, but this doesn’t mean that owners who don’t use it are safe because the Circle update daemon itself is enabled by default. This daemon connects to Circle and Netgear to obtain updates for its filtering database, but NETGEAR sends those updates out as unsigned and via an unencrypted HTTP transfer.

In this case, a Man in the Middle (MitM) style attack was developed that can respond to circled update requests with a specially-crafted, compressed database file, the extraction of which gives the attacker the ability to overwrite executable files with attacker-controlled code (i.e. they can gain root access to the router).

A Proof of Concept (PoC) attack for this was developed for and tested against the Netgear R7000 router by GRIMM, but the issue also impacts other models including the R6400v2, R6700, R6700v3, R6900, R6900P, R7000P, R7850, R7900, R8000 and RS400. However, an attacker would need to be connected to a network with one of these routers installed, either locally or via a remote connection, in order to carry out the hack.

The good news is that NETGEAR have already released a new firmware patch for the affected models (Credits to Steve for spotting this), while GRIMM recommends the provisioning and use of Virtual Private Network (VPN) clients for those who can’t yet patch (these should be configured to handle all traffic to ensure that an attacker cannot read or modify network traffic in a way that cannot be detected by the VPN endpoints).