Easily Exploited Netgear Router Flaw Discovered

Megalith

This affects the R6400, R7000, R8000, and possibly other models. The vulnerability can be exploited remotely and would grant an attacker full access to the router. Netgear was supposedly contacted about this four months ago, but the latest firmware does not fix the issue.

At least two Netgear routers, the R6400 and R7000, are vulnerable to a command injection flaw that is easy to exploit and could lead to the total takeover of the routers. …vulnerable routers can be infected by loading a malicious web page or advertisement. The technique, abusing an HTML IMG tag to issue a command to the router, has been seen many times before. …The flaw allows for many commands and total takeover of the router.
 
Sweet, maybe millions of Netgear routers will turn into DDOS and spam bots, then ISPs will finally start kicking infected or highly vulnerable hardware off the internet.
 
"a command injection flaw that is easy to exploit and could lead to the total takeover of the routers." yes yes and.........
 
Nice work Netgear. Plus side, all these (I think) also run Kong's DD-WRT builds, so even though they're not quite as dumbed down, they also aren't vulnerable to this.
 
Have this router. Woo! It's been a great router, but like all things wifi it's bound to let me down someday.
 
Let's see how long it takes em to fix this...4 months and counting Netgear...hurry the eff up
 
Nice work Netgear. Plus side, all these (I think) also run Kong's DD-WRT builds, so even though they're not quite as dumbed down, they also aren't vulnerable to this.

Correct.

Drop-down has all sorts of models, including the affected ones.
 
I run Asus Merlin firmware on my R7000; reasons like this are why I would never run stock Netgear firmware!
 
Well, I own an older N3700 or something router and I have the DDWRT firmware installed on it. So, no worries here at least.
 
They were informed 4 months ago and didn't do crap. Guess only way to get them to fix it is to release the vulnerability into the wild.
 
They were informed 4 months ago and didn't do crap. Guess only way to get them to fix it is to release the vulnerability into the wild.

It really bugs me when I see this, and it keeps happening more often it seems.
 
Thus the reason I made my own router using a low end PC and pfsense. Off the shelf router companies don't care about security. They care about cost and features. That's about it. The WPS flaw is FAR more of a security hole than this, and the router manufacturers haven't done squat about that.
 
Nice work Netgear. Plus side, all these (I think) also run Kong's DD-WRT builds, so even though they're not quite as dumbed down, they also aren't vulnerable to this.

I just flashed mine to DD-WRT... perfect timing! :)

I will say my 802.11AC links are not as fast as the stock firmware.
 
If any router I own has support for OpenWRT, I switch them to it. I don't own any Netgear routers though, but if I did that'd be my choice. I have never liked the OEM firmware interfaces from the first time I've owned a consumer router.
 
I will have to check my router. If affected, I'm just gonna drop an EdgeRouter Lite in and piggyback the NetGear router off of it for guest wireless.
 
They were informed 4 months ago and didn't do crap. Guess only way to get them to fix it is to release the vulnerability into the wild.

I don't understand this thinking at all.

Company X has sold 1 million routers with a known flaw. Although all 1 million routers are vulnerable, perhaps as few as 1,000 will actually experience a problem. Of that 1000, perhaps as few as 100 will actually suffer any great inconvenience, anything more than simply replacing the router with one from a better company. Yet under this level of risk, you seem to think that increasing the risk substantially is a proper course of action over a $45 dollar piece of gear?

Now I know my numbers were just pulled out of my ass, but so what; multiply them by ten, is it really any different?
 
I don't understand this thinking at all.

Company X has sold 1 million routers with a known flaw. Although all 1 million routers are vulnerable, perhaps as few as 1,000 will actually experience a problem. Of that 1000, perhaps as few as 100 will actually suffer any great inconvenience, anything more than simply replacing the router with one from a better company. Yet under this level of risk, you seem to think that increasing the risk substantially is a proper course of action over a $45 dollar piece of gear?

Now I know my numbers were just pulled out of my ass, but so what; multiply them by ten, is it really any different?

Or someone could use shodan and then write a script to target all 1m+ affected devices.. Also, my router which was vulnerable to this exploit cost around $200, not $45.
 
I don't understand this thinking at all.

Company X has sold 1 million routers with a known flaw. Although all 1 million routers are vulnerable, perhaps as few as 1,000 will actually experience a problem. Of that 1000, perhaps as few as 100 will actually suffer any great inconvenience, anything more than simply replacing the router with one from a better company. Yet under this level of risk, you seem to think that increasing the risk substantially is a proper course of action over a $45 dollar piece of gear?

Now I know my numbers were just pulled out of my ass, but so what; multiply them by ten, is it really any different?

Actually my routers is $200 and is designed for a higher level of home owner. I would have expected them to work with the person who found the flaw and work towards closing the hole without anyone knowing. Instead, they more than likely just sat on it and didn't plan to do anything with it.

So you could have had an open risk forever or have a higher level of risk for a short amount of time, while they get rid of the risk altogether.

I'm guessing you'd much rather always have that risk and not have it closed then. Is that your thinking?
 
Sweet, maybe millions of Netgear routers will turn into DDOS and spam bots, then ISPs will finally start kicking infected or highly vulnerable hardware off the internet.
We all should be monitored. ISPs need to be a police force, eh?

I think there is a better somewhat less draconian approach and that is re-implementing the class action lawsuit and breathing some life back into product liability.
 
Instead, they more than likely just sat on it and didn't plan to do anything with it.........................................

And they couldn't be looking at those routers and saying to themselves that they are yesterday's technology, already surpassed by what you paid $200 for, and they intend to replace in their product line for $75?

Why does anyone think that if this company doesn't see a good reason to "fix" an existing product, releasing a vulnerability (which exists whether widely known or not) will somehow force the company to do so?

They are not going to fix something that isn't still being sold or is soon to be replaced. That's just throwing money away. If they did anything at all, they might offer owners of the old routers a discount on the new ones.


So you could have had an open risk forever or have a higher level of risk for a short amount of time, while they get rid of the risk altogether.

This is stupid thinking. The only thing this will accomplish is increasing the risk for the owners of the products and that is it. It will not compel the company to close the risk.
 
And they couldn't be looking at those routers and saying to themselves that they are yesterday's technology, already surpassed by what you paid $200 for, and they intend to replace in their product line for $75?

Why does anyone think that if this company doesn't see a good reason to "fix" an existing product, releasing a vulnerability (which exists whether widely known or not) will somehow force the company to do so?

They are not going to fix something that isn't still being sold or is soon to be replaced. That's just throwing money away. If they did anything at all, they might offer owners of the old routers a discount on the new ones.

This is stupid thinking. The only thing this will accomplish is increasing the risk for the owners of the products and that is it. It will not compel the company to close the risk.

Netgear is a networking company selling the ideas of security and ease of use to people. If they let current products (which these are) go unpatched because they will soon have replacement, this would greatly damage their reputation. These aren't decade old products that now have flaws, these are high volume sellers in the current line up.
 
Netgear is a networking company selling the ideas of security and ease of use to people. If they let current products (which these are) go unpatched because they will soon have replacement, this would greatly damage their reputation. These aren't decade old products that now have flaws, these are high volume sellers in the current line up.

Exactly. The R7000 is still selling at $200, the R8000 is still selling for $275. They are actively being sold at all the big box stores. Icpiper's train of thought is akin to Apple telling people to go buy an iPhone SE because a customer's iPhone 5s iCloud lock can be bypassed (they don't sell the 5S anymore but it's almost identical to the SE).
 
Netgear is a networking company selling the ideas of security and ease of use to people. If they let current products (which these are) go unpatched because they will soon have replacement, this would greatly damage their reputation. These aren't decade old products that now have flaws, these are high volume sellers in the current line up.

I just want to point out one thing at the moment but I will continue reading up on this.

Documentation on the flaw, so far, has been poor. Most importantly, it's not clear, to me at least, whether the vulnerability can be exploited remotely, from the LAN side of the router or both.

EDITED: Well, it seems the author doesn't know enough about this stuff although he did know to link to cert.org on it.

By convincing a user to visit a specially crafted web site, a remote, unauthenticated attacker may execute arbitrary commands with root privileges on affected routers. An unauthenticated, LAN-based attacker may do the same by issuing a direct request, e.g. by visiting:

http://<router_IP>/cgi-bin/;COMMAND

An exploit demonstrating these vulnerabilities has been publicly disclosed.
https://www.kb.cert.org/vuls/id/582384

From what I am seeing, for this vulnerability to be taken advantage of, either a LAN side user can manually enter (inject) command code, or a LAN side user must access a website that exploits the vulnerability or perhaps some other form or redirection could send a user to a site that exploits the vulnerability.

Still, the Cert says the best fix is to stop using these routers until there is a fix.

Here are the dates related to this vulnerability:
Other Information
  • CVE IDs: Unknown
  • Date Public: 07 Dec 2016
  • Date First Published: 09 Dec 2016
  • Date Last Updated: 14 Dec 2016

This story was first published on the 10th, 3 days after it was officially made public, and the story was last updated on the 13th, and this cert page was last updated on the 14th, today.

This page says that the Cert notified NetGear on the 9th, the same date that the cert posted this vulnerability page.

The Vulnerability ID is VU#582384


I just went to NetGear's support site and checked the latest firmware and found a Beta version:
http://kb.netgear.com/000036454/R6400-Firmware-Version-1-0-1-18-Beta

The documentation says:

Bug Fixes:

  • Fixed the security issue about Security Advisory VU 582384.


Go update your firmware if this is a problem.
 
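As an added defensive example (not code from the thread, CERT or Netgear): a log-scanning check for requests of the `http://<router_IP>/cgi-bin/;COMMAND` shape quoted above, run over constructed web-server access-log lines. It flags any `;` under `/cgi-bin/` (slightly broader than the exact CERT pattern), percent-decodes the path so `%3B` is caught too, and uses the Referer to separate direct LAN-side requests from the browser-driven IMG-tag route. The router address 192.168.1.1, the client addresses and the referring hostname are made up.

```python
import re
from typing import Optional
from urllib.parse import unquote, urlparse

# Combined log format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed address of the router's own admin UI; referers from here are not drive-bys.
ROUTER_HOSTS = {"192.168.1.1"}

# Constructed sample lines: a legitimate admin request, a direct LAN-side request
# of the /cgi-bin/;COMMAND shape, and a percent-encoded one whose referer is a
# third-party page (the IMG-tag drive-by route described in the thread).
SAMPLE_LOG = """\
192.168.1.10 - - [09/Dec/2016:10:01:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "http://192.168.1.1/" "Mozilla/5.0"
192.168.1.23 - - [09/Dec/2016:10:02:15 +0000] "GET /cgi-bin/;COMMAND HTTP/1.1" 200 0 "-" "curl/7.50"
192.168.1.42 - - [09/Dec/2016:10:03:44 +0000] "GET /cgi-bin/%3BCOMMAND%20arg HTTP/1.1" 200 0 "http://ads.example.invalid/page.html" "Mozilla/5.0"
"""

def injected_segment(path: str) -> Optional[str]:
    """Return the text after the first ';' in a /cgi-bin/ path, or None if the
    path is not of the injection shape. The path is percent-decoded first so an
    encoded %3B does not slip past the check; any query string is ignored."""
    decoded = unquote(path.split("?", 1)[0])
    if not decoded.startswith("/cgi-bin/") or ";" not in decoded:
        return None
    return decoded.split(";", 1)[1]

def scan_access_log(text: str) -> list:
    """One finding per suspicious request: who sent it, what followed the ';',
    and whether the Referer points off the router (browser-driven drive-by)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        injected = injected_segment(m["path"])
        if injected is None:
            continue
        ref_host = urlparse(m["referer"]).hostname
        findings.append({
            "client": m["client"],
            "injected": injected,
            "via_external_page": ref_host is not None and ref_host not in ROUTER_HOSTS,
        })
    return findings
```

Running `scan_access_log(SAMPLE_LOG)` reports the second and third lines only; a Referer on a foreign host is the signal that a browser on the LAN was steered into making the request.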
This attack only applies to people who are actually using these devices as routers correct? I have several of these devices, but in every case I have a separate stand-alone router handing the internet connection, and the Netgear device is being used only as an access point. The Netgear configuration page is still accessible though, configured by me with a manual IP, so that I can change wireless settings when needed.
 
Like I said, if this affects you go download the new firmware from NetGear that fixes the problem.

We're pissing in each others' ears and the new firmware is out.
 
What's the point of buying a $200 router just to use it as a WAP?

Because they barely even sell dedicated WAPs anymore and when they do it's not like you get a discount for not having the router hardware inside. The vast majority of the cost for these devices is for the wireless functionality. I get a better router using PFsense on old hardware dug out of my closet.
 