Netgear users advised to stop using affected routers after severe flaw found

[kamrananvaar]

Anyone can exploit the flaw after the exploit code was published.

By Zack Whittaker for Zero Day | December 9, 2016 -- 19:11 GMT (03:11 GMT+08:00) | Topic: Security

Two leading Netgear routers are vulnerable to a severe security flaw.

(Image: Netgear)

An advisory posted on Friday in Carnegie Mellon University's public vulnerability database (CERT) said that Netgear's R7000 and R6400 routers, running current and recent firmware respectively, are vulnerable to an arbitrary command injection flaw.

If exploited, the vulnerability could let an unauthenticated attacker run commands with root privileges.

The code to exploit the vulnerability -- effectively just a URL -- has been released publicly, allowing anyone to carry out attacks.

An attacker would have to trick a user into visiting a website that contains the code, such as an invisible web frame, to exploit the flaw. Adding commands to the router's IP address can open up ports on the router, such as Telnet.

The advisory said that other router models may be vulnerable.

CERT advised users to "strongly consider discontinuing use" of the devices until a fix is made available.

It's not clear how many users are affected by the flaw. A Netgear spokesperson did not respond to a request for comment at the time of writing.

Router flaws are increasingly being exploited by attackers, who use vulnerabilities to launch large-scale distributed denial-of-service (DDoS) attacks to flood and overload networks with traffic.

Last week, almost a million users across Europe were thrown off the internet after criminals tried to hijack home routers as part of a coordinated cyber attack.

 

[Khanate]

Use pfSense for routing/networking and Access Points for Wireless.

 

[kamrananvaar]

Several models of Netgear routers are affected by a publicly disclosed vulnerability that could allow hackers to take them over.

An exploit for the vulnerability was published Friday by a researcher who uses the online handle Acew0rm. He claims that he reported the flaw to Netgear in August, but didn’t hear back.

The issue stems from improper input sanitization in a form in the router’s web-based management interface and allows the injection and execution of arbitrary shell commands on an affected device.

The U.S. CERT Coordination Center (CERT/CC) at Carnegie Mellon University rated the flaw as critical, assigning it a score of 9.3 out of 10 in the Common Vulnerability Scoring System (CVSS).


Netgear confirmed the vulnerability over the weekend and said that its R7000, R6400 and R8000 routers might be vulnerable. However, another researcher performed a test and reported that other routers from Netgear’s Nighthawk line are also affected. These include: R7000, R7000P, R7500, R7800, R8500 and R9000.

Users can check if their models are affected by accessing the following URL in a browser when connected to their local area network (LAN): http://[router_ip_address]/cgi-bin/;uname$IFS-a . If this shows any information other than a error or a blank page, the router is likely affected.

In some cases, replacing the IP address with www.routerlogin.net or www.routerlogin.com might also work, because Netgear routers resolve these domains names to their own local IP address.

Since the vulnerability can be exploited with an HTTP request that doesn’t require authentication, hackers can attack the affected routers using cross-site request forgery attacks (CSRF). This works even when the routers don’t have their management interfaces exposed to the Internet.

many steps that users can take to improve the security of their routers and make it less likely that they will get hacked.