Netgear router flaws exploitable with authentication ... like the default creds on Netgear's website
Don't just install the patch, change your router passwords too
Two arbitrary code execution vulnerabilities affecting a number of Netgear routers aimed at small businesses have been patched following research by Immersive Labs.
The vulns rely on authenticated access to affected devices so aren't an immediate threat. They do, however, allow someone with remote access to the router to pwn the device's underlying OS, threatening the security of data passing through the router.
Helpfully, Netgear itself publishes default login credentials for "most" of its products on its website. If you haven't been into your Netgear router's admin panel and changed these default creds, you're at increased risk.
"This kind of command injection also adds persistence which means even if the router is restarted or updated, the vulnerability can persist," said Immersive Labs in a blog post about its findings.
Affected router and Wi-Fi extender models, according to Netgear's own patch notes, are:
- D7800 fixed in firmware version 22.214.171.124
- EX2700 fixed in firmware version 126.96.36.199
- WN3000RPv2 fixed in firmware version 188.8.131.52
- WN3000RPv3 fixed in firmware version 184.108.40.206
- LBR1020 fixed in firmware version 220.127.116.11
- LBR20 fixed in firmware version 18.104.22.168
- R6700AX fixed in firmware version 22.214.171.124
- R7800 fixed in firmware version 126.96.36.199
- R8900 fixed in firmware version 188.8.131.52
- R9000 fixed in firmware version 184.108.40.206
- RAX10 fixed in firmware version 220.127.116.11
- RAX120v1 fixed in firmware version 18.104.22.168
- RAX120v2 fixed in firmware version 22.214.171.124
- RAX70 fixed in firmware version 126.96.36.199
- RAX78 fixed in firmware version 188.8.131.52
- XR450 fixed in firmware version 184.108.40.206
- XR500 fixed in firmware version 220.127.116.11
- XR700 fixed in firmware version 18.104.22.168
Immersive said it had found a third exploitable vuln disclosing the device's serial number, which is used in Netgear's password reset process as an authentication measure.
"Netgear strongly recommends that you download the latest firmware as soon as possible," said Immersive.
- Dang vaccines dented our bottom line in the connected home sector, says Netgear
- Microsoft warns of serious vulnerabilities in Netgear's DGN2200v1 router
- This Netgear SOHO switch has 15 – count 'em! – vulns, which means you need to upgrade the firmware... now
- Before you buy that managed Netgear switch, be aware you may need to create a cloud account to use its full UI
Immersive's Kev Breen, director of cyber threat research, said although these vulns rely on having a valid username and password combination for an affected device, that isn't an automatic reason for shrugging one's shoulders: "There is still a valid threat surface and whilst it remains in the realms of 'Hackers Could' it is always important when considering security vulnerabilities to look past the traditional exploit methods and put yourself in the shoes of an attacker. How could they abuse this?"
With Britain making moves to ban default admin credentials this kind of problem should decrease in future.
On the flip side, there are already millions of routers in use today which don't comply with these proposed new regulations – so these kinds of vulns will continue to persist for a few years yet. ®