A whopping 79 Netgear router models are vulnerable to a severe security flaw that can let hackers take over devices remotely.
The vulnerability was discovered independently by two security researchers: Adam Nichols from cyber-security firm GRIMM, and a security researcher going by the nickname of d4rkn3ss, working for Vietnamese internet service provider VNPT.
According to Nichols, the vulnerability impacts 758 different firmware versions that have been used on 79 Netgear routers across the years, with some firmware versions being first deployed on devices released as far back as 2007.
In a technical breakdown of the vulnerability, Nichols says the bug resides in the web server component that’s packed inside the vulnerable Netgear router firmware.
The web server is used to power the router’s built-in administration panel. The GRIMM security researcher says the server doesn’t properly validate user input, doesn’t use “stack cookies” (aka canaries) to protect its memory, and the server’s binary is not compiled as a Position-independent Executable (PIE), meaning ASLR (address space layout randomization) is never applied.
This lack of proper security protections opens the door for an attacker to craft malicious HTTP requests that can be used to take over the router.
In a proof-of-concept exploit published on GitHub, Nichols said he was able to “start the [router’s] telnet daemon as root listening on TCP port 8888 and not requiring a password to login.”
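The two build-time protections described above as missing (PIE and stack canaries) can be checked on any binary extracted from a firmware image. The sketch below is an added example, not code from Nichols' write-up or from Netgear; the function names and the sample ELF bytes are constructed for illustration, and the canary check is a string heuristic rather than a full symbol-table parse.

```python
import struct

ET_EXEC, ET_DYN = 2, 3  # e_type values from the ELF specification


def audit_elf(blob: bytes) -> dict:
    """Report whether an ELF image is PIE and references the stack protector."""
    if len(blob) < 18 or blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    # e_ident[EI_DATA] at offset 5: 1 = little-endian, 2 = big-endian.
    # Embedded targets are frequently big-endian, so honour the flag.
    if blob[5] not in (1, 2):
        raise ValueError("unknown ELF data encoding")
    endian = "<" if blob[5] == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", blob, 16)
    return {
        # ET_EXEC is linked at a fixed address, so ASLR cannot move the
        # main image; ET_DYN is position-independent.
        "pie": e_type == ET_DYN,
        # Binaries built with GCC's stack protector import this symbol.
        # Heuristic: a stripped, statically linked binary may not show it.
        "stack_canary": b"__stack_chk_fail" in blob,
    }


def make_sample(e_type: int, big_endian: bool, extra: bytes = b"") -> bytes:
    """Build a constructed ELF header prefix (e_ident + e_type) for testing."""
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1]) + bytes(9)
    fmt = (">" if big_endian else "<") + "H"
    return ident + struct.pack(fmt, e_type) + extra


if __name__ == "__main__":
    # Constructed samples: an unhardened big-endian executable and a
    # hardened little-endian one.
    weak = make_sample(ET_EXEC, big_endian=True)
    hard = make_sample(ET_DYN, big_endian=False, extra=b"\0__stack_chk_fail\0")
    print("unhardened:", audit_elf(weak))
    print("hardened:  ", audit_elf(hard))
```

To audit a real binary, pass the bytes of the extracted file to `audit_elf`; a result of `False` for both keys matches the condition the researcher describes.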
Patches expected later this month
Both security researchers said they reported the vulnerability to Netgear at the start of the year.
Due to the vulnerability’s broad impact and the huge amount of work needed to produce and test a patch for all devices, the router maker requested more time to fix these issues; however, this extension expired on Monday this week, June 15.
Both Nichols and d4rkn3ss (via the Zero-Day Initiative bug disclosure program) have now published reports detailing the vulnerability.
A Netgear spokesperson was not immediately available for comment, but in the ZDI bug disclosure, ZDI said that Netgear requested a second extension until the end of this month. However, not all routers are expected to receive patches, as some went end-of-life many years ago.
Below is the list of all 79 router models that Nichols said contain a vulnerable version of the web server. The list of vulnerable firmware versions for each router model is available here.
AC1450, D6220, D6300, D6400, D7000v2, D8500, DC112A, DGN2200, DGN2200v4, DGN2200M, DGND3700, EX3700, EX3800, EX3920, EX6000, EX6100, EX6120, EX6130, EX6150, EX6200, EX6920, EX7000, LG2200D, MBM621, MBR624GU, MBR1200, MBR1515, MBR1516, MBRN3000, MVBR1210C, R4500, R6200, R6200v2, R6250, R6300, R6300v2, R6400, R6400v2, R6700, R6700v3, R6900, R6900P, R7000, R7000P, R7100LG, R7300, R7850, R7900, R8000, R8300, R8500, RS400, WGR614v8, WGR614v9, WGR614v10, WGT624v4, WN2500RP, WN2500RPv2, WN3000RP, WN3100RP, WN3500RP, WNCE3001, WNDR3300, WNDR3300v2, WNDR3400, WNDR3400v2, WNDR3400v3, WNDR3700v3, WNDR4000, WNDR4500, WNDR4500v2, WNR834Bv2, WNR1000v3, WNR2000v2, WNR3500, WNR3500v2, WNR3500L, WNR3500Lv2, XR300