Two arbitrary code execution vulnerabilities affecting a number of Netgear routers aimed at small businesses have been patched following research by Immersive Labs.
The vulns rely on authenticated access to affected devices so aren’t an immediate threat. They do, however, allow someone with remote access to the router to pwn the device’s underlying OS, threatening the security of data passing through the router.
Helpfully, Netgear itself publishes default login credentials for “most” of its products on its website. If you haven’t been into your Netgear router’s admin panel and changed these default creds, you’re at increased risk.
“This kind of command injection also adds persistence which means even if the router is restarted or updated, the vulnerability can persist,” said Immersive Labs in a blog post about its findings.
Affected router and Wi-Fi extender models, according to Netgear’s own patch notes, are:
- D7800 fixed in firmware version 188.8.131.52
- EX2700 fixed in firmware version 184.108.40.206
- WN3000RPv2 fixed in firmware version 220.127.116.11
- WN3000RPv3 fixed in firmware version 18.104.22.168
- LBR1020 fixed in firmware version 22.214.171.124
- LBR20 fixed in firmware version 126.96.36.199
- R6700AX fixed in firmware version 188.8.131.52
- R7800 fixed in firmware version 184.108.40.206
- R8900 fixed in firmware version 220.127.116.11
- R9000 fixed in firmware version 18.104.22.168
- RAX10 fixed in firmware version 22.214.171.124
- RAX120v1 fixed in firmware version 126.96.36.199
- RAX120v2 fixed in firmware version 188.8.131.52
- RAX70 fixed in firmware version 184.108.40.206
- RAX78 fixed in firmware version 220.127.116.11
- XR450 fixed in firmware version 18.104.22.168
- XR500 fixed in firmware version 22.214.171.124
- XR700 fixed in firmware version 126.96.36.199
Immersive said it had found a third exploitable vuln disclosing the device’s serial number, which is used in Netgear’s password reset process as an authentication measure.
“Netgear strongly recommends that you download the latest firmware as soon as possible,” said Immersive.
Immersive’s Kev Breen, director of cyber threat research, said although these vulns rely on having a valid username and password combination for an affected device, that isn’t an automatic reason for shrugging one’s shoulders: “There is still a valid threat surface and whilst it remains in the realms of ‘Hackers Could’ it is always important when considering security vulnerabilities to look past the traditional exploit methods and put yourself in the shoes of an attacker. How could they abuse this?”
With Britain making moves to ban default admin credentials, this kind of problem should decrease in future.
On the flip side, there are already millions of routers in use today which don’t comply with these proposed new regulations – so these kinds of vulns will continue to persist for a few years yet. ®