Netgear has begun pushing out beta versions of firmware updates that will address a critical vulnerability that was disclosed late last week.
The networking vendor also confirmed that many more routers in its Nighthawk line are vulnerable than originally reported. The flaw allows attackers to carry out command injection attacks, and are reportedly trivial to exploit.
“While we are working on the production version of the firmware, we are providing a beta version of this firmware release. This beta firmware has not been fully tested and might not work for all users,” Netgear said an advisory updated today. “NETGEAR is offering this beta firmware release as a temporary solution, but NETGEAR strongly recommends that all users download the production version of the firmware release as soon as it is available.”
A researcher who goes by the handle of AceW0rm said he disclosed the vulnerability in August, and that the report was never acknowledged by Netgear, therefore he decided to go public on Friday.
“This is very trivial because the attacker does not even need a special tool or anything of that nature; all they need is a web browser,” AceW0rm told Threatpost. “An attack could be a full takeover of the router, and the attacker could do anything.”
In the original public disclosure, only two Nighthawk router versions were deemed vulnerable, but a researcher known as Kalypto Pink tested additional models and found a long list of vulnerable routers: the R6400; R7000; R7000P; R7500; R7800; R8000; R8500; and R9000.
Netgear, meanwhile, today posted a similar list of products it has tested and confirmed vulnerable: R6250; R6400; R6700; R7000; R7100LG; R7300; R7900; R8000. Beta firmware, Netgear said, is available for the R6250, R6400, R6700, R7000 and R8000 models.
“NETGEAR is continuing to review our entire portfolio for other routers that might be affected by this vulnerability,” the vendor said in its advisory. “If any other routers are affected by the same security vulnerability, we plan to release firmware to fix those as well.”
The DHS-sponsored CERT/CC at Carnegie Mellon University went to so far as to caution users to discontinue using the affected routers until updated firmware was made available.
“A fix would be very easy and would likely only be a line or two of code,” AceW0rm said.
CERT, meanwhile, has updated its advisory, and spelled out that the routers are affected by two other vulnerabilities in addition to command injection, including cross-site request forgery, and missing authentication mechanisms.
“By convincing a user to visit a specially crafted web site, a remote unauthenticated attacker may execute arbitrary commands with root privileges on affected routers,” CERT said. The organization also recommended two mitigations in addition to discontinuing use of the vulnerable devices. One was to disable the router’s web server with the following command: http://<router_IP>/cgi-bin/;killall$IFS’httpd‘ This will also shut down the router’s administration interface until the device is restarted, CERT said.
Another option would be to disable remote administration, which is the avenue by which the available exploit works.
“Enabling remote administration allows affected routers to be exploited via direct requests from the WAN,” CERT said.
Netgear has links to all of its available beta firmware versions on its advisory page.