At least three versions—and likely more—of Netgear routers remain vulnerable to a vulnerability that allows an attacker to gain root access on the device and remotely run code.
A researcher who goes by the handle AceW0rm on Friday released details and a proof-of-concept exploit after months of silence from Netgear, which today confirmed the flaw and said it is investigating the report. The DHS-sponsored CERT at the Software Engineering Institute at Carnegie Mellon University said in an advisory the vulnerability is simple to exploit.
“Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available,” the advisory said. A request for comment from Netgear was not returned in time for publication.
AceW0rm said he privately disclosed the vulnerability to Netgear in August and decided to publish details last week. A request for further comments from the researcher was not returned in time for publication.
Netgear R8000, R7000, R6400 routers and possible other models, CERT said, are vulnerable. The routers are part of Netgear’s Nighthawk line of home routers. The R7000 routers running firmware version 126.96.36.199_1.1.93 and R6400 devices running firmware version 188.8.131.52_1.0.4 and possibly earlier are vulnerable to the same command injection attack, CERT said.
Meanwhile, a researcher known as Kalypto Pink conducted tests on additional Nighthawk models and found several more vulnerable. Below is Kalypto Pink’s comprehensive list:
- NetGear AC1750-Smart WiFi Router (Model R6400)
- NetGear AC1900-Nighthawk Smart WiFi Router (Model R7000)
- NetGear AC2300-Nighthawk Smart WiFi Router with MU-MIMO (Model R7000P)
- NetGear AC2350-Nighthawk X4 AC 2350 Dual Band WiFi Router (Model R7500)
- NetGear AC2600-Nighthawk X4S Smart WiFi Gaming Router (Model R7800)
- NetGear AC3200-Nighthawk AC3200 Tri-Band WiFi Router (Model R8000)
- NetGear AC5300-AC5300 Nighthawk X8 Tri-Band WiFi Router (Model R8500)
- NetGear AD7200-Nighthawk X10 Smart WiFi Router (R9000)
“By convincing a user to visit a specially crafted website, a remote unauthenticated attacker may execute arbitrary commands with root privileges on affected routers,” CERT said. “A LAN-based attacker may do the same by issuing a direct request, e.g. by visiting: http://<router_IP>/cgi-bin/;COMMAND.”
Users could also disable the router’s webserver temporarily by issuing the command: http://<router_IP>/cgi-bin/;killall$IFS’httpd‘. This, however, will leave the router’s management interface unreachable until the router is restarted.
Kalypto Pink has also published details on a process that can be used to determine if a particular router is vulnerable to attack.