UPDATE
Netgear will not patch 45 router models that are vulnerable to a high-severity remote code execution flaw, the router company revealed last week. However, the company says that routers that won’t receive updates are outdated or have reached EOL (End of Life).
The remote code execution vulnerability in question, disclosed June 15, allows network-adjacent attackers to execute code on vulnerable Netgear routers without authenticating. The high-severity flaw affects 79 Netgear Wi-Fi routers and home gateway models, but Netgear says that 45 of those models are outside of its “security support period.”
“Netgear has provided firmware updates with fixes for all supported products previously disclosed by ZDI and Grimm,” Netgear said in a press statement. “The remaining products included in the published list are outside of our support window. In this specific instance, the parameters were based on the last sale date of the product into the channel, which was set at three years or longer.”
A full list of the router models that won’t be patched – as well as those that have fixes being rolled out – is available on Netgear’s website.
“When we look at support windows, some of our products last five or six years, while others last only a few years,” David Henry, senior vice president of Connected Home products at Netgear, told Threatpost. “When we launch a product, as it gets old it goes into End of Life (EOL) and we stop building it and wind down [sales into the channel].”
For instance, one such modem router that won’t receive an update, the AC1450 series, dates back to 2009. Other router models, while newer, have reached EOL: the R6200 and R6200v2 wireless routers reached EOL in 2013 and 2016, respectively, while the Nighthawk R7300DST wireless router reached EOL in the first half of 2017, said Henry.
Regardless, Henry stressed that customers using both newer and older router models should stay current with security updates and adopt security best practices, including turning off features like remote access and changing the admin password (which he said Netgear enforces).
“I think it is really important that customers are paying attention to the updates we send out quarterly on our products,” said Henry.
The Flaw
According to the Zero Day Initiative (ZDI), which first disclosed the issue, the flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this flaw to execute code in the context of root, according to ZDI.
“Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines,” according to ZDI. “Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting.”
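The bug class ZDI describes above, a fixed-length stack buffer filled from attacker-controlled request data with no length check, is easy to see in miniature. The following is an added illustration written for this article; it is not Netgear’s httpd code, nor the ZDI advisory or the GRIMM proof of concept. The query-string parameter name, the 32-byte buffer, the frame layout (buffer, padding, saved frame pointer, saved return address) and the offsets are all assumptions chosen for the demonstration; the frame is modelled as a plain byte array so the overwrite can be observed without real undefined behaviour.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout of the handler's stack frame (illustrative, not Netgear's):
 *   bytes  0..31  fixed-length destination buffer (BUF_LEN)
 *   bytes 32..39  padding / saved frame pointer
 *   bytes 40..43  saved return address
 * Modelled as one byte array so the overflow stays inside a real object. */
#define BUF_LEN      32
#define FRAME_LEN    48
#define SAVED_RA_OFF 40
#define RA_MAGIC     0x40001234u   /* stand-in for the legitimate return address */

typedef struct { unsigned char frame[FRAME_LEN]; } frame_t;

static void frame_init(frame_t *f) {
    uint32_t ra = RA_MAGIC;
    memset(f->frame, 0, sizeof f->frame);
    memcpy(f->frame + SAVED_RA_OFF, &ra, sizeof ra);
}

static uint32_t frame_saved_ra(const frame_t *f) {
    uint32_t ra;
    memcpy(&ra, f->frame + SAVED_RA_OFF, sizeof ra);
    return ra;
}

/* Locate "name=value" in a query string such as "a=1&name=value".
 * Returns a pointer to the value and its length, or NULL if absent. */
static const char *query_param(const char *q, const char *name, size_t *len) {
    size_t nlen = strlen(name);
    const char *p = q;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            *len = plen - nlen - 1;
            return p + nlen + 1;
        }
        if (!end) break;
        p = end + 1;
    }
    return NULL;
}

/* Vulnerable pattern: the value is copied into the 32-byte buffer with no
 * length check (the real-world equivalent of strcpy/sprintf into a stack
 * array). The only clamp here keeps the demo inside the simulated frame. */
static bool handle_vulnerable(frame_t *f, const char *query) {
    size_t n;
    const char *v = query_param(query, "name", &n);
    if (!v) return false;
    if (n >= FRAME_LEN) n = FRAME_LEN - 1;
    memcpy(f->frame, v, n);
    f->frame[n] = '\0';
    return true;
}

/* Hardened pattern: validate the length against the destination before the
 * copy and reject over-long input instead of truncating it silently. */
static bool handle_fixed(frame_t *f, const char *query) {
    size_t n;
    const char *v = query_param(query, "name", &n);
    if (!v) return false;
    if (n >= BUF_LEN) return false;        /* leave room for the terminator */
    memcpy(f->frame, v, n);
    f->frame[n] = '\0';
    return true;
}

/* Constructed attacker request: "a=1&name=" + 40 bytes of 'A' to reach the
 * saved return address slot + "BBBB" to land on it. Returns query length. */
static size_t build_attack_query(char *out, size_t outsz) {
    static const char prefix[] = "a=1&name=";
    size_t plen = sizeof prefix - 1, need = plen + SAVED_RA_OFF + 4 + 1;
    if (outsz < need) return 0;
    memcpy(out, prefix, plen);
    memset(out + plen, 'A', SAVED_RA_OFF);
    memcpy(out + plen + SAVED_RA_OFF, "BBBB", 5);
    return need - 1;
}

uint32_t demo_vulnerable_ra(void) {         /* expect 0x42424242 ("BBBB") */
    char q[128]; frame_t f;
    build_attack_query(q, sizeof q);
    frame_init(&f);
    handle_vulnerable(&f, q);
    return frame_saved_ra(&f);
}

uint32_t demo_fixed_ra(void) {              /* expect RA_MAGIC, untouched */
    char q[128]; frame_t f;
    build_attack_query(q, sizeof q);
    frame_init(&f);
    handle_fixed(&f, q);
    return frame_saved_ra(&f);
}

bool demo_fixed_accepts_short(void) {       /* benign input still works */
    frame_t f; frame_init(&f);
    return handle_fixed(&f, "id=7&name=nighthawk") &&
           strcmp((const char *)f.frame, "nighthawk") == 0;
}

int main(void) {
    printf("vulnerable: saved ra = 0x%08x\n", demo_vulnerable_ra());
    printf("fixed:      saved ra = 0x%08x\n", demo_fixed_ra());
    printf("fixed accepts short value: %s\n", demo_fixed_accepts_short() ? "yes" : "no");
    return 0;
}
```

On a real device the overwritten slot is the function’s return address, so returning from the handler transfers control to an attacker-chosen address with the privileges of the httpd process, which on these routers is root. The fix is the length check before the copy; ZDI’s firewalling advice only limits who can reach the service, it does not remove the bug.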
The flaw was reported to Netgear on Jan. 8, 2020, and on June 15, 2020 the security advisory for the flaw was publicly released without a patch available. Additionally, a PoC exploit was published by the GRIMM blog on June 15.
Netgear has rolled out patches for 34 of the vulnerable models since the flaw was disclosed. That includes releasing “security hotfixes” for the models, which are fixes that are applied on top of existing, fully tested firmware.
“Releasing hotfixes allows Netgear to quickly update existing products and streamline the firmware verification process without going through full regression testing,” according to Netgear. “These hotfixes are targeted at specific security issues and should have minimal effect on other areas of the product’s code.”
Patch Timeline Backlash
Several security experts are criticizing Netgear for its patching policies and procedures. Brian Gorenc, senior director of vulnerability research and head of Trend Micro’s Zero Day Initiative (ZDI) program, told Threatpost that the vulnerabilities disclosed represent some of the most severe bug categories available.
“Unfortunately, there are too many examples of vendors abandoning devices that are still in wide use – sometimes even when they are still available to purchase,” Gorenc told Threatpost. “Maybe we need to recommend manufacturers who support their products for longer – especially in our digitally connected lives. If we reward good communications and long-term support from vendors, maybe this abandonment problem will get better.”
Zach Varnell, senior AppSec consultant at nVisium, said that the disclosure on this vulnerability “appears to be more than generous since the researcher followed responsible disclosure practices and even gave an extension when asked for it.”
“It’s unfortunate for anyone who owns one of those routers but that’s the reality of product lifecycles,” said Varnell. “Basically everything – including software, toys, cars, electronics, appliances – will reach an age where their manufacturer will no longer support them. The duration of support varies widely and software tends to be on the shorter side since new development is done much more rapidly than hardware.”
“Consumers should always ensure their devices are still supported by manufacturers and check the available support before purchasing a new device,” said Gorenc.
Vulnerabilities in routers have been discovered several times over the past year. In March, Netgear warned users of a critical remote code execution bug that could allow an unauthenticated attacker to take control of its Wireless AC Router Nighthawk (R7800) hardware running firmware versions prior to 1.0.2.68. In July, a pair of flaws in ASUS routers for the home were uncovered that could allow an attacker to compromise the devices – and eavesdrop on all of the traffic and data that flows through them.
This article was updated on Aug. 4 at 11:30 am ET with further comments from Netgear.