70+ Netgear Routers at Risk Due to New Zero-Day
A new zero-day vulnerability has been found in 79 Netgear router models that allows an attacker to gain full remote control over the affected device. It was discovered simultaneously and independently by Adam Nichols of the cybersecurity firm Grimm and by d4rkn3ss of Vietnam’s VNPT ISC, and it lies in the HTTPD daemon used to manage the router.
According to reports released by Mr. Nichols, the HTTPD daemon does not adequately check the length of user-supplied data, so an attacker can cause a buffer overflow when that data is copied into a fixed-length variable. This flaw lets an attacker craft a string that executes commands on the router without first authenticating. Stack cookies would typically prevent exploitation of this vulnerability, and they are widely used throughout the industry, but according to Mr. Nichols they are not utilized properly in many of Netgear’s routers. In a proof of concept, Mr. Nichols configured the telnet daemon on a vulnerable router to listen on port 8888 without requiring a password.
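As an added illustration of the flaw class described above (this is not Netgear's code; the FIELD_MAX buffer size and the field-copy functions are assumed), the unchecked copy pattern is shown beside a bounds-checked version:

```c
#include <stdio.h>
#include <string.h>

/* Illustrative stand-in for the flaw class described above, not Netgear's
 * httpd source. FIELD_MAX is an assumed buffer size. */
#define FIELD_MAX 32

/* Vulnerable pattern: user data goes into a fixed-length buffer with no
 * length check; a value of FIELD_MAX bytes or more writes past dst. */
void copy_field_unchecked(char dst[FIELD_MAX], const char *src)
{
    strcpy(dst, src);  /* unbounded copy: this is the overflow */
}

/* Hardened pattern: verify the input fits before copying and always leave
 * dst NUL-terminated. Returns 0 on success, -1 if the input is rejected. */
int copy_field_checked(char dst[FIELD_MAX], const char *src)
{
    /* memchr scans at most FIELD_MAX bytes and stops at the first NUL */
    const char *nul = memchr(src, '\0', FIELD_MAX);
    if (nul == NULL) {
        dst[0] = '\0';
        return -1;  /* too long: refuse rather than truncate silently */
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);  /* +1 copies the terminator */
    return 0;
}

/* Self-checks on constructed inputs; each returns 1 on the expected outcome. */
int checked_accepts_short(void)
{
    char dst[FIELD_MAX];
    return copy_field_checked(dst, "admin") == 0 && strcmp(dst, "admin") == 0;
}

int checked_rejects_overlong(void)
{
    char dst[FIELD_MAX];
    char big[FIELD_MAX * 2];
    memset(big, 'A', sizeof big - 1);  /* 63 'A's, far longer than FIELD_MAX */
    big[sizeof big - 1] = '\0';
    return copy_field_checked(dst, big) == -1 && dst[0] == '\0';
}

int main(void)
{
    printf("short accepted: %d, overlong rejected: %d\n",
           checked_accepts_short(), checked_rejects_overlong());
    return 0;
}
```

Building with `-fstack-protector-strong` adds the stack cookie the article refers to as a second layer, so that even an unchecked copy aborts the process rather than handing over control.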
Typically, the HTTPD daemon is accessible only from the local area network, but router administrators can expose it to the wider Internet. Even when it is not reachable from the Internet, attackers can set up spoofed websites containing malicious JavaScript that performs a ‘DNS rebinding’ attack to reach the daemon on the internal network and execute commands remotely. In short, once an attacker gains control of a vulnerable router, they can use it to launch attacks on internal computers on the local network, or configure port forwarding on the router so that devices on the internal network are exposed to the Internet.
The vulnerability was originally reported to Netgear in January 2020; it is unknown whether it has since been patched or whether remediation is possible. According to Mr. Nichols, 79 Netgear router models and 758 firmware images contain the vulnerable HTTPD daemon. A full list of the 79 affected models appears below; the full list of the 758 affected firmware images, along with Nichols’ proof of concept, can be found here.
Affected Router Models:
AC1450 | MBR1516 | WGR614v9 |
D6220 | MBRN3000 | WGR614v10 |
D6300 | MVBR1210C | WGT624v4 |
D6400 | R4500 | WN2500RP |
D7000v2 | R6200 | WN2500RPv2 |
D8500 | R6200v2 | WN3000RP |
DC112A | R6250 | WN3100RP |
DGN2200 | R6300 | WN3500RP |
DGN2200v4 | R6300v2 | WNCE3001 |
DGN2200M | R6400 | WNDR3300 |
DGND3700 | R6400v2 | WNDR3300v2 |
EX3700 | R6700 | WNDR3400 |
EX3800 | R6700v3 | WNDR3400v2 |
EX3920 | R6900 | WNDR3400v3 |
EX6000 | R6900P | WNDR3700v3 |
EX6100 | R7000 | WNDR4000 |
EX6120 | R7000P | WNDR4500 |
EX6130 | R7100LG | WNDR4500v2 |
EX6150 | R7300 | WNR834Bv2 |
EX6200 | R7850 | WNR1000v3 |
EX6920 | R7900 | WNR2000v2 |
EX7000 | R8000 | WNR3500 |
LG2200D | R8300 | WNR3500v2 |
MBM621 | R8500 | WNR3500L |
MBR624GU | RS400 | WNR3500Lv2 |
MBR1200 | WGR614v8 | XR300 |
MBR1515 |
Sources: