Living on a prayer? Netgear not quite halfway there with patches for 28 out of 79 vulnerable router models

Netgear has now patched 28 out of 79 vulnerable router models, six months after infosec researchers first noticed security problems potentially allowing an attacker to remotely execute code as root.

The latest hotfixes come after two models were fixed earlier in June. The vulnerability in question could, for example, allow the opening of a superuser-level telnet backdoor, as we reported at the time.

Over the past few weeks Netgear has been pushing out fixes, having so far plugged the hole in 28 of the 79 models it says are affected by the remote root-execution flaw.

The vulnerabilities, initially discovered by Trend Micro’s Zero Day Initiative (ZDI) in January, were meant to have been patched by 15 June. Netgear asked for an extension at the end of May for a further month, prompting the ZDI to publish an advisory note.

An infosec outfit called Grimm followed that up by releasing working exploit code for two of the unfixed vulns, which stung Netgear into patching two devices early on.

“Multiple Netgear devices contain a stack buffer overflow in the httpd web server’s handling of upgrade_check.cgi, which may allow for unauthenticated remote code execution with root privileges,” said America’s Carnegie Mellon University in a note from its Software Engineering Institute summarising the problem.
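To make the bug class in that note concrete, here is an added illustration in C of a minimal CGI-style parameter handler with an unchecked copy into a fixed-size stack buffer, beside a bounded version that rejects oversized input instead of truncating it. This is constructed example code for this page, not Netgear firmware and not the actual code path in upgrade_check.cgi (the advisory does not publish its internals); the parameter name `version`, the 32-byte buffer and the sample query strings are all assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Assumed buffer size for the firmware-version field; purely illustrative. */
#define VERSION_MAX 32

/* Locate the value for `key` in a query string like "a=1&b=2".
 * Returns a pointer to the first byte of the value (NOT NUL-terminated) and
 * stores its length in *len, or returns NULL if the key is absent. Only
 * positions at the start of a parameter are considered, so "xversion=" does
 * not match "version". */
static const char *find_value(const char *query, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');
        if (p)
            p++;
    }
    return NULL;
}

/* VULNERABLE PATTERN (do not use): the attacker-controlled value is copied
 * into a 32-byte stack buffer with no length check. A value of 32 bytes or
 * more writes past `version` into the saved frame pointer and return address,
 * which is the stack buffer overflow class the CERT note describes.
 * Never call this with untrusted input; it is shown only for contrast. */
static int unchecked_handler(const char *query)
{
    char version[VERSION_MAX];
    size_t len;
    const char *v = find_value(query, "version", &len);
    if (!v)
        return -1;
    memcpy(version, v, len);      /* no bounds check: overflow if len >= 32 */
    version[len] = '\0';
    return (int)len;
}

/* HARDENED PATTERN: the caller's buffer size is passed in and enforced before
 * any byte is copied. Oversized input is rejected outright (-2) rather than
 * silently truncated, so a malformed request cannot corrupt the stack and the
 * caller can log it as a probable attack. Returns the value length on success,
 * -1 if the parameter is missing. */
int checked_handler(const char *query, char *out, size_t outlen)
{
    size_t len;
    const char *v = find_value(query, "version", &len);
    if (!v)
        return -1;
    if (len >= outlen)           /* need room for the terminating NUL */
        return -2;
    memcpy(out, v, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed sample requests; the oversized one would crash or hijack
     * control flow in unchecked_handler, so only checked_handler sees it. */
    char buf[VERSION_MAX];
    int rc;

    rc = checked_handler("version=1.2.3&mode=check", buf, sizeof buf);
    printf("benign request: rc=%d value=%s\n", rc, buf);

    rc = unchecked_handler("version=1.2.3&mode=check");
    printf("unchecked handler on benign request: rc=%d\n", rc);

    rc = checked_handler("version=" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
                         "AAAAAAAAAA", buf, sizeof buf);
    printf("40-byte value: rc=%d (rejected, buffer untouched)\n", rc);
    return 0;
}
```

The design point is that the bound lives in the handler's contract (`outlen`), not in a constant the copy loop hopes is large enough, and that rejection beats truncation: a truncated version string is still a wrong answer, while a rejected one is both safe and observable.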

Basically, an attacker could bypass authentication and do whatever they pleased with your router, such as installing malware to sniff out login creds. As ZDI’s Abdul-Aziz Hariri told us earlier this month: “In most scenarios, the attacker would be able to possibly upload a custom backdoor software and establish persistence or launch further attacks, like man-in-the-middle attacks.”

The latest batch of hotfixes is available on Netgear’s website, along with a health warning that full regression testing hasn’t been carried out on all the affected devices.

Translation: it shouldn’t cause problems, but your mileage may vary. This latest wording seems to omit the word “beta” that was in the first version of the Netgear advisory as reported by El Reg on 19 June, potentially suggesting greater confidence in the stability of the hotfixes.

“Netgear plans to release firmware updates that fix these vulnerabilities for all affected products that are within the security support period,” the company said on its knowledge base page. Whether or not your device is still supported, the firm suggests checking affected router models to ensure the built-in remote management feature (which exposes the web admin interface on the internet-facing side) is disabled. That is a mitigation rather than a fix: it removes the WAN-side exposure, but the vulnerable httpd still listens on the LAN side until a patched firmware is installed.

“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to update to the most recent firmware version and to replace end-of-life devices that are no longer supported with security patches,” said the US computer security agency in a note issued last night.

We have asked Netgear for detailed comment on the length of time it seems to be taking to issue hotfixes for all affected routers. ®