Netgear router flaws exploitable with authentication … like the default creds on Netgear’s website

Two arbitrary code execution vulnerabilities affecting a number of Netgear routers aimed at small businesses have been patched following research by Immersive Labs.

The vulns rely on authenticated access to affected devices so aren’t an immediate threat. They do, however, allow someone with remote access to the router to pwn the device’s underlying OS, threatening the security of data passing through the router.

Helpfully, Netgear itself publishes default login credentials for “most” of its products on its website. If you haven’t been into your Netgear router’s admin panel and changed these default creds, you’re at increased risk.

“This kind of command injection also adds persistence which means even if the router is restarted or updated, the vulnerability can persist,” said Immersive Labs in a blog post about its findings.

Affected router and Wi-Fi extender models, according to Netgear’s own patch notes, are:

  • D7800 fixed in firmware version 1.0.1.66
  • EX2700 fixed in firmware version 1.0.1.68
  • WN3000RPv2 fixed in firmware version 1.0.0.90
  • WN3000RPv3 fixed in firmware version 1.0.2.100
  • LBR1020 fixed in firmware version 2.6.5.20
  • LBR20 fixed in firmware version 2.6.5.32
  • R6700AX fixed in firmware version 1.0.10.110
  • R7800 fixed in firmware version 1.0.2.86
  • R8900 fixed in firmware version 1.0.5.38
  • R9000 fixed in firmware version 1.0.5.38
  • RAX10 fixed in firmware version 1.0.10.110
  • RAX120v1 fixed in firmware version 1.2.3.28
  • RAX120v2 fixed in firmware version 1.2.3.28
  • RAX70 fixed in firmware version 1.0.10.110
  • RAX78 fixed in firmware version 1.0.10.110
  • XR450 fixed in firmware version 2.3.2.130
  • XR500 fixed in firmware version 2.3.2.130
  • XR700 fixed in firmware version 1.0.1.46
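The list above can be checked against a device inventory. The following is an added example, not code from Netgear or Immersive Labs; the inventory hostnames and reported firmware strings are constructed, and stripping a leading "V" and a trailing "_suffix" from the reported version is an assumption about how the device displays it.

```python
import re

# Fixed firmware versions, copied from the list above (Netgear patch notes).
FIXED = {
    "D7800": "1.0.1.66", "EX2700": "1.0.1.68", "WN3000RPV2": "1.0.0.90",
    "WN3000RPV3": "1.0.2.100", "LBR1020": "2.6.5.20", "LBR20": "2.6.5.32",
    "R6700AX": "1.0.10.110", "R7800": "1.0.2.86", "R8900": "1.0.5.38",
    "R9000": "1.0.5.38", "RAX10": "1.0.10.110", "RAX120V1": "1.2.3.28",
    "RAX120V2": "1.2.3.28", "RAX70": "1.0.10.110", "RAX78": "1.0.10.110",
    "XR450": "2.3.2.130", "XR500": "2.3.2.130", "XR700": "1.0.1.46",
}

def parse_version(text):
    """'V1.0.2.86_1.0.1' or '1.0.2.86' -> (1, 0, 2, 86); prefix/suffix handling is an assumption."""
    core = text.strip().lstrip("Vv").split("_", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part) for part in core.split("."))

def status(model, installed):
    """Return 'patched', 'vulnerable', 'not-listed' or 'unknown-version'."""
    fixed = FIXED.get(model.strip().upper())
    if fixed is None:
        return "not-listed"  # not in this advisory; says nothing about other flaws
    try:
        have = parse_version(installed)
    except ValueError:
        return "unknown-version"
    # Tuples compare numerically, so 1.0.10.110 > 1.0.9.200 (a string compare gets this wrong).
    return "patched" if have >= parse_version(fixed) else "vulnerable"

# Constructed inventory for illustration: (hostname, model, reported firmware).
INVENTORY = [
    ("branch-gw-1", "R7800", "V1.0.2.84"),
    ("branch-gw-2", "RAX10", "1.0.9.200"),
    ("lobby-ext", "wn3000rpv3", "1.0.2.100"),
    ("lab-gw", "XR500", "V2.3.2.134_10.1.2"),
    ("home-office", "R7000", "1.0.11.100"),
    ("warehouse", "LBR20", "unknown"),
]

def audit(inventory):
    """Map each hostname to its patch status for this advisory."""
    return {host: status(model, fw) for host, model, fw in inventory}

if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(f"{host:12} {result}")
```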

Immersive said it had found a third exploitable vuln disclosing the device’s serial number, which is used in Netgear’s password reset process as an authentication measure.

“Netgear strongly recommends that you download the latest firmware as soon as possible,” said Immersive.

Immersive’s Kev Breen, director of cyber threat research, said although these vulns rely on having a valid username and password combination for an affected device, that isn’t an automatic reason for shrugging one’s shoulders: “There is still a valid threat surface and whilst it remains in the realms of ‘Hackers Could’ it is always important when considering security vulnerabilities to look past the traditional exploit methods and put yourself in the shoes of an attacker. How could they abuse this?”

With Britain making moves to ban default admin credentials, this kind of problem should decrease in future.

On the flip side, there are already millions of routers in use today which don’t comply with these proposed new regulations – so these kinds of vulns will continue to persist for a few years yet. ®
