Unpatched vulnerability identified in 79 Netgear router models

Bug lets attackers run code as "root" on vulnerable routers. Impacted routers go back to 2007.

netgear-r7000-router.jpg

ZDNet Recommends

Best security cameras for business in 2020: Google Nest, Ring, Arlo, and more

When deciding on a work safe security system. Whether for a large or small business, these 10 options for commercial properties will help secure your workplace.

Read More

A whopping 79 Netgear router models are vulnerable to a severe security flaw that can let hackers take over devices remotely.

The vulnerability has been discovered by two security researchers independently, namely Adam Nichols from cyber-security GRIMM and a security researcher going by the nickname of d4rkn3ss, working for Vietnamese internet service provider VNPT.

According to Nichols, the vulnerability impacts 758 different firmware versions that have been used on 79 Netgear routers across the years, with some firmware versions being first deployed on devices released as far back as 2007.

In a technical breakdown of the vulnerability, Nichols says the bug resides in the web server component that's packed inside the vulnerable Netgear router firmware.

The web server is used to power the router's built-in administration panel. The GRIMM security researcher says the server doesn't properly validate user input, doesn't use "stack cookies" (aka canaries) to protect its memory, and the server's binary is not compiled as a Position-independent Executable (PIE), meaning ASLR (address space layout randomization) is never applied.

This lack of proper security protections opens the door for an attacker to craft malicious HTTP requests that can be used to take over the router.

In a proof-of-concept exploit published on GitHub, Nichols said he was able to "start the [router's] telnet daemon as root listening on TCP port 8888 and not requiring a password to login."

Patches expected later this month

Both security researchers said they reported the vulnerability to Netgear at the start of the year.

Due to the vulnerability's broad impact and huge amount of work needed to produce and test a patch for all devices, the router maker requested more time to fix these issues; however, this extension expired on Monday this week, June 15.

Both Nichols and d4rkn3ss (via the Zero-Day Initiative bug disclosure program) have now published reports detailing the vulnerability.

A Netgear spokesperson told ZDNet that firmware updates for several router models have already been released, and new ones "are forth coming." However, not all routers are expected to receive patches, as some have already gone end-of-life many years before.

Below is the list of all 79 routers models that Nichols said contain a vulnerable version of the web server. The list of vulnerable firmware versions, per each router model, is available here.

AC1450
D6220
D6300
D6400
D7000v2
D8500
DC112A
DGN2200
DGN2200v4
DGN2200M
DGND3700
EX3700
EX3800
EX3920
EX6000
EX6100
EX6120
EX6130
EX6150
EX6200
EX6920
EX7000
LG2200D
MBM621
MBR624GU
MBR1200
MBR1515
MBR1516
MBRN3000
MVBR1210C
R4500
R6200
R6200v2
R6250
R6300
R6300v2
R6400
R6400v2
R6700
R6700v3
R6900
R6900P
R7000
R7000P
R7100LG
R7300
R7850
R7900
R8000
R8300
R8500
RS400
WGR614v8
WGR614v9
WGR614v10
WGT624v4
WN2500RP
WN2500RPv2
WN3000RP
WN3100RP
WN3500RP
WNCE3001
WNDR3300
WNDR3300v2
WNDR3400
WNDR3400v2
WNDR3400v3
WNDR3700v3
WNDR4000
WNDR4500
WNDR4500v2
WNR834Bv2
WNR1000v3
WNR2000v2
WNR3500
WNR3500v2
WNR3500L
WNR3500Lv2
XR300

Article updated on June 19, 16:20 ET, with statement from Netgear.