In-brief: A week after security experts at Carnegie Mellon’s CERT advised consumers about a serious security hole in home routers from the networking equipment maker NETGEAR, that firm has expanded the list of affected router models to 11, while offering official software patches for three of those models. Thousands of affected devices can be found online.
NETGEAR said on Friday that it has tested and released “production” software updates for three home router models that were found to contain a serious command injection software flaw that made them susceptible to remote hacking. A search of the Internet revealed more than 11,000 vulnerable devices.
The company released updated software for its R6400, R7000 and R8000 model routers, according to an update posted to NETGEAR’s support website. However, eight more home routers were also found to be vulnerable to the flaw and have only untested or “beta” software available to fix it.
The updates follow a warning by Carnegie Mellon University’s CERT about an “arbitrary command injection” vulnerability in the latest version of firmware used by the wireless routers. The security hole could allow a remote attacker to take control of the router by convincing a user to visit a malicious web site. A proof-of-concept exploit for the hole was published online on Wednesday by an individual using the handle Acew0rm (@acew0rm1). That researcher said he informed NETGEAR about the security hole four months prior to releasing information on it, but never heard back from the company about the problem.
Initial reports focused on just two models of NETGEAR broadband routers: the R6400 and R7000. But NETGEAR now says that nine other models are likewise affected: the R6700, R6900, R7100LG, R7300DST, the R7900, R8000, D6220 and D6400. The company has issued temporary software fixes for all affected models, following similar action last week for the R6400, R7000 and R8000 models. Those software updates are not guaranteed to be stable, but do address the security hole. NETGEAR customers are advised to use them at their own risk.
[Read more Security Ledger coverage of problems with broadband routers.]
More than 11,000 affected NETGEAR routers are reachable via the public Internet and exposed to remote attacks, according to the Shodan search engine, which can identify exposed and Internet-connected hardware. Most affected devices are deployed in the United States, the UK and Australia.
Given the seriousness of the vulnerability, those systems could be compromised by a low-skilled attacker with knowledge of the correct syntax and the Internet (or IP) address of the vulnerable router. That user would not need to first log into the device to compromise it. Many more devices are deployed but are not discoverable using a search of the public Internet. However, such devices can be attacked by a user who is connected to the same network the router is on, according to CMU CERT.
The recent Mirai botnet made clear that such devices are targets for take-over. A string of crippling denial of service attacks carried out by the Mirai botnet in September and October was tied back to infected cameras, digital video recorders and broadband routers. More recently, the worm’s code has been altered to target a known vulnerability in implementations of the TR-069 and -064 remote management protocols that are used by carriers to manage a wide range of home routers and customer premises equipment (CPE).