NETGEAR Pushes Emergency Patch, Finds More Routers Vulnerable

NETGEAR on Tuesday issued an emergency beta patch for a wide range of home routers that are vulnerable to attack.

In-brief: NETGEAR has issued an emergency software patch for a serious vulnerability in its home routers, even as the company expands the list of affected hardware, adding five more models to the list of affected products.

NETGEAR has issued an emergency software patch for a serious vulnerability in its home routers, even as the company expands the list of affected hardware, adding five more models to the list of affected products.

The company said on Tuesday that it is providing a “beta version” of router firmware that addresses an arbitrary command injection vulnerability that was disclosed in firmware used by a number of wireless routers sold to consumers and small businesses. NETGEAR said the software update is still being tested and will only work on three versions of its routers: the R6400, R7000 and R8000. The company also acknowledged that five more routers are affected by the flaw and remain unpatched.

The updated (beta) firmware for the R6400 can be downloaded here. Get the R7000 firmware here and the R8000 firmware here. 

A vulnerability in firmware used by the NetGear R7000 and other wifi routers has prompted security experts to advise customers to stop using the devices.

The company said the new firmware has not been fully tested and “might not work for all users.” The company offered it as a “temporary solution” to address the security hole. “NETGEAR is working on a production firmware version that fixes this command injection vulnerability and will release it as quickly as possible,” the company said in a post to its online knowledgebase early Tuesday.

[Read more Security Ledger coverage of security issues affecting broadband routers here.]

NETGEAR more than doubled the list of routers that are known to be affected by the vulnerability, revealing that the R7900, R7300, R7100LG, R6700 and R6250 also run firmware that contains the command injection flaw. That hole, discovered by an independent security researcher using the handle Acew0rm (@acew0rm1), could allow a remote attacker to take control of a Netgear router by convincing a user to visit a malicious web site. The routers are also vulnerable to attack by individuals connected to a local wifi network using a simple command sent to the address of the router.

NETGEAR said it is testing other router models to see if they are vulnerable, also, and there is some evidence that more router models will be added to the list of affected hardware.

Security experts describe the vulnerability as extremely easy to trigger. An attack could be launched from a malicious web site, or via malicious ads displayed on a reputable site. The vulnerability allows Linux commands to run with administrator-level (“root”) privileges simply by appending the commands to a URL that include’s the router’s Internet address.

Firmware version (and possibly earlier) for the R7000 and version (and possibly earlier) for the R6400 are known to contain the arbitrary command injection vulnerability.

On December 9, experts at Carnegie Mellon CERT recommended that NETGEAR customers discontinue use of affected routers until a patch was issued. The warning comes amid growing concern about the security of home wireless and broadband routers, as cyber criminals have begun targeting the devices, which are often vulnerable, and using them to build global networks of compromised systems.

The recent Mirai botnet made clear that such devices are targets for take-over. A string of crippling denial of service attacks carried out by the Mirai botnet in September and October were tied back to infected cameras, digital video recorders and broadband routers. More recently, the worm’s code has been altered to target a known vulnerability in implementations of the TR-069 and -064 remote management protocol that is used by carriers to manage a wide range of home routers and customer premises equipment (CPE).

Comments are closed.