In-brief: A serious security hole in the software that runs certain models of wifi routers made by the firm Netgear prompted warnings to customers to stop using them until a fix can be found. (Editor’s Note: updated with comment from Netgear. PFR 12/12/2016)
A serious and easy to exploit security hole in the software that runs certain models of wifi routers made by the firm Netgear prompted experts at Carnegie Mellon to urge customers to stop using them until a fix can be found.
The warning comes in a vulnerability note (VU#582384) published on Friday by Carnegie Mellon University’s CERT. An “arbitrary command injection” vulnerability in the latest version of firmware used by a number of Netgear wireless routers. The security hole could allow a remote attacker to take control of the router by convincing a user to visit a malicious web site. An proof of concept exploit for the hole was published online on Wednesday by an individual using the handle Acew0rm (@acew0rm1).
Firmware version 126.96.36.199_1.1.93 (and possibly earlier) for the R7000 and version 188.8.131.52_1.0.4 (and possibly earlier) for the R6400 are known to contain the arbitrary command injection vulnerability. CERT cited “community reports” that indicate the R8000, firmware version 184.108.40.206_1.1.2, is also vulnerable.
The warning comes amid increased concern about the security of home routers, following widespread attacks in recent weeks that have targeted the devices in Germany, the UK and other countries.
The flaw was found in new firmware that runs the Netgear R7000 and R6400 routers. Other models and firmware versions may also be affected, including the R8000 router, CMU CERT warned. With no work around to the flaw, CERT recommended that Netgear customers disable their wifi router until a software patch from the company that addressed the hole was available.
In statements on Twitter, AceW0rm said that he informed Netgear of the flaw more than four months ago, but did not hear back from the company since then. He released information on the hole as well as proof of concept exploit code.
In a YouTube video (above), the hacker known as Aceworm demonstrates how the flaw can be exploited by anyone with little more than the Internet (IP) address of the affected router and knowledge of the exploit. He said, given the severity of the patch, he expected Netgear to act to patch it and “did not expect it to get this big.”
A search of the public Internet using the Shodan search engine finds around 8,000 R6450 and R7000 devices that can be reached directly from the Internet and that would be vulnerable to attack. The vast majority of those are located in the United States.
However, many more routers are not visible from the public Internet. The attack can also be launched locally from any network served by an affected Netgear router, posing a risk of insider attacks.
Netgear did not respond to an email request for comment. As of Sunday, the company has not issued a security alert addressing the flaw.
In a statement Monday, Netgear said it is aware of the security vulnerability affecting the R7000, R6400 and R8000 modules. The company said it is investigating the issue.
“It is NETGEAR’s mission to be the innovative leader in connecting the world to the internet,” the company said. “To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.”
The company has posted a knowledge base article on the issue and said it will update that as new information becomes available.
The security of home routers is a growing concern, as cyber criminals have begun targeting the devices, which are often vulnerable, and using them to build global networks of compromised systems.
Recently, alware such as the recent Mirai botnet has made such devices a high-profile target for take-over. A string of crippling denial of service attacks carried out by the Mirai botnet in September and October were tied back to infected cameras, digital video recorders and broadband routers. More recently, the worm’s code has been altered to target a known vulnerability in implementations of the TR-069 and -064 remote management protocol that is used by carriers to manage a wide range of home routers and customer premises equipment (CPE).