PINDROP BLOG

Some Netgear Routers Open to Remote Code Execution

Two models of Netgear home routers contain a vulnerability that can allow a remote attacker to execute arbitrary code. The bug can be exploited with a simple URL and there’s a publicly available exploit for the flaw.

The issue affects the Netgear R7000 and R6400 routers and right now there’s no fix available for the vulnerability. The bug affects firmware version 1.0.7.2_1.1.93 in the R7000 and version 1.0.1.6_1.0.4 in the R6400, and there are reports that some other Netgear models might be vulnerable, as well. An advisory from the CERT/CC at Carnegie Mellon University says the vulnerability can be exploited easily by remote or local attackers.

“Exploiting the vulnerability is trivial.”

“Netgear R7000, firmware version 1.0.7.2_1.1.93 and possibly earlier, and R6400, firmware version 1.0.1.6_1.0.4 and possibly earlier, contain an arbitrary command injection vulnerability. By convincing a user to visit a specially crafted web site, a remote unauthenticated attacker may execute arbitrary commands with root privileges on affected routers. A LAN-based attacker may do the same by issuing a direct request, e.g. by visiting: http://<router_IP>/cgi-bin/;COMMAND," the advisory says.

“This vulnerability has been confirmed in the R7000 and R6400 models. Community reports also indicate the R8000, firmware version 1.0.3.4_1.1.2, is vulnerable. Other models may also be affected.”

There’s no patch for the vulnerability, and the CERT/CC advisory says users who are running vulnerable versions of the firmware should disable the web server or stop using the router until a patch is released.

“Exploiting the vulnerability is trivial. Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available,” the advisory says.

Nether said it is aware of the issue and is investigating the vulnerability. The affected routers are designed for home use.