Three or more router models from Netgear contain an arbitrary command injection vulnerability so critical that a leading CERT authority has advised consumers to temporarily stop using the devices until the manufacturer issues a patch.
Discovered by researcher Andrew Rollins, who goes by the online handle Acew0rm, the vulnerability can be exploited to gain root privileges on a device and execute arbitrary Linux-based commands. Remote attackers can execute this exploit by tricking users into visiting specially crafted malicious websites (or by installing malicious advertisements on otherwise legitimate sites, according to separate researcher Kalypto Pink). Meanwhile, attackers connected to a target device's local-area network can pull off the exploit by issuing a direct request.
Consequently, “Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available,” read an advisory posed by the CERT at Carnegie Mellon University's Software Engineering Institute.
In a Twitter exchange, Rollins confirmed to SC Media that he attempted to privately disclose the matter to Netgear on 25 August, but received no response. Finally, on 6 December, he publicly revealed the vulnerability on the Exploit Database website, seemingly prompting Netgear on Monday to release a security advisory acknowledging the problem. “Netgear's lack of response is disappointing because I think it reflects on their security practices,” Rollins told SC Media.
In its advisory, Netgear confirmed that routers with the model numbers R7000, R6400 and R8000 “might” be vulnerable. Asked for comment, Netgear spokesperson Nathan Papadopulos told SC Media in a statement via email: “Netgear is aware of the security vulnerability… that affects Netgear routers (R7000, R6400 and R8000), which has been reported to allow unauthenticated web pages to pass the command-line interface, leaving open the potential for arbitrary command execution by remote attack.”
However, according to Pink, there are even more routers affected than initially reported. In his own blog post, Pink claims that six of the seven Netgear router models he tested turned out to be vulnerable, including the R6400, R7000P, R7800 and R8500 products. Only the R9000 model tested clean. (All but one of the routers are sold under the brand name Nighthawk.)
CERT also directed readers to Bas' Blog, a blog site operated by a UK-based data scientist, which posted a temporary workaround for those who wish to continue using their vulnerable Netgear routers. To execute this workaround, affected users can ironically use the very vulnerability under scrutiny to terminate the web server process on their routers. However, rebooting the device automatically restarts the process and makes the user vulnerable once again – underscoring the need for a permanent fix.