A remote code execution vulnerability riddled numerous Netgear routers posing a security threat to users. Although it didn’t directly affect Netgear firmware, instead it existed in a third-party component. Exploiting this bug could have a similarly devastating impact. Nonetheless, the vendors have released the patches for the affected routers with the latest firmware updates.
Netgear Routers Vulnerability
Security researcher Adam Nichols from GRIMM has elaborated on the code execution vulnerability affecting numerous Netgear routers in a post.
This bug is crucial as it affects numerous Netgear Small Offices/Home Offices (SOHO) devices that play a key role in the present-day work-from-home scenario.
Briefly, the vulnerability resided in the third-party component “/bin/circled daemon” that imparts parental control functionality to the routers. The problem existed because the vulnerable code was active by default on all devices, even when not used.
While the parental controls themselves are not enabled by default on the routers, the Circle update daemon,
circled, is enabled by default. This daemon connects to Circle and Netgear to obtain version information and updates to the
circleddaemon and its filtering database. However, database updates from Netgear are unsigned and downloaded via Hypertext Transfer Protocol (HTTP).
Hence, an adversary on the network could exploit the bug to gain root access to the target routers via a MiTM attack with a maliciously crafted compressed database file.
Following the researcher’s report, Netgear has released patches for the vulnerability with the latest firmware updates. The vendors have marked this bug (CVE-2021-40847) as a high-severity flaw that received a CVSS score of 8.1.
According to its advisory, Netgear has rolled out the fixes for the following devices.
- R6400v2 (firmware version 18.104.22.168)
- R6700 (firmware version 22.214.171.124)
- R6700v3 (firmware version 126.96.36.199)
- R6900 (firmware version 188.8.131.52)
- R6900P (firmware version 3.3.142_HOTFIX)
- R7000 (firmware version 184.108.40.206)
- R7000P (firmware version 220.127.116.11_HOTFIX)
- R7850 (firmware version 18.104.22.168)
- R7900 (firmware version 22.214.171.124)
- R8000 (firmware version 126.96.36.199)
- RS400 (firmware version 188.8.131.52)
Therefore, all users bearing the vulnerable routers should update their devices with the latest updates at the earliest.
Since some of these patches arrive as hotfix, Netgear advises users to monitor their devices for possible performance issues.
Let us know your thoughts in the comments.