The United States Computer Emergency Readiness Team (US-CERT), an organization within the Department of Homeland Security (DHS), published a security alert yesterday warning owners of Netgear R6400 and R7000 models against using their routers for the time being, because of a severe security flaw.
The organization decided to issue this extreme advice after a user nicknamed "Acew0rm" had published an exploit online for the two models.
"Exploiting this vulnerability is trivial," CERT said. "Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available."
"The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround," the organization added.
Exploit relies on a security flaw and social engineering
Netgear R7000 (firmware version 1.0.7.2_1.1.93 and possibly earlier) and R6400 (firmware version 1.0.1.6_1.0.4 and possibly earlier) are vulnerable, but CERT said that other router models might be affected.
The exploit is trivial, as the organization's experts said, and relies on convincing a router owner into accessing a URL of the form:
http://< router_IP >/cgi-bin/;COMMAND
An attacker may hide the exploit behind shortened URLs, which would greatly increase the chance of tricking a router owner into clicking the link.
Once this happens and the user's router processes the URL, the command at the end of the link is executed on the router. This type of vulnerability is known as a command injection.
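The two technical facts in the alert, the affected firmware versions listed above and the `/cgi-bin/;COMMAND` request shape, can both be checked mechanically. The following Python is an added example written for this page; it is not code from the article, from CERT or from Netgear. It assumes the router's firmware version string always has the `A.B.C.D_E.F.G` layout shown above, and that the web server log being scanned is in Apache combined format; the log lines are constructed samples, not captures from a real device.

```python
import re
from urllib.parse import unquote

# Firmware versions named in the CERT alert; the alert says earlier versions
# may also be affected, so anything at or below these is treated as affected.
AFFECTED_FIRMWARE = {
    "R7000": "1.0.7.2_1.1.93",
    "R6400": "1.0.1.6_1.0.4",
}


def parse_firmware_version(version):
    """Turn 'A.B.C.D_E.F.G' into a tuple of ints so versions compare numerically."""
    return tuple(int(part) for part in re.split(r"[._]", version))


def firmware_is_affected(model, version):
    """True when the model is listed and its firmware is the listed version or older.

    Unlisted models return False here, but the alert notes other models may be
    affected too, so treat False as "not known to be affected", not "safe".
    """
    latest_bad = AFFECTED_FIRMWARE.get(model.upper())
    if latest_bad is None:
        return False
    return parse_firmware_version(version) <= parse_firmware_version(latest_bad)


# Request-path shape described in the alert: /cgi-bin/ followed by a semicolon.
INJECTION_PATTERN = re.compile(r"/cgi-bin/\s*;")

# Minimal parser for Apache combined log format: client IP, method, path, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_injection_attempt(path):
    """Percent-decode the path twice (the semicolon may arrive as %3B or %253B)
    and report whether it matches the command-injection shape."""
    decoded = unquote(unquote(path))
    return INJECTION_PATTERN.search(decoded) is not None


def scan_access_log(lines):
    """Return (client_ip, request_path) for every log line that matches the pattern."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # not a well-formed combined-format line; skip it
        if is_injection_attempt(match.group("path")):
            hits.append((match.group("ip"), match.group("path")))
    return hits


# Constructed sample log lines (not from a real device): two probes, two benign requests.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Dec/2016:14:02:11 +0000] "GET /cgi-bin/;COMMAND HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Dec/2016:14:02:15 +0000] "GET /cgi-bin/%3BCOMMAND HTTP/1.1" 200 512 "-" "curl/7.50"',
    '192.0.2.12 - - [10/Dec/2016:14:03:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.13 - - [10/Dec/2016:14:03:07 +0000] "GET /cgi-bin/status.cgi?id=1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, path in scan_access_log(SAMPLE_LOG):
        print(f"possible command injection from {ip}: {path}")
    for model, version in (("R7000", "1.0.7.2_1.1.93"), ("R6400", "1.0.1.7_1.0.4")):
        print(f"{model} {version} affected: {firmware_is_affected(model, version)}")
```

The double `unquote` matters: a shortened or hand-crafted link can carry the semicolon percent-encoded, and a single decode would miss `%253B`. A second-order request in the same shape without the semicolon (a normal `/cgi-bin/status.cgi` call) is deliberately not flagged, so the rule stays narrow enough to run over a busy log without drowning in false positives.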
Exploit can lead to complete router takeover
Depending on the attacker's skill, they can take over the user's router completely.
Because there's no mitigation or workaround, CERT hopes router owners heed its advice and avoid a situation where a botnet operator bolsters its numbers with new zombies made of Netgear R6400 and R7000 routers.
In the past two weeks, botnet herders have used vulnerabilities to take over Eir D1000 modems, Zyxel AMG1302 and D-Link DSL-3780 routers from the infrastructure of Deutsche Telekom in Germany, and TalkTalk and the Post Office in the UK. The operator of a Mirai botnet offshoot has taken credit for these hijacks and claimed he owned at one point over 3 million devices.
UPDATE [October 10, 2016]: A Reddit user reported today that the exploit also worked on a Netgear R8000 model, although he didn't specify the router's firmware version number.
UPDATE [October 12, 2016]: Netgear has issued a statement, acknowledging the security flaw.
Comments
Starkman - 7 years ago
What about firmware newer than 1.0.1.6_1.0.4? Are they at risk as well?
Thanks.
campuscodi - 7 years ago
No. Otherwise, it would have been included in the alert.
jdcnservices - 7 years ago
So, this is a firmware issue? Can't the OS be replaced by WWRT or Tomato, for example, and if so would this still be vulnerable?
pellcorp - 6 years ago
Can't believe this command can be executed without authentication. How the hell does that pass quality assurance?