[TheRecord] Netgear patches severe pre-auth RCE in 61 router and modem models

Networking equipment vendor Netgear has patched the fifth set of dangerous remote code execution bugs impacting its small office/home office (SOHO) routers this year.

Discovered by security firm GRIMM, the latest set of patches addresses a bug that can be exploited from within local networks to allow attackers to take full control of a vulnerable Netgear router.

According to GRIMM principal security researcher Adam Nichols, who discovered the issue in September, the vulnerability resides in the UPnP function of several Netgear routers.

Also known as Universal Plug-and-Play, this function is used by devices installed on a local network to change the router’s configurations in order to open ports to the public internet — such as gaming devices opening gaming ports or smart assistants opening ports to receive security updates.

Nichols said the GRIMM team discovered a vulnerability in the SUBSCRIBE/UNSUBSCRIBE feature of the UPnP function, which allows devices to subscribe/unsubscribe and receive alerts when the router configuration has changed, in order to make sure their ports or settings remain configured on the device.

The GRIMM security researcher said there is a stack overflow bug in the code responsible for this feature that allows an attacker to send a malformed packet that overflows a stack buffer and then run code on the device.

Since the UPnP service runs as root and the SUBSCRIBE/UNSUBSCRIBE handler is not protected by any authentication mechanism, this bug can easily be abused to hijack Netgear routers in their entirety.
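The defect class described above is a missing length check in the UPnP eventing (GENA) handler: a SUBSCRIBE or UNSUBSCRIBE request carries its parameters in HTTP-style headers, and a header value longer than the fixed-size buffer it is copied into corrupts the stack. As an added illustration, not GRIMM's proof of concept or Netgear's firmware code, the following Python validator shows the checks such a handler should apply before any header value is stored: a hard cap on request and header size, method-specific header rules, and a LAN-only rule for CALLBACK URLs. The size limits, the allowed address ranges and the sample requests are constructed assumptions chosen for illustration, not values from the advisory.

```python
"""Bounded validator for UPnP GENA SUBSCRIBE/UNSUBSCRIBE requests (added example).

Every limit below is an assumption picked for illustration; a real device
would size them to its own buffers. Nothing here is Netgear or GRIMM code.
"""
import ipaddress
import re
import uuid
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

MAX_REQUEST_BYTES = 4096   # assumed limit: anything bigger is rejected unread
MAX_HEADER_VALUE = 512     # assumed limit for any single header value
MAX_CALLBACK_URLS = 4      # assumed limit on the URL list inside CALLBACK
# Callback targets must be on an RFC 1918 range: an event subscription is a LAN feature.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_REQUEST_LINE = re.compile(rb"^(SUBSCRIBE|UNSUBSCRIBE) (/\S*) HTTP/1\.[01]$")
_ANGLE_URL = re.compile(r"<([^<>]*)>")


def _parse_headers(head: bytes) -> Tuple[str, Dict[str, str]]:
    """Split the request head into (method, headers). The length of every
    value is checked before it is stored, so an oversized header never
    reaches any later copy. Raises ValueError on the first problem."""
    lines = head.split(b"\r\n")
    m = _REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("bad request line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise ValueError("malformed header line")
        value = value.strip()
        if len(value) > MAX_HEADER_VALUE:
            raise ValueError(f"header {name.strip().decode(errors='replace')} too long")
        headers[name.strip().decode(errors="replace").upper()] = value.decode(errors="replace")
    return m.group(1).decode(), headers


def _check_callbacks(value: str) -> List[str]:
    """Accept only a short list of <http://...> URLs whose host is a LAN IPv4 literal."""
    urls = _ANGLE_URL.findall(value)
    if not urls or len(urls) > MAX_CALLBACK_URLS:
        raise ValueError(f"CALLBACK must hold 1..{MAX_CALLBACK_URLS} URLs")
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            raise ValueError("callback must be an http URL")
        try:
            host = ipaddress.IPv4Address(parts.hostname)
        except ValueError:
            raise ValueError("callback host must be an IPv4 literal")
        if not any(host in net for net in LAN_NETWORKS):
            raise ValueError("callback host not on a LAN range")
    return urls


def _check_sid(value: str) -> str:
    """A subscription id is 'uuid:' followed by a well-formed UUID."""
    if not value.startswith("uuid:"):
        raise ValueError("SID must be uuid:<uuid>")
    uuid.UUID(value[5:])  # raises ValueError on anything that is not a UUID
    return value


def validate_gena_request(raw: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for one raw SUBSCRIBE/UNSUBSCRIBE request."""
    if len(raw) > MAX_REQUEST_BYTES:
        return False, "request too large"
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "missing end of headers"
    try:
        method, h = _parse_headers(head)
        if method == "UNSUBSCRIBE":
            if "SID" not in h or "CALLBACK" in h or "NT" in h:
                raise ValueError("UNSUBSCRIBE needs SID only")
            _check_sid(h["SID"])
            return True, "unsubscribe ok"
        # SUBSCRIBE is either a renewal (SID) or a new subscription (CALLBACK + NT), never both.
        if "SID" in h:
            if "CALLBACK" in h or "NT" in h:
                raise ValueError("renewal must not carry CALLBACK or NT")
            _check_sid(h["SID"])
            return True, "renewal ok"
        if h.get("NT") != "upnp:event":
            raise ValueError("new subscription needs NT: upnp:event")
        n = len(_check_callbacks(h.get("CALLBACK", "")))
        return True, f"subscribe ok ({n} callback url(s))"
    except ValueError as e:
        return False, str(e)


# Constructed sample requests (not captured traffic). The oversized one stands in
# for the malformed packet the article describes: a header far longer than any
# fixed-size buffer a handler might copy it into.
SAMPLES = {
    "new_subscription": (b"SUBSCRIBE /upnp/event/wanipc HTTP/1.1\r\nHOST: 192.168.1.1:5000\r\n"
                         b"CALLBACK: <http://192.168.1.50:8080/notify>\r\nNT: upnp:event\r\n"
                         b"TIMEOUT: Second-1800\r\n\r\n"),
    "oversized_callback": (b"SUBSCRIBE /upnp/event/wanipc HTTP/1.1\r\nHOST: 192.168.1.1:5000\r\n"
                           b"CALLBACK: <http://192.168.1.50:8080/" + b"A" * 2000 + b">\r\n"
                           b"NT: upnp:event\r\n\r\n"),
    "public_callback": (b"SUBSCRIBE /upnp/event/wanipc HTTP/1.1\r\nHOST: 192.168.1.1:5000\r\n"
                        b"CALLBACK: <http://203.0.113.9/notify>\r\nNT: upnp:event\r\n\r\n"),
    "renewal": (b"SUBSCRIBE /upnp/event/wanipc HTTP/1.1\r\nHOST: 192.168.1.1:5000\r\n"
                b"SID: uuid:12345678-1234-5678-1234-567812345678\r\nTIMEOUT: Second-1800\r\n\r\n"),
    "unsubscribe_no_sid": b"UNSUBSCRIBE /upnp/event/wanipc HTTP/1.1\r\nHOST: 192.168.1.1:5000\r\n\r\n",
    "oversized_request": b"SUBSCRIBE /upnp/event/wanipc HTTP/1.1\r\n" + b"X" * 5000 + b"\r\n\r\n",
}


def run_samples() -> Dict[str, Tuple[bool, str]]:
    """Validate every constructed sample and return the verdicts by name."""
    return {name: validate_gena_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_samples().items():
        print(f"{name:20s} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The order of checks is the point: the total size gate runs before any parsing, and the per-header length gate runs inside the header loop before the value is stored, so no later code ever sees a value longer than the assumed buffer size. The LAN-only callback rule is a separate defensive choice that keeps a subscription from turning the router into a client of an arbitrary outside host.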

The faulty code was found in several Netgear models, according to a list made available by the GRIMM team. In total 61 Netgear models were found to have been impacted.

Image: GRIMM

Nichols said that Netgear patched most of the devices last week, but only for models that were still under active firmware maintenance, with others remaining unpatched.

The list of Netgear models that received a fix is available in the official Netgear CVE-2021-34991 advisory here. This includes SOHO routers, DSL modems, cable modems, and extenders.

In addition, Nichols also said that on some devices, a previous Netgear security fix had inadvertently blocked the possibility of exploiting their bug, but that the bug was still present in the firmware regardless.

Netgear has had a tough 2021

Nichols’ findings are the fifth major set of remote code execution bugs that the US networking company has patched this year. Similar remote takeover bugs were found in:

March – by security firm NCC Group.
June – by Microsoft.
September – by Polish security researcher Gynvael Coldwind.
September – by GRIMM (a different set of bugs).

The GRIMM team released proof-of-concept code to reproduce their vulnerability and exploit on GitHub. An in-depth walkthrough of the bug’s technical aspects is also available on the GRIMM blog.

Originally published by The Record by Recorded Future.
