NETGEAR Broadband Routers Affected by High-Severity RCE Flaw


NETGEAR, a multinational networking equipment company, has released patches for a high-severity remote code execution vulnerability that affects multiple router models and can expose users to a range of remote attacks.

A significant number of NETGEAR’s broadband and WiFi routers are affected by a newly disclosed Remote Code Execution (RCE) vulnerability. It allows attackers to hijack the update process of the Circle Smart Parental Control Service on each device and potentially take control of the router.

Adam Nichols, a security researcher at GRIMM, says the vulnerability lies within Circle. “Since this code is run as root on the affected routers, exploiting it to obtain RCE is just as damaging as a RCE vulnerability found in the core Netgear firmware,” said Nichols. “This particular vulnerability once again demonstrates the importance of attack surface reduction.”

Although the parental control service isn’t enabled by default on all of the company’s routers, users who don’t use it are not necessarily safe. The Circle update daemon runs by default, even when the router isn’t configured to limit daily internet time. This allows an attacker to achieve RCE as root via a Man-in-the-Middle (MitM) attack.

The filter contacts Circle and NETGEAR to fetch updates, but those updates are delivered over unencrypted HTTP. A MitM attacker can answer the Circle update request with a specially crafted compressed database file; when the daemon extracts it, the archive’s contents overwrite executable files on the router with attacker-supplied code.
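The weakness described above is a classic unauthenticated-update pattern: the daemon trusts whatever archive arrives over plain HTTP and extracts it without checking where its entries land. The following Python example, added here for illustration and not taken from NETGEAR, Circle or GRIMM, shows the two checks a hardened updater performs before touching the filesystem: authenticating the archive before it is opened, and rejecting any archive entry whose path escapes the update daemon's data directory. The signing key, the `db/` data prefix and the sample archive entries are all constructed assumptions; a real updater would verify a public-key signature over TLS rather than the HMAC used here so the example runs with the standard library alone.

```python
import hashlib
import hmac
import io
import os
import tarfile

# Constructed stand-in for an update signing key (assumption: in a real
# updater this is a public-key signature, not a shared secret).
UPDATE_KEY = b"constructed-demo-key-not-a-real-secret"

# Assumption: the daemon is only allowed to write database files under db/.
ALLOWED_PREFIX = "db/"


def sign_update(archive, key=UPDATE_KEY):
    """Authentication tag the update server would attach to an archive."""
    return hmac.new(key, archive, hashlib.sha256).digest()


def verify_update(archive, tag, key=UPDATE_KEY):
    """Constant-time check of the tag before any archive content is parsed."""
    return hmac.compare_digest(sign_update(archive, key), tag)


def member_is_safe(member, allowed_prefix=ALLOWED_PREFIX):
    """Accept only regular files whose normalised path stays under the data dir.

    Absolute names, '..' components and symlinks/devices are all refused, so an
    entry cannot overwrite an executable elsewhere on the system.
    """
    if not member.isfile():
        return False
    norm = os.path.normpath(member.name)
    if os.path.isabs(norm) or norm.split(os.sep)[0] == "..":
        return False
    return norm.startswith(allowed_prefix)


def apply_update(archive, tag):
    """Validate an update and return the entry names that would be written.

    Raises ValueError instead of writing anything when the tag is wrong or any
    entry is unsafe, so a tampered archive never reaches the filesystem.
    """
    if not verify_update(archive, tag):
        raise ValueError("update rejected: authentication failed")
    accepted = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar:
            if not member_is_safe(member):
                raise ValueError("update rejected: unsafe entry %r" % member.name)
            accepted.append(member.name)
    return accepted


def build_archive(entries):
    """Build an in-memory .tar.gz from {name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a legitimate database update ...
    good = build_archive({"db/filter.db": b"constructed filter rules"})
    print(apply_update(good, sign_update(good)))
    # ... and one whose entry tries to land outside the data directory.
    bad = build_archive({"../../usr/bin/example-daemon": b"#!/bin/sh\n"})
    try:
        apply_update(bad, sign_update(bad))
    except ValueError as exc:
        print(exc)
```

Two design points matter here. Authentication runs over the raw bytes before the decompressor sees them, so a malformed archive cannot exploit the parser on the way to being rejected. And path validation is done on the normalised name rather than on a string search for `..`, which also catches entries such as `db/../../bin/x` that only escape after normalisation.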

The flaw, tracked as CVE-2021-40847 (CVSS score: 8.1), affects the following models: R6900P, R6400v2, R6700v3, R6900, R6700, R7000P, R7000, R7850, R8000, RS400, and R7900. In its security advisory, NETGEAR strongly recommends that users download the latest firmware as soon as possible to reduce the risk of these attacks. GRIMM, for its part, recommends provisioning and using a VPN for clients who can’t yet patch their devices.