Netgear has released firmware updates to fix a high-severity remote code execution (RCE) vulnerability in multiple Netgear routers and other network devices. A remote attacker could exploit the vulnerability to take control of an affected device.
The Netgear hotfixes address a stack buffer overflow vulnerability in the way the httpd web service handles upgrade_check.cgi. By exploiting the flaw, an unauthenticated attacker could execute code remotely on an impacted device with root privileges.
Earlier this year, the Zero Day Initiative (ZDI) first discovered the vulnerability in R6700 routers and disclosed the issue to Netgear on January 8.
After several attempts for updates and extensions through May, ZDI published the 0-day advisory on June 15, 2020. ZDI warned that the specific flaw exists within the httpd service, an embedded web service used for administrative purposes.
ZDI further explained in the advisory:
“The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.”
Zero Day Initiative
In addition, ZDI assigns the vulnerability a CVSS score of 8.8.
Router hotfix updates
Netgear has since published firmware (or hotfix) updates for the following network device models (with the dates they were made available):
- R6400v2, R6700v3, R7000 and R8000 (June 22)
- R6900, R6900P, R7000P, and R7900 (June 23)
- R7850, R8500, and WNR3500Lv2 (June 24)
- D6220, D6400, D7000v2, D8500, EX7000, and R7100LG (June 25)
- DC112A, DGN2200v4, EX3700, EX3800, EX3920, EX6120, EX6130, EX6920, R6250, RS400, and XR300 (June 29).
The CERT/CC also issued a security advisory on June 26 with more details on the Netgear issue.
Finally, readers can check out the GRIMM blog post on SOHO device exploitation, along with a link to exploit code on GitHub that targets 79 Netgear models.