Netgear customers told to stop using routers over security fears

The exploit tricks a user into visiting a web address that contains code capable of running commands on the router. It’s a simple attack to accomplish and could result in the hijacker gaining complete access to the device. They’d then be free to spy on the user’s web usage or install additional malware on the network.
The flaw was found by a security researcher known as Acew0rm. It has been assigned a score of 9.3 out of 10 for severity by the Common Vulnerability Scoring System (CVSS). The only proposed solution is disabling the router’s web server by running a specific command via a URL. This is a temporary measure that needs to be reapplied each time the router reboots. The command is run using the very vulnerability that’s being disabled, highlighting the severity of the security hole.
Netgear acknowledged the problems over the weekend, saying it’s investigating the reports. It has not yet elaborated on its original statement and there’s currently no indication of when a patch will be released. The company confirmed its R6400, R7000 and R8000 routers are affected by the flaw. The devices are popular high-end models that are generally well-regarded in the industry.
Netgear said the exploit “allows unauthenticated web pages to pass form input directly to [the router],” enabling attackers to run arbitrary code on the router. It did not propose any workarounds to use while it creates a patch.
“We appreciate and value having security concerns brought to our attention,” the company said. “NETGEAR constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.”
While the company’s mission is to be “pro-active,” it’s currently operating in a re-active role. CERT said it’s “trivial” to exploit the vulnerability, warning users there’s a credible risk to their security. It suggested that users should stop using their routers until a patch is available, although this may not be feasible for every owner.
Routers are becoming increasingly attractive targets for cybercriminals who can use them to harvest browsing data, disrupt Internet access or mount large-scale botnet attacks. Recently, a million European Internet customers were left without a connection as hackers knocked out a series of ISP-supplied broadband routers.
The Netgear vulnerability demonstrates it’s not just budget devices that are at risk though. In the connected age, every device is a liability, particularly those that distribute data to all the others in your home. Netgear said it strives to “earn and maintain” the trust of its customers.
