Netgear working to fix flaw that left thousands of devices open to attack

Several routers in the Nighthawk line affected, CERT recommends customers discontinue use

Remote vulnerability impacts several routers in the Nighthawk line
Credit: Netgear

A remotely exploitable vulnerability in the Nighthawk line of Netgear routers was disclosed on Friday.

The flaw leaves customers exposed to having their connections hijacked, as someone exploiting the vulnerability can take complete control of the device. Despite having months to address the problem, Netgear has yet to publish a fix.

The vulnerability was discovered in August by Andrew Rollins, a security researcher from St Louis, MO. Rollins, who uses the handle Acew0rm, notified Netgear about the problem on August 25, but the company never responded to him. After waiting a few months, Rollins disclosed the vulnerability to the public, where it was brought to the attention of CERT.

If exploited, an attacker could issue basic commands to the device by appending them to the end of a specially crafted URL. Such commands could enable Telnet, or otherwise provide full control to the attacker.

Users on Reddit said a similar vulnerability was discovered DD-WRT in 2009.

A possible mitigation is the run routers with non-standard addresses, but the reality is that most home users do not do this. Moreover, such configurations don’t prevent attacks that originate on the local network, and they don't prevent remote attackers from learning a person's LAN IP address.

On Friday, CERT issued an advisory, warning about the flaw and advising customers to discontinue use of the impacted Nighthawk routers until they can be properly patched.

“By convincing a user to visit a specially crafted web site, a remote unauthenticated attacker may execute arbitrary commands with root privileges on affected routers. A LAN-based attacker may do the same by issuing a direct request,” the CERT advisory warns.

“Exploiting this vulnerability is trivial. Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available.”

Researcher Kalypto Pink did some additional work and discovered that seven Nighthawk routers were vulnerable, as well as one other outside of the Nighthawk line.

  • AC1750 (Model R6400)
  • AC1900 (Model R7000)
  • AC2300 (Model R7000P)
  • AC2350 (Model R7500)
  • AC2600 (Model R7800)
  • AC3200 (Model R8000)
  • AC5300 (Model R8500)
  • AD7200 (R9000)

Based on passive scans of Shodan, there are nearly 10,000 vulnerable devices online. More than half of them are R7000’s.

Identification and a possible temporary fix:

A single line of code is all an attacker needs to exploit the vulnerable Nighthawk routers. The line below, as reported by Bas van Schaik, will help Netgear customers identify vulnerable hardware.

http://[router-address]/cgi-bin/;uname$IFS-a

Using the network's internal IP address to replace [router-address], visit the URL above. If anything but an error or blank page is displayed, the router is affected by this vulnerability.

If vulnerable, using the URL below (again using the internal IP address), will disable the server process that could be exploited.

http://[router-address]/cgi-bin/;killall$IFS'httpd'

Netgear:

Salted Hash reached out to Netgear for comment.

In a statement, a representative for Netgear said that the company strives "to earn and maintain the trust" of its users, and they're "actively working to provide solution for our customers."

In addition, they company has published a support article on the issue.

Cybersecurity market research: Top 15 statistics for 2017