Several models of Netgear routers are affected by a publicly disclosed easy vulnerability that could allow hackers to take them over.
An exploit for the vulnerability was published Friday by a researcher who uses the online handle Acew0rm. He claims that he reported the flaw to Netgear in August, but didn’t hear back.
The issue stems from improper input sanitisation in a form in the router’s web-based management interface and allows the injection and execution of arbitrary shell commands on an affected device.
The U.S. CERT Coordination Center (CERT/CC) at Carnegie Mellon University rated the flaw as critical, assigning it a score of 9.3 out of 10 in the Common Vulnerability Scoring System (CVSS).
Netgear confirmed the vulnerability over the weekend and said that its R7000, R6400, and R8000 routers might be vulnerable. However, another researcher performed a test and reported that other routers from Netgear’s Nighthawk line are also affected. These include: R7000, R7000P, R7500, R7800, R8500, and R9000.
Users can check if their models are affected by accessing the following URL in a browser when connected to their local area network (LAN): http://[router_ip_address]/cgi-bin/;uname$IFS-a . If this shows any information other than a error or a blank page, the router is likely affected.
In some cases, replacing the IP address with www.routerlogin.net or www.routerlogin.com might also work, because Netgear routers resolve these domains names to their own local IP address.
Since the vulnerability can be exploited with an HTTP request that doesn’t require authentication, hackers can attack the affected routers using cross-site request forgery attacks (CSRF). This works even when the routers don’t have their management interfaces exposed to the Internet.
CSRF attacks hijack users’ browsers when visiting specifically crafted webpages and send unauthorized requests through them. This makes it possible for a malicious website to force a user’s browser to exploit the router over the LAN.
This is unbelievable advice –
CERT/CC recommends that users stop using the affected routers until an official patch becomes available, if they can do so. However, there is a workaround that involves exploiting the flaw to stop the router’s web server and prevent future attacks. This can be done with the following command: http://[router_IP_address]/cgi-bin/;killall$IFS’httpd’
Because the web server will be shut down, the management interface will no longer be available and further attempts to exploit the vulnerability will fail, but this is only a temporary solution and needs to be reapplied every time the router is rebooted.
In order to protect themselves from CSRF attacks against routers in general, users should change their router’s default IP address. Most of the time, routers will be assigned the first address in a predefined netblock, for example 192.168.0.1, and these are the addresses that hackers will try to attack via CSRF.
Routers have become an attractive target for hackers in recent years as they can be used to spy on user traffic and launch other attacks. Most commonly they are infected with malware and used in distributed denial-of-service (DDoS) campaigns.