
997440 (Original poster) - Oct 11, 2015
The advice at this point is to discontinue use until a solution is found.
Netgear R7000 and R6400 routers and possibly other models are vulnerable to arbitrary command injection.

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Netgear R7000, firmware version 1.0.7.2_1.1.93 and possibly earlier, and R6400, firmware version 1.0.1.6_1.0.4 and possibly earlier, contain an arbitrary command injection vulnerability. By convincing a user to visit a specially crafted web site, a remote attacker may execute arbitrary commands with root privileges on affected routers. A LAN-based attacker may do the same by issuing a direct request, e.g. by visiting:

http://<router_IP>/cgi-bin/;COMMAND

An exploit leveraging this vulnerability has been publicly disclosed.

This vulnerability has been confirmed in the R7000 and R6400 models. Community reports also indicate the R8000, firmware version 1.0.3.4_1.1.2, is vulnerable. Other models may also be affected.[...]
http://www.kb.cert.org/vuls/id/582384
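On the defender's side, the one thing worth doing besides pulling the router is watching for the request shape the advisory quotes. The following is an added example, not code from this thread or from CERT: a small Python scanner that reads Common Log Format access-log lines (the log format, the client addresses and the sample lines are constructed assumptions) and flags requests whose path after /cgi-bin/ carries shell metacharacters, including URL-encoded and double-encoded variants of the /cgi-bin/;COMMAND pattern.

```python
import re
from urllib.parse import unquote

# Common Log Format: client ident user [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters that turn a CGI path into a command line (CWE-77).
SHELL_META_RE = re.compile(r'[;&|`$]')

def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def decode_path(path):
    """Decode twice so a double-encoded ';' (%253B) is also caught."""
    return unquote(unquote(path))

def is_cgi_injection(path):
    """True when the path component after /cgi-bin/ carries shell metacharacters,
    the /cgi-bin/;COMMAND shape from VU#582384. The query string is ignored, so
    '&' separating ordinary CGI parameters does not trigger a hit."""
    decoded = decode_path(path).split('?', 1)[0]
    idx = decoded.find('/cgi-bin/')
    if idx < 0:
        return False
    return bool(SHELL_META_RE.search(decoded[idx + len('/cgi-bin/'):]))

def scan_log(lines):
    """Return (client, decoded_path) for every request flagged as an attempt."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_cgi_injection(rec['path']):
            hits.append((rec['client'], decode_path(rec['path'])))
    return hits

# Constructed sample log lines (not real traffic): one LAN client sends the raw
# and the URL-encoded form of the pattern quoted in the advisory.
SAMPLE_LOG = [
    '192.168.1.50 - - [13/Dec/2016:10:01:02 +0000] "GET /cgi-bin/;COMMAND HTTP/1.1" 200 512',
    '192.168.1.50 - - [13/Dec/2016:10:01:05 +0000] "GET /cgi-bin/%3BCOMMAND HTTP/1.1" 200 512',
    '192.168.1.20 - - [13/Dec/2016:10:02:00 +0000] "GET /cgi-bin/status.cgi?a=1&b=2 HTTP/1.1" 200 2048',
    '192.168.1.21 - - [13/Dec/2016:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 1024',
    'not a log line',
]
```

Run scan_log over a real access log exported from the router or from a proxy in front of it; a hit from a LAN address is exactly the direct-request case the advisory describes.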
 
Thx, read this over on DSLReports' Forums. Stuff like this keeps me buying a couple of Powerball tickets each week...
 
I am curious to see how fast Netgear gets an official fix for this vulnerability. While some are complaining that Netgear is being rather non-responsive to complaints/queries, it doesn't mean they are not trying to create and test a fix/patch etc. Maybe by Wednesday we'll see Netgear officially acknowledge a fix/patch for this problem. In the meantime, I'll remain reserved on being overly critical. Btw, it is rather peculiar that Netgear would have certain items run as root. Not what one might say is a safe practice.
 