Users of certain models of mass-market Netgear routers have been advised by Carnegie Mellon University's Computer Emergency Response Team (CERT) to stop using the devices until a serious and easily exploited flaw is fixed.
The CERT issued an advisory over the weekend for Netgear router models R6400 and R7000, with R8000 also believed to be vulnerable to arbitrary command injection.
Netgear firmware version 126.96.36.199_1.1.93 and earlier running on the above routers is vulnerable to the exploit.
Other models could also be affected by the flaw, which was discovered by a researcher using the moniker Acew0rm, the CERT said.
The vulnerability lies in the routers' browser-based management interface. The web server's common gateway interface (CGI) allows anyone to run arbitrary system commands with superuser (root) privileges.
Exploiting the vulnerability is simple: on the local area network, an attacker can request a URL with a command string appended.
To start up an unprotected telnet remote access daemon listening on TCP port 45, all an attacker has to do is type: http://IP-ADDRESS-OF-ROUTER/cgi-bin/;telnetd$IFS-p$IFS'45', where "IP-ADDRESS-OF-ROUTER" is the local IP address of the Netgear device, often 192.168.0.1 or similar.
Attackers can exploit the vulnerability remotely by tricking local users into clicking on similar command injection links.
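Requests of this shape stand out in proxy or web-filter logs, which gives defenders a way to see whether a client on the network has followed such a link. The Python below is an added example, not code from the article, the CERT or Netgear; the log layout, the client addresses and the function names are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Path shape described in the article: /cgi-bin/ followed directly by ';' and a command.
INJECTION = re.compile(r"/cgi-bin/;(?P<cmd>[^\s\"]*)", re.IGNORECASE)
# Assumed log layout (common-log style): client, timestamp, "METHOD URL PROTO".
REQUEST = re.compile(r'^(?P<client>\S+) .*?"(?:GET|POST|HEAD) (?P<url>\S+)')


def fully_unquote(url, rounds=3):
    """Percent-decode repeatedly so %3B and %253B both become ';'."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def find_injections(lines):
    """Return (client, decoded_url, readable_command) for each matching request."""
    hits = []
    for line in lines:
        req = REQUEST.match(line)
        if not req:
            continue  # not a request line in the assumed layout
        url = fully_unquote(req.group("url"))
        m = INJECTION.search(url)
        if m:
            # $IFS stands in for whitespace; expand it so an analyst can read the command.
            cmd = re.sub(r"\$\{?IFS\}?", " ", m.group("cmd")).replace("'", "")
            hits.append((req.group("client"), url, cmd.strip()))
    return hits


# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.23 - - [12/Dec/2016:09:14:02 +0000] "GET http://192.168.0.1/cgi-bin/;telnetd$IFS-p$IFS\'45\' HTTP/1.1" 200 0',
    '10.0.0.31 - - [12/Dec/2016:09:15:40 +0000] "GET http://192.168.0.1/cgi-bin/%253Buname HTTP/1.1" 200 58',
    '10.0.0.23 - - [12/Dec/2016:09:16:11 +0000] "GET http://192.168.0.1/start.htm HTTP/1.1" 200 4312',
    '10.0.0.40 - - [12/Dec/2016:09:17:05 +0000] "GET http://example.com/cgi-bin/search?q=a;b HTTP/1.1" 200 911',
]

if __name__ == "__main__":
    for client, url, cmd in find_injections(SAMPLE_LOG):
        print(f"{client} requested injected command: {cmd!r}")
```

The last sample line shows that an ordinary CGI request containing a semicolon in its query string is not flagged, because the semicolon does not follow /cgi-bin/ directly.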
Although the CMU CERT said it was "currently unaware of a practical solution" for the issue, Dutch researcher Bas van Schaik worked out a way to temporarily stop the vulnerability from being exploited.
It is possible to use the flaw to turn off the vulnerable web server in the affected routers, van Schaik discovered.
Users can issue this command:
Alternatively, most Netgear routers provide access to the management web server interface with this URL:
The command turns off the web server (httpd) so it no longer runs system commands via the CGI. After the command has been issued, it is not possible to access the management interface through a web browser, but the changes are not permanent and the web server will start up again if the router is restarted.
Netgear is yet to issue a security advisory or firmware fix for the vulnerability.
iTnews has contacted Netgear for comment.
Update 7am 13/12/16: Netgear has acknowledged the command injection issue, admitting its R6400, R7000 and R8000 might be vulnerable. The company said it is investigating the issue, but has yet to provide an update.
The flaw affects more devices than just the above three Netgear models: a researcher using the moniker Kalypto Pink tested further Netgear router models and found R7000P, R7500, R7800, R8500, and R9000 to be vulnerable.
It is possible to use the flaw to check your router for the vulnerability, van Schaik said.
If the UNIX “uname” command as per below returns any text output instead of an error message or blank page, the router in question is vulnerable to CGI command injection, he said.
Update 19/12: Netgear has tested a range of its routers for the vulnerability, and issued a production firmware update for the R6400, R7000, and R8000 models.
Beta firmware with a fix for the flaw is available for the Netgear R6250, R6700, R6900, R7100LG, R7300DST, R7900, D6220 and D6400 routers.