Netgear Router Vulnerability Prompts US-CERT Warning to Stop Using the Devices

A Netgear router vulnerability that has remained unpatched for three months has now been publicly disclosed, placing users at risk of their devices being hacked.

The threat is severe enough that US-CERT has issued a stern warning to all users of the devices, strongly advising them to replace the devices. US-CERT Coordination Center at Carnegie Mellon University assigned the Netgear router vulnerability a rating of 9.3 out of 10.

An exploit for the Netgear router vulnerability was published by a security researcher going by the handle Acew0rm on Friday last week. Acew0rm claims that he notified Netgear of the flaw in August this year, yet received no response, and a patch has yet to be developed.

Following the publication of the exploit, Netgear initially confirmed that its R6400, R7000, and R8000 routers are potentially vulnerable, although a researcher going by the name Kalypto claims that many other Netgear Nighthawk devices are also vulnerable, including its R7000, R7000P, R7500, R7800, R8500 and R9000 models.

The vulnerability allows remote execution of Linux commands as a result of improper input sanitization in a form used by the web-based management interface of the routers. The vulnerability can be exploited even when management interfaces are not exposed to the Internet, because attackers could reach the devices through cross-site request forgery (CSRF) attacks.

All that is required for a router to be compromised is for a user to visit a specially crafted webpage with commands written into the URL. If a user visited that webpage, an attacker could issue commands which would be accepted without any need for authentication.
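For defenders who keep web proxy logs, the pattern described above (a page on another site causing a browser to request a router URL that carries shell commands) can be looked for directly. The following is an added example, not code from US-CERT, Netgear or the researchers; the log format, the `apply.cgi` and `status.cgi` paths and all sample lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Characters a shell treats specially; none belong in a router admin URL.
SHELL_META = re.compile(r"[;|&`$<>]")

# Constructed proxy log: client, requested URL, Referer ("-" if absent).
# The apply.cgi and status.cgi paths are hypothetical, not Netgear's.
SAMPLE_LOG = """\
10.0.0.23 http://192.168.1.1/status.cgi?page=wan&lang=en http://192.168.1.1/index.htm
10.0.0.23 http://192.168.1.1/apply.cgi?host=a%3Bid http://news.example/article.html
10.0.0.40 http://example.org/search?q=a%3Bb -
10.0.0.40 http://192.168.1.1/apply.cgi?host=a%7Cid -
"""

def is_lan_address(host):
    """True when the host is a literal private IP, e.g. a home gateway."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # host names are not resolved in this sketch

def classify(url, referer):
    """Return None if benign, else how the request reached the router."""
    target = urlsplit(url)
    if not target.hostname or not is_lan_address(target.hostname):
        return None
    # Split the query on raw '&' first so a decoded %26 still counts.
    pieces = [target.path] + target.query.split("&")
    if not any(SHELL_META.search(unquote(p)) for p in pieces):
        return None
    if referer == "-":
        return "no-referer"
    origin = urlsplit(referer).hostname
    return "same-origin" if origin == target.hostname else "cross-site"

def scan(log_text):
    """Return (client, url, verdict) for every flagged log line."""
    hits = []
    for line in log_text.splitlines():
        client, url, referer = line.split()
        verdict = classify(url, referer)
        if verdict:
            hits.append((client, url, verdict))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

A "cross-site" verdict matches the CSRF route the article describes; a "no-referer" hit still deserves a look, since browsers and privacy settings can strip the header.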

Netgear has now confirmed that the following routers are vulnerable: R6250, R6400, R6700, R7000, R7100LG, R7300, R7900, R8000. The company is working on a new production firmware version that fixes the command injection vulnerability. The firmware upgrade will be rolled out as soon as it is available.

A beta version of the firmware is available for R6400, R7000, and R8000 models of Netgear routers and can be downloaded from Netgear’s firmware release page.

Until the firmware is updated, US-CERT recommends unplugging the router and ceasing to use it immediately. US-CERT says that when a fix is issued, the update should be loaded onto a flash drive and applied while the router is offline.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news