Many Netgear router models contain serious RCE security holes

Network equipment maker Netgear has just released a patch for a critical vulnerability in some router models. Exploiting this vulnerability, hackers can deploy remote code execution (RCE) attacks to take control of the affected system.

This vulnerability is assigned code CVE-2021-40847 and affects the following router models:

1. R6400v2 (patched with firmware version 1.0.4.120)
2. R6700 (patched with firmware version 1.0.2.26)
3. R6700v3 (patched with firmware version 1.0.4.120)
4. R6900 (fixed with firmwaren 1.0.2.26)
5. R6900P (patched with firmware version 3.3.142_HOTFIX)
6. R7000 (patched with firmware version 1.0.11.128)
7. R7000P (patched with firmware version 1.3.3.142_HOTFIX)
8. R7850 (patched with firmware version 1.0.5.76)
9. R7900 (patched with firmware version 1.0.4.46)
10. R8000 (patched with firmware version 1.0.4.76)
11. RS400 (patched with firmware version 1.5.1.80)

According to GRIMM security researcher Adam Nichols, the vulnerability resides in Circle, a third-party component in the firmware. It provides parental control features in Netgear devices.

Many Netgear router models contain serious RCE security holes Picture 1

More dangerously, the problem is related to Circle's update mechanism (deamon), which is enabled by default even if the router has not been set up to limit access time. This leads to hackers being able to execute RCE as root through Man-in-the-Middle (MitM) attack.

Update daemon connects Circle and Netgear together to find and load updates to the filter database. However, neither side is certified and downloads using the HTTP protocol. Therefore, hackers can break into the connection to install malicious files.

To ensure safety, Netgear recommends that users immediately update to the latest firmware versions.

David Pac

Update 24 September 2021