It has not been a good year for the internet of things, security-wise.
We’ve seen a series of IoT-based DDoS attacks cause widespread disruption of major websites, the release of urgent firmware patches and forced recalls of vulnerable webcams, and European internet users had their internet access torn away after their routers were exploited.
And despite our attempts to encourage users and manufacturers to take greater care over router security, it’s clear that many are turning a blind eye to the problem. If you need any greater illustration of that, consider ESET’s own research, which determined that at least 15% of all home routers used weak passwords and 20% have open telnet ports.
Now, there’s a new threat.
The United States Computer Emergency Readiness Team (US-CERT) has issued a warning that multiple Netgear routers contain a serious vulnerability that allows a remote unauthenticated attacker to execute arbitrary commands with root privileges on affected routers.
Netgear R7000, firmware version 1.0.7.2_1.1.93 and possibly earlier, and R6400, firmware version 1.0.1.12_1.0.11 and possibly earlier, contain an arbitrary command injection vulnerability. By convincing a user to visit a specially crafted web site, a remote unauthenticated attacker may execute arbitrary commands with root privileges on affected routers. A LAN-based attacker may do the same by issuing a direct request, e.g. by visiting:
http://<router_IP>/cgi-bin/;COMMAND
An exploit leveraging this vulnerability has been publicly disclosed by a researcher calling himself Acew0rm, who says he informed Netgear of the issue on August 25th.
Acew0rm has now released a video of what he describes as the “pretty bad” exploit, seemingly in an attempt to encourage a prompt fix.
The flaw is truly trivial to exploit, and is reported to have been confirmed in Netgear’s R7000 and R6400 models. The R8000 router, running firmware version 1.0.3.4_1.1.2, is also thought to be vulnerable.
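For administrators who keep web access logs from the router or from a gateway proxy in front of it, the injection pattern quoted above is easy to look for. The following detection check is an added example, not code from US-CERT, Netgear or the researcher; the log line format, the router host name and the sample log lines are constructed assumptions.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Assumed access-log line format (constructed for this example):
#   <client_ip> "<METHOD> <path> HTTP/1.x" <status> "<referer>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)"$'
)

# A /cgi-bin/ path followed by a shell metacharacter is the
# "/cgi-bin/;COMMAND" shape described in the advisory.
INJECT_RE = re.compile(r'^/cgi-bin/.*[;|`$&]')

# Assumed LAN address of the router; used to tell a same-origin request
# from one triggered by a crafted external web page.
ROUTER_HOST = "192.168.1.1"


def classify(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if it looks benign."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    path = unquote(m["path"])  # catch %3B-style encoding of ';'
    if not INJECT_RE.match(path):
        return None
    referer = m["referer"]
    # No Referer, or one pointing at the router itself: a direct LAN request.
    # Any other Referer: the victim's browser was sent there by another site.
    vector = "direct" if not referer or ROUTER_HOST in referer else "csrf"
    return {"ip": m["ip"], "path": path, "vector": vector}


def scan(lines):
    """Run classify() over a sequence of log lines and keep the findings."""
    return [f for f in (classify(l) for l in lines) if f]


# Constructed sample log: two injection attempts, two benign requests.
SAMPLE_LOG = [
    '192.168.1.50 "GET /cgi-bin/;ls HTTP/1.1" 200 "http://evil.example/page"',
    '192.168.1.50 "GET /cgi-bin/%3Bls HTTP/1.1" 200 ""',
    '192.168.1.7 "GET /cgi-bin/ HTTP/1.1" 200 "http://192.168.1.1/"',
    '192.168.1.7 "GET /index.htm HTTP/1.1" 200 ""',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```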
US-CERT doesn’t mince its words when it comes to its advice for consumers who own vulnerable devices:
Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available.
That seems reasonable advice when you consider just how easily an attacker could trick an unsuspecting internet user into clicking on a booby-trapped link to compromise their router. And, as there are millions of vulnerable routers connected to the internet, this is clearly a serious problem.
Netgear says it is aware of the security issue, and is working on releasing a firmware update that fixes the command injection vulnerability “as quickly as possible.”
Mindful that many users would prefer to have a fix sooner rather than later, Netgear is offering beta versions of the firmware update to users who want to apply it.
The company is also keen to emphasise that “being pro-active rather than re-active to emerging security issues is fundamental”, and urges anyone who uncovers a security issue in its products to make contact via security@netgear.com.