Unpatched Netgear vulnerability leaves routers exposed

Flaw allows hackers to execute arbitrary shell commands on affected devices.

Several models of Netgear routers are affected by a publicly disclosed vulnerability that could allow hackers to take them over.

An exploit for the vulnerability was published Friday by a researcher who uses the online handle Acew0rm. He claims that he reported the flaw to Netgear in August, but did not hear back.

The issue stems from improper input sanitization in a form in the routers web-based management interface and allows the injection and execution of arbitrary shell commands on an affected device.

The U.S. CERT Coordination Center (CERT/CC) at Carnegie Mellon University rated the flaw as critical, assigning it a score of 9.3 out of 10 in the Common Vulnerability Scoring System (CVSS).

Netgear confirmed the vulnerability over the weekend and said that its R7000, R6400 and R8000 routers might be vulnerable. However, another researcher performed a test and reported that other routers from Netgears Nighthawk line are also affected. These include: R7000, R7000P, R7500, R7800, R8500 and R9000.

Users can check if their models are affected by accessing the following URL in a browser when connected to their local area network (LAN): http://[router_ip_address]/w . If this shows any information other than a error or a blank page, the router is likely affected.

In some cases, replacing the IP address with www.routerlogin.net or www.routerlogin.com might also work, because Netgear routers resolve these domains names to their own local IP address.

Since the vulnerability can be exploited with an HTTP request that does not require authentication, hackers can attack the affected routers using cross-site request forgery attacks (CSRF). This works even when the routers do not have their management interfaces exposed to the Internet.

CSRF attacks hijack users browsers when visiting specifically crafted web pages and send unauthorized requests through them. This makes it possible for a malicious website to force a users browser to exploit the router over the LAN.

CERT/CC recommends that users stop using the affected routers until an official patch becomes available, if they can do so. However, there is a workaround that involves exploiting the flaw to stop the routers web server and prevent future attacks. This can be done with the following command: http://[router_IP_address]/cgi-bin/;killall$IFS"httpd" .

Because the web server will be shut down, the management interface will no longer be available and further attempts to exploit the vulnerability will fail, but this is only a temporary solution and needs to be reapplied every time the router is rebooted.

In order to protect themselves from CSRF attacks against routers in general, users should change their routers default IP address. Most of the time, routers will be assigned the first address in a predefined netblock, for example 192.168.0.1, and these are the addresses that hackers will try to attack via CSRF.

Routers have become an attractive target for hackers in recent years as they can be used to spy on user traffic and launch other attacks. Most commonly they are infected with malware and used in distributed denial-of-service (DDoS) campaigns.

There are many steps that users can take to improve the security of their routers and make it less likely that they will get hacked.