Netgear is facing a race against time to release a patch for 79 of its routers, dating as far back as 2007, after a serious vulnerability was discovered in their firmware. So serious, in fact, that a hacker is able to remotely take control of your router.
As ZDNet reports, the security flaw was discovered by two researchers independently. The first is Adam Nichols, lead of the Software Application Security team at GRIMM. The second is a researcher known only as d4rkness, who works for the Vietnamese ISP VNPT. Nichols detailed the vulnerability on the GRIMM blog, but only after giving Netgear several months' notice in which to produce patches for the routers, which the company has yet to do. The full list of affected router models has been posted on GitHub.
The vulnerability stems from the web server Netgear uses on its routers, which Nichols explains “has had very little testing” and is therefore, unsurprisingly, open to exploitation. In this case, three weaknesses combine: Netgear isn’t properly validating the user input for its administration panel; it isn’t using “stack cookies,” which protect against buffer overflow attacks; and the web server code isn’t compiled as a Position-Independent Executable (PIE), so it can’t take full advantage of address space layout randomization (ASLR), which again protects against buffer overflow attacks.
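Both missing build-time mitigations can be checked on any ELF binary pulled from a firmware image. The following is an added example, not code from GRIMM, ZDNet or Netgear: the function names and the sample bytes are constructed for illustration, and the stack-cookie test is a heuristic that looks for the `__stack_chk_fail` symbol name the compiler references when stack protection is enabled.

```python
import struct

ET_EXEC, ET_DYN = 2, 3  # ELF e_type: fixed-address executable vs. PIE/shared object


def elf_hardening(data: bytes) -> dict:
    """Report PIE and stack-cookie status for an ELF image held in memory."""
    if len(data) < 18 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    # EI_DATA (byte 5): 1 = little-endian, 2 = big-endian (common on MIPS routers).
    if data[5] not in (1, 2):
        raise ValueError("unknown ELF byte order")
    endian = "<" if data[5] == 1 else ">"
    # e_type is the 16-bit field immediately after the 16-byte e_ident array.
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return {
        # ET_DYN also covers shared libraries; for a main program it means PIE.
        "pie": e_type == ET_DYN,
        # Heuristic (assumption): canary-protected code references this symbol.
        "stack_cookies": b"__stack_chk_fail" in data,
    }


def make_sample_elf(e_type: int, big_endian: bool, with_canary: bool) -> bytes:
    """Build a constructed, minimal ELF-like header for demonstration only."""
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1]) + bytes(9)
    header = struct.pack((">" if big_endian else "<") + "H", e_type)
    strings = b"\x00__stack_chk_fail\x00" if with_canary else b""
    return ident + header + bytes(34) + strings


if __name__ == "__main__":
    # Constructed samples: a big-endian binary with neither mitigation, and a
    # little-endian binary with both.
    print(elf_hardening(make_sample_elf(ET_EXEC, True, False)))
    print(elf_hardening(make_sample_elf(ET_DYN, False, True)))
```

To check a real binary, pass the bytes of a file extracted from the firmware image, for example `elf_hardening(open(path, "rb").read())`.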
When you put all that together, the result is a router that can be exploited remotely using nothing more than crafted malicious HTTP requests. In total, some 758 different firmware versions, which Netgear has used across 79 different router models for the past 13 years, contain the vulnerability.
Nichols managed to craft an exploit for each of the 758 vulnerable firmware images and tested 28 to ensure they worked as expected. Netgear was informed of the vulnerability on Jan 8 this year and then requested more time to produce patches before details of the vulnerability were made public. Netgear’s extended time ran out on June 15, and now the details are being released. Netgear’s request to extend its time to the end of June was declined, but hopefully that means patches will appear within the next couple of weeks.