Researchers point out that the vulnerability has not been patched. The issue is located in the httpd web server of the affected firmware and is described as a memory-safety flaw; specifically, attackers could bypass authentication on vulnerable Netgear routers. The issue has been found by both a researcher (d4rkn3ss) reporting through the Zero Day Initiative (ZDI) and by Adam Nichols of cybersecurity company Grimm. “The specific flaw exists within the httpd service, which listens on TCP Port 80 by default,” according to the ZDI report. “The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer.” Importantly, attackers would not need to authenticate to exploit the flaw, and a successful attack gains root privileges on the device. Nichols found the same flaw in the Netgear R7000 router series but said it is also present in a total of 79 devices. “This vulnerability affects firmwares as early as 2007 (WGT624v4, version 2.0.6),” he said. “Given the large number of firmware images, manually finding the appropriate gadgets is infeasible. Rather, this is a good opportunity to automate gadget detection.”
No Patch
Netgear was informed by ZDI in January but missed the 90-day timeframe to fix the issue. With no patch in sight, ZDI has disclosed the information. Netgear asked for the 90-day limit to be extended until the end of this month, but ZDI decided to go public. Nichols attributes the exploitability of the flaw to missing stack cookies, a protection that detects a stack buffer overflow before any malicious code can run. Netgear routers support this protection, but some firmware versions have not included it. “Later versions of the D8500 and R6300v2 stopped using stack cookies, making this vulnerability once again exploitable,” Nichols explained in the post. “This is just one more example of how SOHO device security has fallen behind as compared to other modern software.” With no patch available, owners of affected routers have a single mitigation to protect their devices: ZDI says users can restrict interaction with the router to trusted machines. “Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it,” according to the report. “This could be accomplished in a number of ways, most notably with firewall rules/whitelisting.”
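The bug class ZDI describes (an unchecked length copied into a fixed-size stack buffer) and the stack-cookie point Nichols makes are illustrated by the following added example. It is a hypothetical reconstruction written for this article, not Netgear's httpd code; the buffer size, function names and header values are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define HDR_MAX 64  /* hypothetical fixed-length stack buffer, like the one in httpd */
/* Flawed pattern as the ZDI report describes it (reconstruction, not Netgear's
 * code): value_len comes straight from the request and is never compared with
 * the destination size, so an oversized value overruns the stack frame. A stack
 * cookie only turns that overrun into a crash; builds without one stay exploitable. */
void copy_header_unchecked(const char *value, size_t value_len)
{
    char buf[HDR_MAX];
    memcpy(buf, value, value_len);  /* no bound check against sizeof buf */
    (void)buf;
}

/* Hardened form: refuse any value that does not fit together with its terminator. */
static bool copy_header_checked(const char *value, size_t value_len,
                                char *out, size_t out_len)
{
    if (out_len == 0 || value_len >= out_len)
        return false;  /* too long: reject the request rather than overflow */
    memcpy(out, value, value_len);
    out[value_len] = '\0';
    return true;
}

/* Returns true when the header value was accepted into a HDR_MAX-byte stack buffer. */
bool handle_header(const char *value, size_t value_len)
{
    char buf[HDR_MAX];
    return copy_header_checked(value, value_len, buf, sizeof buf);
}

/* Constructed sample: a 200-byte value, well past HDR_MAX, must be rejected. */
bool oversized_value_rejected(void)
{
    char big[200];
    memset(big, 'A', sizeof big);
    return !handle_header(big, sizeof big);
}

int main(void)
{
    printf("short value accepted: %d\n", handle_header("text/html", 9));
    printf("oversized value rejected: %d\n", oversized_value_rejected());
    return 0;
}
```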