Critical Root RCE Bug Affects Multiple Netgear SOHO Router Models

Netgear, the router company, has released another round of patches to remediate a high-severity remote code execution vulnerability affecting multiple routers that could be exploited by remote attackers to take control of an affected system.

The vulnerability, CVE-2021-34991 (CVSS score: 8.8), is a pre-authentication buffer overflow flaw in the Universal Plug and Play (UPnP) feature, which is used to detect changes within devices on the network. It allows network-adjacent attackers to take control of a system. No authentication is required to perform the attack, which means any attacker with network access to the affected device can carry it out.

The UPnP daemon accepts unauthenticated HTTP SUBSCRIBE and UNSUBSCRIBE requests, which devices use to receive notifications from other devices when certain configuration changes, such as media sharing, occur.

Adam Nichols, a security researcher at GRIMM, found a stack overflow bug in the code that handles UNSUBSCRIBE requests, which allows an adversary to send a specially crafted HTTP request and run malicious code on the affected device, including resetting the administrator password and delivering arbitrary payloads. Once the password has been reset, the attacker can log in to the web server and modify any settings or launch further attacks on the web server.

Nichols said that the UPnP daemon runs as root, the highest-privileged user on Linux, so the code executed on behalf of the attacker runs as root as well. With root access on a device, an attacker can read and modify all traffic that passes through it. It is said that this is the first time vulnerable UPnP implementations have been uncovered in networked devices.

Security researcher Yunus Çadirci discovered the CallStranger vulnerability (CVE-2020-12695, CVSS score: 7.5) in June 2020, in which a remote unauthenticated attacker may be able to abuse the UPnP SUBSCRIBE capability to send traffic to arbitrary destinations, resulting in amplified DDoS attacks and data exfiltration.

CVE-2021-34991: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6400v2 1.0.4.106_10.0.80 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UPnP service, which listens on TCP port 5000 by default. When parsing the uuid request header, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-14110.
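The flaw described above is the classic CWE-787 pattern: a header value of attacker-controlled length copied into a fixed-length stack buffer. The following is an added example, not Netgear's, GRIMM's or ZDI's code, showing what the missing check looks like in a hardened handler. It assumes the subscription id arrives in a header named SID with a value of the form uuid:<UUID> (the advisory only says "uuid request header"), a 64-byte buffer, a minimal request parser (find_header), and constructed request text with an RFC 5737 documentation address; all of these are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Fixed stack buffer size for the subscription id. The size is an
 * assumption for this example; the advisory does not give the real one. */
#define SID_BUF_LEN 64

/* Locate a header value in a raw request (hypothetical helper, not the
 * daemon's parser). Header names are matched case-insensitively. Returns a
 * pointer into the request plus the value's length, or NULL if absent. */
static const char *find_header(const char *req, const char *name, size_t *vlen)
{
    size_t nlen = strlen(name);
    const char *line = req;
    while (line != NULL && *line != '\0') {
        const char *eol = strstr(line, "\r\n");
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen > nlen && line[nlen] == ':' && strncasecmp(line, name, nlen) == 0) {
            const char *v = line + nlen + 1, *end = line + llen;
            while (v < end && (*v == ' ' || *v == '\t')) v++;
            *vlen = (size_t)(end - v);
            return v;
        }
        line = eol ? eol + 2 : NULL;
    }
    return NULL;
}

/* Allow-list check: "uuid:" followed by the 36-character 8-4-4-4-12 hex
 * form. Anything else is rejected before a single byte is copied. */
static int sid_is_well_formed(const char *v, size_t vlen)
{
    static const char prefix[] = "uuid:";
    const size_t plen = sizeof prefix - 1;
    if (vlen != plen + 36 || memcmp(v, prefix, plen) != 0) return 0;
    for (size_t i = 0; i < 36; i++) {
        char c = v[plen + i];
        int dash = (i == 8 || i == 13 || i == 18 || i == 23);
        if (dash ? c != '-' : !isxdigit((unsigned char)c)) return 0;
    }
    return 1;
}

/* Hardened UNSUBSCRIBE handling. The flaw the advisory describes copied
 * the header value into a fixed-length stack buffer without checking its
 * length (CWE-787); here the length is compared with the destination
 * (terminator included) and the format is validated before any copy.
 * Returns 0 on success, -1 missing header, -2 oversized, -3 malformed. */
int handle_unsubscribe(const char *request, char *sid_out, size_t out_len)
{
    size_t vlen = 0;
    const char *v = find_header(request, "SID", &vlen);
    if (v == NULL) return -1;
    if (vlen >= out_len) return -2;           /* the check that was missing */
    if (!sid_is_well_formed(v, vlen)) return -3;
    memcpy(sid_out, v, vlen);
    sid_out[vlen] = '\0';
    return 0;
}

/* Builds a constructed UNSUBSCRIBE request carrying the given SID value.
 * 192.0.2.1 is an RFC 5737 documentation address; port 5000 is the UPnP
 * port named in the advisory. Returns -1 if the request does not fit. */
int build_request(const char *sid_value, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen,
                     "UNSUBSCRIBE /upnp/event/service HTTP/1.1\r\n"
                     "HOST: 192.0.2.1:5000\r\n"
                     "SID: %s\r\n\r\n", sid_value);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

/* Runs the handler on a request carrying sid_value with a SID_BUF_LEN
 * stack buffer and returns the handler's status code. */
int check_sid_value(const char *sid_value)
{
    char req[512];
    char sid[SID_BUF_LEN];
    if (build_request(sid_value, req, sizeof req) != 0) return -1;
    return handle_unsubscribe(req, sid, sizeof sid);
}

/* Status for a constructed SID value several times longer than the buffer. */
int check_oversized_sid(void)
{
    char big[256];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return check_sid_value(big);
}

int main(void)
{
    printf("well-formed: %d\n", check_sid_value("uuid:12345678-1234-1234-1234-123456789abc"));
    printf("oversized:   %d\n", check_oversized_sid());
    printf("malformed:   %d\n", check_sid_value("uuid:not-a-uuid"));
    return 0;
}
```

The two defences are independent: the length comparison against the destination alone already closes the overflow, while the format allow-list rejects anything that is not a subscription id before it reaches the copy. A value that passes neither is refused without touching the stack buffer, which is the behaviour the unpatched daemon lacked.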

CVSS Scores & Vulnerability Types:

CVSS Score: 8.3
Confidentiality Impact: Complete (There is total information disclosure, resulting in all system files being revealed.)
Integrity Impact: Complete (There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised.)
Availability Impact: Complete (There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable.)
Access Complexity: Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit.)
Authentication: Not required (Authentication is not required to exploit the vulnerability.)
Gained Access: None
Vulnerability Type(s): Execute Code
CWE ID: 787 (Out-of-bounds Write)


Impact of Remote Code Execution Vulnerability:

Remote code execution can leave the application and its users at high risk, impacting the confidentiality and integrity of data. An attacker who can execute commands with system or server privileges can:

  • Add, read, modify, or delete files
  • Change access privileges
  • Turn configurations and services on and off
  • Communicate with other servers

Remediation of Remote Code Execution Vulnerability:

Robust security measures must be in place, and we should always be aware of how our server handles user-provided input. Remote code execution can be mitigated with the following techniques:

  • Timely patching or installation of software updates is an essential preventative measure.
  • Avoid using user input inside the evaluated code.
  • Don’t use functions such as eval at all.
  • Use safe practices for secure file uploads and never allow a user to decide the extension or content of files on the web server.