More than 40 Netgear routers will not receive RCE bug patches

In June of this year, experts Adam Nichols and d4rkn3ss warned that 79 models of Netgear routers are vulnerable to a serious bug that could allow hackers remotely take full control of the device. It has now become known that over 40 Netgear routers will not receive the RCE bug patches.

The vulnerability affects 758 different firmware versions that have been used in 79 Netgear routers over the years, and some firmware versions can be found on devices released back in 2007.

The issue is related to the web server component that is included with the Netgear firmware. This web server is used to support the built-in administration panel.

“As it turns out, the server does not validate user input correctly, does not use canary’s cookies to protect memory, and the server binary is not compiled as Position-independent Executable (PIE), which means that ASLR protection is not applied”, – said the experts.

As a result, as experts from Carnegie Mellon University wrote that many Netgear devices are susceptible to a stack buffer overflow that occurs when the httpd web server processes the upgrade_check.cgi file, and as a result, can lead to remote execution of an arbitrary code without authentication and with root- privileges.

Now The Register reports that Netgear developers have decided not to release fixes for 45 models of vulnerable devices, despite the fact that a PoC exploit is already available on the network. The fact is that the support period for these devices has already expired, and Netgear specialists considered that the RCE bug was not a reason to make exceptions.

Devices intended for home users, as well as for small and medium-sized businesses, were mostly left without patches. Trend Micro’s Zero Day Initiative specialist Brian Gorenc told reporters that such situations, unfortunately, are quite common:

“Unfortunately, there are many examples of manufacturers abandoning support for devices that are still widely used and sometimes even available for purchase. We hope manufacturers will be clear about their support policies and device lifecycles so consumers would be able to make informed choices”, — said Brian Gorenc.

Below are the vulnerable Netgear device models that will not receive patches:

  • AC1450
  • D6300
  • DGN2200v1
  • DGN2200M
  • DGND3700v1
  • LG2200D
  • MBM621
  • MBR1200
  • MBR1515
  • MBR1516
  • MBR624GU
  • MBRN3000
  • MVBR1210C
  • R4500
  • R6200
  • R6200v2
  • R6300v1
  • R7300DST
  • WGR614v10
  • WGR614v8
  • WGR614v9
  • WGT624v4
  • WN2500RP
  • WN2500RPv2
  • WN3000RP
  • WN3000RPv2
  • WN3000RPv3
  • WN3100RP
  • WN3100RPv2
  • WN3500RP
  • WNCE3001
  • WNCE3001v2
  • WNDR3300v1
  • WNDR3300v2
  • WNDR3400v1
  • WNDR3400v2
  • WNDR3400v3
  • WNDR3700v3
  • WNDR4000
  • WNDR4500
  • WNDR4500v2
  • WNR3500v1
  • WNR3500Lv1
  • WNR3500v2
  • WNR834Bv2

I also recall that a year ago, Cisco Talos experts warned about dangerous vulnerabilities in NETGEAR routers.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Check Also

Bug in Firefox for Android devices

Firefox bug allowed stealing cookies from Android devices

Independent information security expert Pedro Oliveira spoke about the CVE-2020-15647 bug, which he discovered in …

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.