Table of Contents
Adam Bannister
23 September 2021 at 12:47 UTC
Updated: 24 September 2021 at 09:07 UTC
Bug in third-party code offers salutary lessons around enterprise risk management, say researchers
UPDATED Multiple Netgear routers contained a third-party vulnerability that could lead to remote code execution (RCE) via Manipulator-in-the-Middle (MitM) attacks, security researchers have revealed.
Now patched, the vulnerability (CVE-2021-40847) was found in the update process for Circle, a third-party application that provides parental control features in the affected, small office/home office (SOHO) devices.
The Circle update daemon, , “connects to Circle and Netgear to obtain version information and updates” for its filtering database, infosec firm GRIMM explained in a blog post published on Tuesday (September 21).
RELATED VPN users unmasked by zero-day vulnerability in Virgin Media routers
However, database updates from Netgear were unsigned and downloaded via HTTP, which meant attackers could “respond to update requests with a specially-crafted, compressed database file, the extraction of which gives the attacker the ability to overwrite executable files with attacker-controlled code.”
DNS-based MitM
Successful exploitation of the high-severity bug (CVSS 8.1) hinges on attackers being able to intercept and modify a vulnerable router’s network traffic.
But while the MitM “requirement does reduce the number of scenarios in which the vulnerability is exploitable, it doesn’t change the impact of successful exploitation,” GRIMM told The Daily Swig.
The researchers outlined a DNS-based MitM attack that raced DNS queries from the Circle update daemon. These races are reliably won with GRIMM’s proof-of-concept (PoC) exploit, making code execution “trivial to obtain”, said GRIMM.
Other forms of MitM attacks could potentially work too, added the firm.
The researchers said compromised routers could also form “part of a larger chain to infiltrate more secure environments”.
This could involve compromising the internet service provider (ISP) via phishing, before compromising vulnerable Netgear routers as well as computers connected to the devices via a flaw such as the PrintNightmare vulnerability, suggested GRIMM.
Attackers could then pivot to the corporate network to “exfiltrate corporate data or launch further attacks”.
‘Attack surface reduction’
GRIMM also said the “vulnerability once again demonstrates the importance of attack surface reduction” given that the Circle update daemon, unlike the parental controls, is enabled by default.
“While it doesn’t fix the underlying issue, simply disabling the vulnerable code when Circle is not in use would have prevented exploitation on most devices,” reads the blog post.
Read more of the latest hardware security news
Even though SOHO devices are designed for home offices or small businesses, the dramatic increase in home working due to the Covid-19 pandemic highlights a blind spot for enterprises, argued GRIMM.
“SOHO devices typically fly under the radar when it comes to cybersecurity risk management,” said the infosec firm, which recommends that enterprises use virtual private networks (VPNs) to mitigate SOHO risks.
GRIMM first attempted to notify the vendor of the flaw on July 23, making three attempts overall before notifying the US Cybersecurity and Infrastructure Security Agency (CISA) on August 9 and subsequently coordinating with Netgear.
The vendor released firmware upgrades on September 21. Affected models include R6400v2, R6700, R6700v3, R6900, R6900P, R7000, R7000P, R7850, R7900, R8000, and RS400.
Netgear has not responded to additional queries from The Daily Swig. We will update the story if and when it does.
This article was updated with a comment from GRIMM on September 24.
YOU MAY ALSO LIKE VMware security warning: Multiple vulnerabilities in vCenter Server could allow remote network access
https://portswigger.net/daily-swig/netgear-fixes-rce-flaw-in-routers-parental-controls-feature
More Stories
How to set up parental controls on your PS5
Today’s young ones are tech-savvy at a quite younger age, but you may well not want your kids sitting down...
iOS 16.6.1 now out there to correct Display Time parental management bug
A thirty day period soon after iOS 16.6 was released by Apple, the company is now building iOS 16.6.1 obtainable...
The Ultimate Parental Management Application
Introduction In today’s technology-pushed planet, trying to keep observe of your children’s digital pursuits is a increasing issue. Mothers and...
2 in 3 Parents Report Their Boy or girl Has Been Negatively Influenced by Social Media
Even with reporting their young children have expert destructive outcomes of social media, a lot less than 50 percent of...
Parental Control Market Scope, & Growth Rate | 2023-2031
Parental Control Market Research Report with 104 pages (Analysis and Scope):Parental Control Market research report give overview of industry development,...
Xsolla to Showcase Parental Control, Expansion in Asian Market place, and New Partnerships at Devcom and Gamescom 2023
COLOGNE, Germany, August 15, 2023--(Business enterprise WIRE)--Xsolla, a world-wide movie activity commerce enterprise, is attending and presenting at Devcom Developer...