Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title Multiple Netgear routers are vulnerable to arbitrary command injection
Informations
NameVU#582384First vendor Publication2016-12-09
VendorVU-CERTLast vendor Modification2017-01-03
Severity (Vendor) N/ARevisionM

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score9.3Attack RangeNetwork
Cvss Impact Score10Attack ComplexityMedium
Cvss Expoit Score8.6AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#582384

Multiple Netgear routers are vulnerable to arbitrary command injection

Original Release date: 09 Dec 2016 | Last revised: 03 Jan 2017

Overview

Netgear R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, and D6400 routers and possibly other models are vulnerable to arbitrary command injection.

Description

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'), CWE-306: Missing Authentication for Critical Function, and CWE-352: Cross-Site Request Forgery (CSRF)

R6250, R6400, R6700, R6900, R7000, R7100LG, R7300, R7900, R8000, D6220, and D6400 contain an unauthenticated command injection vulnerability that may be executed directly or via cross-domain requests. Known affected firmware versions include Netgear R7000 version 1.0.7.2_1.1.93, R6400 version 1.0.1.12_1.0.11, and R8000 version 1.0.3.4_1.1.2. Earlier versions may also be affected. The command injection vulnerability has been assigned CVE-2016-6277.

By convincing a user to visit a specially crafted web site, a remote, unauthenticated attacker may execute arbitrary commands with root privileges on affected routers. An unauthenticated, LAN-based attacker may do the same by issuing a direct request, e.g. by visiting:

http:///cgi-bin/;COMMAND

An exploit demonstrating these vulnerabilities has been publicly disclosed.

Netgear's advisory indicates that the R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, and D6400 are vulnerable, though affected firmware versions are not enumerated. The vendor has indicated in their advisory that all listed models now have firmware updates available.

Impact

By convincing a user to visit a specially crafted web site, a remote unauthenticated attacker may execute arbitrary commands with root privileges on affected routers.

Solution

Apply an update

Netgear has released firmware updates for the affected models specified in their advisory. Users are strongly encouraged to update as soon as possible. For users unable or unwilling to apply a firmware fix, we recommend the following workarounds.

Disable web server

The very vulnerabilities that exist on affected routers may be used to temporarily disable the vulnerable web server until the device is restarted:
http:///cgi-bin/;killall$IFS'httpd'
Note that after performing this step, your router's web administration not be available until the device is restarted. Please see Bas' Blog for more details.

Do not enable remote administration

Enabling remote administration allows affected routers to be exploited via direct requests from the WAN. As such, users are strongly advised to leave remote administration disabled, or disable it if is has been enabled previously.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Netgear, Inc.Affected09 Dec 201611 Dec 2016
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base9.3AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal9.3E:H/RL:U/RC:C
Environmental7.0CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://kb.netgear.com/000036386/CVE-2016-582384
  • https://www.exploit-db.com/exploits/40889/
  • https://cwe.mitre.org/data/definitions/77.html
  • http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/
  • https://kalypto.org/research/netgear-vulnerability-expanded/

Credit

Thanks to Chad Dougherty for alerting us to this vulnerability.

This document was written by Joel Land.

Other Information

  • CVE IDs:CVE-2016-6277
  • Date Public:07 Dec 2016
  • Date First Published:09 Dec 2016
  • Date Last Updated:03 Jan 2017
  • Document Revision:65

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/582384

CWE : Common Weakness Enumeration

%idName
100 %CWE-352Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)

CPE : Common Platform Enumeration

TypeDescriptionCount
Hardware1
Hardware1
Hardware1
Hardware1
Hardware1
Hardware1
Hardware1
Hardware1
Hardware1
Hardware1
Hardware1
Os2
Os2
Os1
Os1
Os1
Os1
Os1
Os1
Os1
Os1
Os1

Nessus® Vulnerability Scanner

DateDescription
2016-12-14Name : The remote router is affected by a remote command execution vulnerability.
File : netgear_cmd_exec.nasl - Type : ACT_ATTACK

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
DateInformations
2017-01-04 00:20:26
  • Multiple Updates
2016-12-22 21:24:49
  • Multiple Updates
2016-12-19 21:24:03
  • Multiple Updates
2016-12-19 17:23:28
  • Multiple Updates
2016-12-15 13:25:11
  • Multiple Updates
2016-12-15 00:22:44
  • Multiple Updates
2016-12-14 21:25:51
  • Multiple Updates
2016-12-14 17:23:41
  • Multiple Updates
2016-12-14 00:23:57
  • Multiple Updates
2016-12-13 21:24:04
  • Multiple Updates
2016-12-13 00:20:52
  • Multiple Updates
2016-12-12 17:23:36
  • Multiple Updates
2016-12-12 09:24:09
  • Multiple Updates
2016-12-12 00:22:25
  • Multiple Updates
2016-12-11 00:22:38
  • Multiple Updates
2016-12-10 00:22:57
  • Multiple Updates
2016-12-09 21:21:38
  • First insertion