A high-severity remote code execution vulnerability was discovered affecting multiple Netgear small office and home office (SOHO) routers. The flaw is a buffer overflow in the Universal Plug and Play (UPnP) feature, which is used to detect changes in devices on the network, and it could allow a network-adjacent attacker to take control of the device. No authentication is required, so any user with network access to an affected device could carry out the attack.
The buffer overflow exists in how the UPnP feature accepts UNSUBSCRIBE requests from clients. An attacker can therefore send a specially crafted HTTP request of type UNSUBSCRIBE to an affected device, carrying a malicious payload to execute. That payload could do anything from resetting the administrative password to gaining direct access to the device. Once an attacker has compromised the device, they would be able to monitor any traffic going in and out of it, as well as use it to launch attacks against other systems connected to the device.
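As an added example (not part of the advisory or Netgear's code), the following heuristic inspects captured HTTP requests and flags UPnP UNSUBSCRIBE requests with oversized fields. The advisory does not state which field overflows, so the length threshold, the header names and the sample requests are assumptions.

```python
"""Heuristic detector for oversized UPnP UNSUBSCRIBE requests (added example)."""
from dataclasses import dataclass

MAX_FIELD_LEN = 256  # assumption: benign UNSUBSCRIBE fields are far shorter than this


@dataclass
class Finding:
    src: str     # where the request was captured (e.g. client address)
    reason: str  # why it was flagged


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, target, headers); None if malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        if b":" not in line:
            return None
        name, value = line.split(b":", 1)
        headers[name.strip().lower().decode("latin-1")] = value.strip()
    return method.decode("latin-1"), target.decode("latin-1"), headers


def inspect_request(src: str, raw: bytes, max_len: int = MAX_FIELD_LEN):
    """Return a Finding if an UNSUBSCRIBE request looks oversized or malformed, else None."""
    if not raw.startswith(b"UNSUBSCRIBE "):
        return None  # only this method is in scope for the advisory
    parsed = parse_request(raw)
    if parsed is None:
        return Finding(src, "malformed UNSUBSCRIBE request")
    _method, target, headers = parsed
    if len(target) > max_len:
        return Finding(src, f"UNSUBSCRIBE target length {len(target)} > {max_len}")
    for name, value in headers.items():
        if len(value) > max_len:
            return Finding(src, f"UNSUBSCRIBE header {name} length {len(value)} > {max_len}")
    return None


def scan(samples):
    """Run inspect_request over (source, raw_request) pairs; return all findings."""
    return [f for src, raw in samples if (f := inspect_request(src, raw))]


# Constructed samples: a benign unsubscribe and one with an oversized SID header.
BENIGN = (b"UNSUBSCRIBE /upnp/event/wanipconn HTTP/1.1\r\n"
          b"HOST: 192.168.1.1:5000\r\nSID: uuid:1234-abcd\r\n\r\n")
SUSPECT = (b"UNSUBSCRIBE /upnp/event/wanipconn HTTP/1.1\r\n"
           b"HOST: 192.168.1.1:5000\r\nSID: uuid:" + b"A" * 2000 + b"\r\n\r\n")
```

The scan is a coarse length check meant to run over captured LAN traffic alongside patching and disabling UPnP, not a substitute for either.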
A proof-of-concept exploit has been created that obtains access to an affected device, so this attack may soon be used in the wild. Netgear has released patches for most of the affected devices and is continuing to release patches for the rest. The vulnerability is tracked as CVE-2021-34991.
Users of the affected devices are advised to apply the patch immediately, if possible. The UPnP feature of the affected routers can also be disabled to prevent exploitation. Because the vulnerability can only be exploited by an attacker who is already on the network, it is important to ensure that only authorized devices can connect to the local network. Likewise, keeping connected devices fully patched and under proper security controls helps prevent an attacker on an infected system from gaining further access to the network. For organizations with large remote workforces, it is important that all traffic between remote workstations and the organization's network goes over a virtual private network (VPN), so that an infected networking device cannot intercept and potentially read sensitive information.