Researchers at GRIMM discovered a vulnerability in Small Office/Home Office (SOHO) Netgear routers that could allow an attacker to execute arbitrary code as root. The vulnerability is tracked as CVE-2021-40847 and lies in a third-party component included in the firmware. The code is part of Circle, which is used for parental controls on the devices. According to researchers, the code runs as root, and because of this, any exploitation by a threat actor could let them execute code as root. The Circle daemon is enabled by default and connects to Circle and Netgear to obtain version information, updates, and its filtering database. The database updates from Netgear are unsigned and are downloaded via Hypertext Transfer Protocol (HTTP), allowing the attacker to carry out a Man-in-the-Middle (MitM) attack on the device. Any attacker that has the ability to conduct a MitM attack can do so by responding to Circle update requests with a specifically crafted compressed database file, the extraction of which gives the attacker the ability to overwrite executables. For an attacker to successfully exploit the vulnerability, they must be able to intercept and modify the router’s network traffic.
Analyst Notes
Anyone using the affected routers listed below should ensure that they are updated to the latest firmware available. Typically, the threat from SOHO devices flies under the radar when it comes to corporate cybersecurity, but with the increase of employees working from home, the threat from these devices has increased. As a result, employees that are dealing with sensitive information at home should ensure they are using a VPN client to encrypt their traffic and prevent MitM attacks. Vulnerable devices include:
• R6400v2 – 1.0.4.106
• R6700 – 1.0.2.16
• R6700v3 – 1.0.4.106
• R6900 – 1.0.2.16
• R6900P – 1.3.2.134
• R7000 – 1.0.11.123
• R7000P – 1.3.2.134
• R7850 – 1.0.5.68
• R7900 – 1.0.4.38
• R8000 – 1.0.4.68
• RS400 – 1.5.0.68
https://securityaffairs.co/wordpress/122486/hacking/cve-2021-40847-netgear-soho-routers.html?utm_source=feedly&utm_medium=rss&utm_campaign=cve-2021-40847-netgear-soho-routers
