Netgear Won’t Patch 45 Router Models Vulnerable to Serious Flaw | Threatpost

Netgear will not patch 45 router models that are vulnerable to a high-severity remote code execution flaw, the router company revealed last week. While some of these models are outdated, other vulnerable router models were released just three years ago, prompting security experts to question the timeframe Netgear has chosen to support its own products.

The remote code execution vulnerability in question, which was disclosed June 15, allows network-adjacent attackers to bypass authentication on vulnerable Netgear routers, so no credentials are needed to exploit it. The high-severity flaw affects 79 Netgear Wi-Fi routers and home gateway models – but Netgear says that 45 of those router models are outside of its “security support period.”

“Netgear has provided firmware updates with fixes for all supported products previously disclosed by ZDI and Grimm,” Netgear said in a press statement. “The remaining products included in the published list are outside of our support window. In this specific instance, the parameters were based on the last sale date of the product into the channel, which was set at three years or longer.”

A full list of the router models that won’t be patched – as well as those that have fixes being rolled out – is available on Netgear’s website.

It’s important to note that many routers that won’t receive updates are outdated or have reached EOL (End of Life). For instance, one such modem router that won’t receive an update, the AC1450 series, is as old as 2009. However, other router models are newer, are still available from retailers and haven’t been discontinued: For instance, the R6200 and R6200v2 wireless routers were unveiled in 2017 and are still available from retailers. The Nighthawk R7300DST is another wireless router that didn’t get an update: This model was first available in 2016.

Threatpost has reached out to Netgear for further comment.

The Flaw

According to the Zero Day Initiative (ZDI), which first disclosed the issue, the flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this flaw to execute code in the context of root, according to ZDI.
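The bug class ZDI describes, as a constructed C example rather than Netgear's httpd code: an HTTP field is copied into a fixed-length stack buffer with no length check, shown beside a hardened handler that validates the length and rejects oversized input. The function names and the 64-byte buffer size are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example of the bug class, not Netgear's code.
 * FIELD_MAX and the handler names are assumptions. */
#define FIELD_MAX 64

/* Vulnerable pattern: no length validation before the copy, so a field of
 * FIELD_MAX bytes or more overruns 'buf' and clobbers the stack frame. */
int handle_field_unchecked(const char *field)
{
    char buf[FIELD_MAX];
    strcpy(buf, field);           /* overflow when strlen(field) >= FIELD_MAX */
    return (int)strlen(buf);
}

/* Hardened form: measure the input with a bounded scan, reject (do not
 * truncate) anything that cannot fit with its terminating NUL, then copy
 * exactly the validated length. Returns the field length, or -1 on reject. */
int handle_field_checked(const char *field)
{
    size_t len = 0;
    while (len < FIELD_MAX && field[len] != '\0')
        len++;
    if (len >= FIELD_MAX)
        return -1;                /* caller answers HTTP 400 and logs the event */
    char buf[FIELD_MAX];
    memcpy(buf, field, len);
    buf[len] = '\0';
    return (int)len;
}

/* Demo helper: build an n-byte field of 'c' (n < 256) and run the checked
 * handler on it, so boundary cases can be exercised without literals. */
int check_repeated_field(char c, size_t n)
{
    char tmp[256];
    if (n >= sizeof tmp)
        return -2;
    memset(tmp, c, n);
    tmp[n] = '\0';
    return handle_field_checked(tmp);
}

int main(void)
{
    printf("short field accepted: %d\n", handle_field_checked("Host: router.lan"));
    printf("63-byte field accepted: %d\n", check_repeated_field('A', 63));
    printf("64-byte field rejected: %d\n", check_repeated_field('A', 64));
    return 0;
}
```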

“Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines,” according to ZDI. “Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting.”

The flaw was reported to Netgear on Jan. 8, 2020, and on June 15, 2020 the security advisory for the flaw was publicly released without a patch available. Additionally, a PoC exploit was published by the GRIMM blog on June 15.

Netgear has rolled out patches for 34 of the vulnerable models since the flaw was disclosed. That includes releasing “security hotfixes” for the models, which are fixes that are applied on top of existing, fully tested firmware.

“Releasing hotfixes allows Netgear to quickly update existing products and streamline the firmware verification process without going through full regression testing,” according to Netgear. “These hotfixes are targeted at specific security issues and should have minimal effect on other areas of the product’s code.”

Patch Timeline Backlash

Several security experts are criticizing Netgear for its patching policies and procedures. Brian Gorenc, senior director of vulnerability research and head of Trend Micro’s Zero Day Initiative (ZDI) program, told Threatpost that the vulnerabilities disclosed represent some of the most severe bug categories available.

“Unfortunately, there are too many examples of vendors abandoning devices that are still in wide use – sometimes even when they are still available to purchase,” Gorenc told Threatpost. “Maybe we need to recommend manufacturers who support their products for longer – especially in our digitally connected lives. If we reward good communications and long-term support from vendors, maybe this abandonment problem will get better.”

Zach Varnell, senior AppSec consultant at nVisium, said that the disclosure on this vulnerability “appears to be more than generous since the researcher followed responsible disclosure practices and even gave an extension when asked for it.”

“It’s unfortunate for anyone who owns one of those routers but that’s the reality of product lifecycles,” said Varnell. “Basically everything – including software, toys, cars, electronics, appliances – will reach an age where their manufacturer will no longer support them. The duration of support varies widely and software tends to be on the shorter side since new development is done much more rapidly than hardware.”

“Consumers should always ensure their devices are still supported by manufacturers and check the available support before purchasing a new device,” said Gorenc.

Vulnerabilities in routers have been discovered several times over the past year. In March, Netgear warned users of a critical remote code execution bug that could allow an unauthenticated attacker to take control of its Wireless AC Router Nighthawk (R7800) hardware running firmware versions prior to 1.0.2.68. In July, a pair of flaws in ASUS routers for the home were uncovered that could allow an attacker to compromise the devices – and eavesdrop on all of the traffic and data that flows through them.
