We research. You level up.
Protect your devices, your data, and your privacy—at home or on the go.
“Thanks to the Malwarebytes MSP program, we have this high-quality product in our stack. It’s a great addition, and I have confidence that customers’ systems are protected.”
Featured Event: RSA 2021
Activate Malwarebytes Privacy on Windows device.
Save 25% today on your first year of EP or EDR – See offer
Update now! Netgear vulnerability patched
Exploits and vulnerabilities
Posted: by
Netgear has released a fix for a vulnerability on several of their product models. The affected product models include extenders, routers, air cards, and modems.
The vulnerability was discovered by researchers at GRIMM, but prior to the planned disclosure date, Netgear released a patch that fixed the underlying bug in one of the affected devices.
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed under CVE-2021-34991 and described as a vulnerability that allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6400v2 1.0.4.106_10.0.80 routers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the UPnP service, which listens on TCP port 5000 by default. When parsing the universally unique identifier (uuid) request header, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.
The vulnerability received a CVSS score of 8.8 out of 10 because of some limiting factors. One consolation in the above is that the attacker already has to be inside the LAN to perform this attack. But once they are, the attacker can send a specially crafted header to the UPnP daemon and can remotely run code with root privileges on the affected device.
Another limiting factor for the attacker lies in the fact that the copy function which overflows the stack is a string copy. As such, it will stop copying characters when it encounters a NULL character. Thus, the exploit cannot include gadgets with NULL bytes. All of the addresses within the UPnPd daemon contain a NULL character as the Most Significant Byte (MSB). But, the researchers that discovered this vulnerability created a Proof-of-Concept (PoC) which bypasses this limitation by omitting the gadget’s MSB in the payload, and then immediately ends the payload. The string copy which overflows the stack will automatically NULL terminate the string, and thus write a single NULL byte. However, this technique has the disadvantage that it can only write a single NULL byte at the end of the payload. As such, the exploit can only run a single gadget via this technique.
Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points, and mobile devices to seamlessly discover each other’s presence on the network and establish functional network services. By design, the daemon accepts unauthorized requests of clients that want to receive updates when the UPnP configuration of the network changes. For example, the Xbox One uses UPnP to configure port forwarding necessary for gameplay.
UPnP is a convenient way of allowing gadgets to find other devices on your network and, if necessary, modify your router to allow for device access from outside of your network. A UPnP client can obtain the external IP address of your network and add new port forwarding mappings as part of its setup process.
This is extremely convenient from a consumer perspective as it makes it a lot easier to set up new devices. Unfortunately, with this convenience have come multiple vulnerabilities and large-scale attacks which have exploited UPnP.
Very often, security issues arise from the developers’ inclination to make things easier for their users. It seems there is an impossible to find balance between security and ease of use. It should not be so hard to make secure the default, and if the user wants to increase the ease of use then there should be an option to do so temporarily. Why would you have to open the floodgates permanently just to let one boat in?
This list will not be inclusive because some organizations, and ISPs in particular, have a habit of rebranding routers and other network equipment. But a list of product models and the required firmware version can be found in the Netgear security advisory.
Netgear strongly recommends that you download the latest firmware as soon as possible.
For cable products, new firmware is released by your Internet service provider after NETGEAR releases it to them. Firmware fixes for the following cable products have been released to all service providers:
Stay safe, everyone!
SHARE THIS ARTICLE
COMMENTS
RELATED ARTICLES
Exploits and vulnerabilities
September 12, 2019 – The Heartbleed vulnerability was discovered and fixed in 2014, yet today—five years later—there are still unpatched systems.
Exploits and vulnerabilities
November 19, 2019 – With even more exploit kits in town, the drive-by download landscape shows continued activity in fall 2019.
Exploits and vulnerabilities | Threat Intelligence
April 7, 2020 – This fake, copycat Malwarebytes site was set up by cybercriminals to distribute malware in a malvertising campaign. We examine the campaign—and the criminals’ motives.
Exploits and vulnerabilities
June 23, 2020 – Zero-day vulnerabilities—and their potential, related attacks—can drive any security team mad. Here’s how you can bulk up your defenses.
Exploits and vulnerabilities | Web threats
October 20, 2020 – More open ports are inviting attackers to try and gain entry by using brute force attacks. Why is this happening and what can we do?
ABOUT THE AUTHOR

Malware Intelligence Researcher
Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.
Silouette of person
Contributors

Malware
Threat Center

Malwarebytes Podcast
Podcast

Book with bookmark
Glossary

Suspicious person
Scams

Pencil
Write for Labs

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.
Imagine a world without malware. We do.
FOR PERSONAL
FOR BUSINESS
COMPANY
ABOUT US
CAREERS
NEWS AND PRESS
MY ACCOUNT
SIGN IN
CONTACT US
GET SUPPORT
CONTACT SALES
© All Rights Reserved
Select your language
Cybersecurity basics
Your intro to everything relating to cyberthreats, and how to stop them.

source