Posts: 14,244 +158
In brief: Netgear has issued firmware updates for nearly a dozen routers after learning of a vulnerability that can be exploited for remote code execution. Worse yet, you don't even need to be using the associated software to become a victim.
Netgear’s security advisory notes that affected models include the R6400v2, R6700, R6700v3, R6900, R6900P, R7000, R7000P, R7850, R7900, R8000 and the RS400. For proper identification, simply check the sticker on the back or the bottom of your Netgear router to see if it matches one of the models listed above.
In the event your model is impacted, simply head over to Netgear’s support site. There, you can enter your model number and download the appropriate patch. Follow the instructions in the release notes to install the updated firmware.
(The PoC exploiting the Circle update on the R7000. Credit Grimm)
According to this blog post from security firm Grimm, the vulnerability is related to third-party parental control software called Circle that was originally designed by Disney. The optional software, even if it wasn’t utilized, came pre-installed on several Netgear routers. As Grimm's Adam Nichols explains:
The update process of the Circle Parental Control Service on various Netgear routers allows remote attackers with network access to gain RCE as root via a Man-in-the-Middle (MitM) attack. While the parental controls themselves are not enabled by default on the routers, the Circle update daemon, circled, is enabled by default.
Nichols said the daemon connects to Circle and Netgear to get things like version information and to update its filtering database. Notably, the database updates from Netgear are unsigned and download over HTTP instead of the more secure HTTPS.
This means that an attacker who can pull off a MitM attack can insert a specially-crafted database file. When this file is extracted, it can give the attacker "the ability to overwrite executable files with attacker-controlled code."
Circle discontinued its MyCircle app and Circle Go mobile device management software for the Circle 1st gen app at the end of last year, but said the changes do not apply to its Circle on Netgear products.