Multiple Netgear routers are vulnerable to arbitrary command injection

Overview

Netgear R6200, R6250, R6400, R6700, R6900, R7000, R7100LG, R7300, R7900, R8000, D6220, D6400, and D7000 routers and possibly other models are vulnerable to arbitrary command injection.

Description

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'), CWE-306: Missing Authentication for Critical Function, and CWE-352: Cross-Site Request Forgery (CSRF)

R6200, R6250, R6400, R6700, R6900, R7000, R7100LG, R7300, R7900, R8000, D6220, D6400, and D7000 contain an unauthenticated command injection vulnerability that may be executed directly or via cross-domain requests. Known affected firmware versions include Netgear R7000 version 1.0.7.2_1.1.93, R6400 version 1.0.1.12_1.0.11, and R8000 version 1.0.3.4_1.1.2. Earlier versions may also be affected. The command injection vulnerability has been assigned CVE-2016-6277.

https://www.kb.cert.org/vuls/id/582384 

NETGEAR is aware of the security issue #582384 that allows unauthenticated web pages to pass form input directly to the command-line interface. A remote attacker can potentially inject arbitrary commands which are then executed by the system.

NETGEAR has tested the following products and confirmed that they are vulnerable:

All products followed by an asterisk (*) have beta firmware fixes available—see below.

  • R6250*
  • R6400*
  • R6700*
  • R6900*
  • R7000*
  • R7100LG*
  • R7300DST*
  • R7900*
  • R8000*
  • D6220*
  • D6400*

NETGEAR is working on a production firmware version that fixes this command injection vulnerability and will release it as quickly as possible.

http://kb.netgear.com/000036386/CVE-2016-582384 

Hi Sharon,

No, I don't think so.  Only routers and only the ones listed above.

Will the security vulnerability impact a Netgear Wifi Extender (EX 6200)?

Firmware is often updated to patch known vulnerabilities, as above.  My ISP automatically updates the routers I have supplied by them so yours probably does too.  I agree with Hugh though, no harm in checking with them.

ahhh so the firmware doesn't always need to be updated?

I don't know if they do it automatically but I suggest you ask the ISP you use.

I'm on Spectrum (formerly BrightHouse) and their phone support once you get through to the network-specific section -- try checking their webpage under Support and see if it's a different number to the one on your bill.

They should be able to tell you or it may be something they only do if you have a problem, which is a sensible way of doing it. If it ain't broke don't fix it ....

How does one update the firmware in the router? My router is supplied by my ISP. Do they automatically send the updates to the router? Mine is NOT a Netgear brand.

All products now have production firmware fixes available.

  • R6250
  • R6400
  • R6700
  • R6900
  • R7000
  • R7100LG
  • R7300DST
  • R7900
  • R8000
  • D6220
  • D6400