CVE-2016-11057
Description
Certain NETGEAR devices are affected by mishandling of repeated URL calls. This affects JNR1010v2 before 2017-01-06, WNR614 before 2017-01-06, WNR618 before 2017-01-06, JWNR2000v5 before 2017-01-06, WNR2020 before 2017-01-06, JWNR2010v5 before 2017-01-06, WNR1000v4 before 2017-01-06, WNR2020v2 before 2017-01-06, R6220 before 2017-01-06, and WNDR3700v5 before 2017-01-06.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Certain NETGEAR routers allow authentication to be bypassed via repeated URL calls, allowing remote administrative access if remote management is enabled.
Vulnerability
Multiple NETGEAR router models—including JNR1010v2, WNR614, WNR618, JWNR2000v5, WNR2020, JWNR2010v5, WNR1000v4, WNR2020v2, R6220, and WNDR3700v5—before firmware updates dated 2017-01-06 mishandle repeated URL calls, allowing authentication bypass to the router's configuration interface [1]. The vulnerability is triggered when an attacker repeatedly calls a specific URL, defeating the security mechanism intended to authenticate the administrator [1].
Exploitation
An attacker must first gain network access to the targeted router, either by connecting wirelessly, via an Ethernet connection, or remotely from the Internet if the remote management feature is enabled [1]. By default, remote management is turned off, so exploitation from the WAN side is only possible if the administrator has explicitly enabled that setting [1]. Once on the network, the attacker scripts repeated requests to a particular URL to bypass authentication and access the router settings page [1].
Impact
Successful exploitation allows an unauthenticated attacker to gain access to the router's administrative settings page [1]. This access can lead to full compromise of the device, including changing configuration, exfiltrating or modifying network traffic, and potentially pivoting to other devices on the network. The impact is rated as high, with a CVSS base score of 8.8 [1].
Mitigation
NETGEAR released firmware fixes for all affected models prior to 2017-01-06, addressing the vulnerability [1]. Users should update their router firmware to the latest version via the Router Update page or NETGEAR genie app [1]. As a workaround, ensure remote management is disabled (the default setting) and block unauthorized access to the network by using strong Wi-Fi passwords, changing the administrator password, and employing device blocking features in NETGEAR genie [1]. This vulnerability is not listed on the CISA KEV catalog.
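A defender who collects request logs for the router's management interface can look for the pattern described above, one client calling the same URL many times in quick succession. The following is an added example, not code from NETGEAR or from the cited advisory; the log format, the placeholder path, the private addresses and the threshold and window values are all assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from a real device): timestamp, client, method, path.
SAMPLE_LOG = """\
2017-01-03T10:15:00 192.168.1.50 GET /index.htm
2017-01-03T10:15:01 192.168.1.77 GET /placeholder_page.htm
2017-01-03T10:15:01 192.168.1.77 GET /placeholder_page.htm
2017-01-03T10:15:02 192.168.1.77 GET /placeholder_page.htm
2017-01-03T10:15:02 192.168.1.77 GET /placeholder_page.htm
2017-01-03T10:15:03 192.168.1.77 GET /placeholder_page.htm
2017-01-03T10:15:04 192.168.1.77 GET /placeholder_page.htm
truncated line
2017-01-03T10:15:30 192.168.1.50 GET /index.htm
2017-01-03T10:16:10 192.168.1.50 GET /index.htm
"""

def parse_line(line):
    """Return (timestamp, client, path), or None for a blank or malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return ts, parts[1], parts[3]

def find_repeated_calls(log_text, threshold=5, window_seconds=10):
    """Map (client, path) to the peak request count seen in any sliding window,
    for pairs that reach the threshold. Assumes lines are in time order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (client, path) -> timestamps still inside the window
    peaks = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, path = parsed
        hits = recent[(client, path)]
        hits.append(ts)
        while ts - hits[0] > window:  # drop requests that fell out of the window
            hits.popleft()
        if len(hits) >= threshold:
            peaks[(client, path)] = max(peaks.get((client, path), 0), len(hits))
    return peaks

if __name__ == "__main__":
    for (client, path), count in find_repeated_calls(SAMPLE_LOG).items():
        print(f"{client} requested {path} {count} times within 10 s")
```

The threshold and window need tuning against normal browser traffic to the management pages, since a page reload can also produce several identical requests.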
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3
Patches
0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1
News mentions
0
No linked articles in our index yet.