Unrated severity · NVD Advisory · Published Apr 20, 2020 · Updated Aug 5, 2024

CVE-2017-18849

Description

Certain NETGEAR devices are affected by command injection. This affects D6220 before 1.0.0.26, D6400 before 1.0.0.60, D8500 before 1.0.3.29, R6250 before 1.0.4.12, R6400 before 1.01.24, R6400v2 before 1.0.2.30, R6700 before 1.0.1.22, R6900 before 1.0.1.22, R6900P before 1.0.0.56, R7000 before 1.0.9.4, R7000P before 1.0.0.56, R7100LG before 1.0.0.32, R7300DST before 1.0.0.54, R7900 before 1.0.1.18, R8000 before 1.0.3.44, R8300 before 1.0.2.100_1.0.82, and R8500 before 1.0.2.100_1.0.82.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NETGEAR routers and modem routers before patched firmware versions are vulnerable to unauthenticated command injection via a crafted request.

Vulnerability

A command injection vulnerability exists in the web interface of multiple NETGEAR devices. The affected models include D6220 (before 1.0.0.26), D6400 (before 1.0.0.60), D8500 (before 1.0.3.29), R6250 (before 1.0.4.12), R6400 (before 1.01.24), R6400v2 (before 1.0.2.30), R6700 (before 1.0.1.22), R6900 (before 1.0.1.22), R6900P (before 1.0.0.56), R7000 (before 1.0.9.4), R7000P (before 1.0.0.56), R7100LG (before 1.0.0.32), R7300DST (before 1.0.0.54), R7900 (before 1.0.1.18), R8000 (before 1.0.3.44), R8300 (before 1.0.2.100_1.0.82), and R8500 (before 1.0.2.100_1.0.82). The vulnerability allows an attacker to inject arbitrary commands through the administrative web interface [1].

Exploitation

An attacker on the local network can send a crafted HTTP request to the vulnerable web interface. The attacker does not need prior authentication to trigger the command injection. The specific request parameters that are vulnerable have not been publicly detailed, but the advisory indicates that the injection occurs during processing of user-supplied input [1].

Impact

Successful exploitation leads to arbitrary command execution on the device with root privileges. This allows the attacker to fully compromise the router or modem router, potentially intercepting traffic, modifying DNS settings, or using the device as a pivot point for further attacks [1].

Mitigation

NETGEAR has released firmware updates to fix this vulnerability. Users should update the affected models to the latest firmware version as listed: D6220 to 1.0.0.26, D6400 to 1.0.0.60, D8500 to 1.0.3.29, R6250 to 1.0.4.12, R6400 to 1.01.24, R6400v2 to 1.0.2.30, R6700 to 1.0.1.22, R6900 to 1.0.1.22, R6900P to 1.0.0.56, R7000 to 1.0.9.4, R7000P to 1.0.0.56, R7100LG to 1.0.0.32, R7300DST to 1.0.0.54, R7900 to 1.0.1.18, R8000 to 1.0.3.44, R8300 to 1.0.2.100_1.0.82, and R8500 to 1.0.2.100_1.0.82. No workaround is available besides updating the firmware [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
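
To apply the fixed-version list above across a device inventory, the following added example (not part of the advisory or any NETGEAR tooling) classifies each device by model and firmware string. The hostnames and installed versions are constructed, and the handling of a leading `V` and a `_` build suffix is an assumption about how the firmware string is reported.

```python
import re

# Fixed firmware versions copied from the advisory text above (keys upper-cased
# for lookup). R6400's "1.01.24" is reproduced as printed; confirm that row
# against the vendor advisory before relying on it.
FIXED = {
    "D6220": "1.0.0.26", "D6400": "1.0.0.60", "D8500": "1.0.3.29",
    "R6250": "1.0.4.12", "R6400": "1.01.24", "R6400V2": "1.0.2.30",
    "R6700": "1.0.1.22", "R6900": "1.0.1.22", "R6900P": "1.0.0.56",
    "R7000": "1.0.9.4", "R7000P": "1.0.0.56", "R7100LG": "1.0.0.32",
    "R7300DST": "1.0.0.54", "R7900": "1.0.1.18", "R8000": "1.0.3.44",
    "R8300": "1.0.2.100_1.0.82", "R8500": "1.0.2.100_1.0.82",
}
_VERSION = re.compile(r"^[Vv]?(\d+(?:\.\d+)*)(?:_(\d+(?:\.\d+)*))?$")

def parse_version(text):
    """Return (primary, suffix) integer tuples, or None if unparseable."""
    m = _VERSION.match(text.strip())
    if not m:
        return None
    to_ints = lambda s: tuple(int(p) for p in s.split(".")) if s else ()
    return to_ints(m.group(1)), to_ints(m.group(2))

def classify(model, installed):
    """Classify one device: vulnerable, patched, not-listed or unparseable."""
    fixed = FIXED.get(model.strip().upper())
    if fixed is None:
        return "not-listed"
    have = parse_version(installed)
    if have is None:
        return "unparseable"  # needs manual review; never assume patched
    # A missing suffix sorts below any suffix, so ambiguous cases fail closed.
    return "patched" if have >= parse_version(fixed) else "vulnerable"

def audit(inventory):
    # inventory rows are (hostname, model, firmware string)
    return {host: classify(model, fw) for host, model, fw in inventory}

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = [
    ("gw-lobby", "R7000", "V1.0.7.12_1.2.5"),
    ("gw-branch", "R8500", "1.0.2.100"),
    ("gw-home", "r6400v2", "1.0.2.30_1.0.29"),
    ("gw-old", "WNR2000", "1.2.0.8"),
    ("gw-odd", "D6400", "beta-build"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Devices reported as `unparseable` or `not-listed` still need a manual check; only `patched` means the installed version is at or above the fixed version listed for that model.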

References

1