Netgear has released a fix for a vulnerability on several of their product models. The affected product models include extenders, routers, air cards, and modems.

The vulnerability was discovered by researchers at GRIMM, but prior to the planned disclosure date, Netgear released a patch that fixed the underlying bug in one of the affected devices.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed under CVE-2021-34991 and described as a vulnerability that allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6400v2 1.0.4.106_10.0.80 routers. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the UPnP service, which listens on TCP port 5000 by default. When parsing the universally unique identifier (uuid) request header, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.

The vulnerability received a CVSS score of 8.8 out of 10 because of some limiting factors. One consolation in the above is that the attacker already has to be inside the LAN to perform this attack. But once they are, the attacker can send a specially crafted header to the UPnP daemon and can remotely run code with root privileges on the affected device.

Another limiting factor for the attacker lies in the fact that the copy function which overflows the stack is a string copy. As such, it will stop copying characters when it encounters a NULL character. Thus, the exploit cannot include gadgets with NULL bytes. All of the addresses within the UPnPd daemon contain a NULL character as the Most Significant Byte (MSB). But, the researchers that discovered this vulnerability created a Proof-of-Concept (PoC) which bypasses this limitation by omitting the gadget’s MSB in the payload, and then immediately ends the payload. The string copy which overflows the stack will automatically NULL terminate the string, and thus write a single NULL byte. However, this technique has the disadvantage that it can only write a single NULL byte at the end of the payload. As such, the exploit can only run a single gadget via this technique.

UPnP

Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points, and mobile devices to seamlessly discover each other’s presence on the network and establish functional network services. By design, the daemon accepts unauthorized requests of clients that want to receive updates when the UPnP configuration of the network changes. For example, the Xbox One uses UPnP to configure port forwarding necessary for gameplay.

The eternal dilemma

UPnP is a convenient way of allowing gadgets to find other devices on your network and, if necessary, modify your router to allow for device access from outside of your network. A UPnP client can obtain the external IP address of your network and add new port forwarding mappings as part of its setup process.

This is extremely convenient from a consumer perspective as it makes it a lot easier to set up new devices. Unfortunately, with this convenience have come multiple vulnerabilities and large-scale attacks which have exploited UPnP.

Very often, security issues arise from the developers’ inclination to make things easier for their users. It seems there is an impossible to find balance between security and ease of use. It should not be so hard to make secure the default, and if the user wants to increase the ease of use then there should be an option to do so temporarily. Why would you have to open the floodgates permanently just to let one boat in?

Affected devices

This list will not be inclusive because some organizations, and ISPs in particular, have a habit of rebranding routers and other network equipment. But a list of product models and the required firmware version can be found in the Netgear security advisory.

How to make sure you are safe

Netgear strongly recommends that you download the latest firmware as soon as possible.

  1. Visit Netgear Support.
  2. Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears. If you do not see a drop-down menu, make sure that you enter your model number correctly, or select a product category to browse for your product model.
  3. Click Downloads.
  4. Under Current Versions, select the first download that begins with Firmware Version.
  5. Click Release Notes.
  6. Follow the instructions in the firmware release notes to download and install the new firmware.

For cable products, new firmware is released by your Internet service provider after NETGEAR releases it to them. Firmware fixes for the following cable products have been released to all service providers:

  • CAX80

Stay safe, everyone!