Critical Root RCE Bug Affects Multiple Netgear SOHO Router Models

The Hacker News (thehackernews.com), 2021-11-18 12:59:00

CVSS3: 8.8 High
Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 8.3 High
Access Vector: ADJACENT_NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:A/AC:L/Au:N/C:C/I:C/A:C

Networking equipment company Netgear has released yet another round of patches to remediate a high-severity remote code execution vulnerability affecting multiple routers that could be exploited by remote attackers to take control of an affected system.

Tracked as CVE-2021-34991 (CVSS score: 8.8), the pre-authentication buffer overflow flaw in small office and home office (SOHO) routers can lead to code execution with the highest privileges by taking advantage of an issue residing in the Universal Plug and Play (UPnP) feature that allows devices to discover each other’s presence on the same local network and open ports needed to connect to the public Internet.

Because of its ubiquitous nature, UPnP is used by a wide variety of devices, including personal computers, networking equipment, video game consoles and internet of things (IoT) devices.

Specifically, the vulnerability stems from the fact that the UPnP daemon accepts unauthenticated HTTP SUBSCRIBE and UNSUBSCRIBE requests, the event notification messages that devices use to register for, and stop receiving, notifications from other devices when certain configuration changes, such as media sharing, happen.

But according to GRIMM security researcher Adam Nichols, there is a stack-based buffer overflow bug in the code that handles UNSUBSCRIBE requests, which enables an adversary to send a specially crafted HTTP request and run malicious code on the affected device, including resetting the administrator password and delivering arbitrary payloads. Once the password has been reset, the attacker can log in to the web server and modify any settings or launch further attacks from the device.

“Since the UPnP daemon runs as root, the highest privileged user in Linux environments, the code executed on behalf of the attacker will be run as root as well,” Nichols said. “With root access on a device, an attacker can read and modify all traffic that is passed through the device.”
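As an added defender's example (not code from the article, Netgear or GRIMM), the following Python inspects UPnP eventing requests seen in captured traffic and flags the kinds of deviations a pre-authentication UNSUBSCRIBE abuse would show: oversized header values, a missing or malformed SID, or a request arriving from outside the LAN. The article does not name the overflowing field, so the 256-byte threshold, the 192.168.1.0/24 LAN range, the SID format check and the sample requests are assumptions constructed here.

```python
import ipaddress
import re

# Assumed bound: legitimate SID/CALLBACK values are far shorter than this.
MAX_HEADER_VALUE = 256
EVENT_METHODS = {"SUBSCRIBE", "UNSUBSCRIBE"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
# UPnP SIDs are conventionally "uuid:" followed by a 36-character UUID (assumed format).
SID_FORMAT = re.compile(r"uuid:[0-9a-fA-F-]{36}")

def parse_request(raw):
    """Split a raw HTTP request head into (method, path, headers); None if malformed."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    return match.group(1), match.group(2), headers

def assess_request(src_ip, raw, lan=ipaddress.ip_network("192.168.1.0/24")):
    """Return reasons this request looks like UPnP eventing abuse (empty list = benign)."""
    parsed = parse_request(raw)
    if parsed is None:
        return ["malformed request"]
    method, _path, headers = parsed
    if method not in EVENT_METHODS:
        return []  # SOAP control calls and description GETs are out of scope here
    reasons = []
    if ipaddress.ip_address(src_ip) not in lan:
        reasons.append(f"{method} from outside the LAN ({src_ip})")
    for name, value in headers.items():
        if len(value) > MAX_HEADER_VALUE:
            reasons.append(f"{method} header {name} is {len(value)} bytes")
    if method == "UNSUBSCRIBE" and not SID_FORMAT.fullmatch(headers.get("sid", "")):
        reasons.append("UNSUBSCRIBE with missing or non-standard SID")
    return reasons

# Constructed sample traffic: one well-formed UNSUBSCRIBE and one carrying a 600-byte SID.
BENIGN = ("UNSUBSCRIBE /upnp/event/wanipconn HTTP/1.1\r\nHOST: 192.168.1.1:5000\r\n"
          "SID: uuid:12345678-1234-1234-1234-123456789abc\r\n\r\n")
SUSPECT = ("UNSUBSCRIBE /upnp/event/wanipconn HTTP/1.1\r\nHOST: 192.168.1.1:5000\r\n"
           "SID: uuid:" + "A" * 600 + "\r\n\r\n")
```

Running `assess_request("192.168.1.20", SUSPECT)` returns two findings (oversized header and malformed SID), while the benign request returns none; pair the length check with the vendor patch, not instead of it, since the real limit inside the daemon is unknown.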

This is far from the first time vulnerable implementations of UPnP have been uncovered in networked devices.

In June 2020, security researcher Yunus Çadirci discovered what’s called a CallStranger vulnerability (CVE-2020-12695, CVSS score: 7.5) wherein a remote, unauthenticated attacker may be able to abuse the UPnP SUBSCRIBE capability to send traffic to arbitrary destinations, resulting in amplified DDoS attacks and data exfiltration. What’s more, no fewer than 45,000 routers with vulnerable UPnP services were previously leveraged in a 2018 campaign to deploy EternalBlue and EternalRed exploits on compromised systems.
