Updated with the possibility of DNS rebinding attacks and news that Netgear has released a hot fix for 2 routers. This story was first published in 2020/6/18.

At least 28, and possibly 79, Netgear home Wi-Fi router models are vulnerable to attacks both locally and possibly on the Internet.

This is according to a new report by Arlington of Virginia-based cybersecurity firm GRIMM. The Vietnamese security company VNPT ISC independently discovered the same flaw.

The problem, as is often the case with home Wi-Fi routers, is with the web server that is built into the router's firmware. The web server runs a web-based management interface where the router owner logs in with an administrative password.

A complete list of Netgear routers that are reliably affected and may be affected can be found at the end of this story. Tom's guide has contacted Netgear for comment and will update this story when we receive a reply.

Unfortunately, Netgear has not provided firmware updates for these routers, despite being told of a defect in May by Trend Micro's Zero-day initiative, which had acted on behalf of the Vnpt ISC

.

The patch may not appear on any of these routers until the end of the 6th month. Some of these routers have reached the end of support and probably won't get the patch at all.

If you own one of these routers, your best bet at the moment is to go to your management interface (tryhttps://192.168.1.1あ then select it if there is a advanced mode or tab and try to find something like "Web Service Management" or "Remote Management"). and."

You make sure that remote management is turned off so that no one can access the management settings of the router from an external network, i.e. the Internet,

This is a problem because anyone who has access to the local network can exploit this flaw." It is not possible to completely solve the problem. To prevent this, specify that only 1 machine on the local network can access the management interface.

The danger of that last solution is that the specified management machine must be specified by its IP address. Because IP addresses can change randomly (albeit infrequently) on the local network, they can be locked out of administrative access.

Lawrence Abrams of bleeping Computer points out that there is also a risk that malicious actors will exploit this flaw by using DNS rebind attacks.

In a DNS rebind attack, an attacker must control both a malicious website and a DNS server, which is one of the so-called "phone books" of the Internet.1

If an attacker lands on an attacker's website, the attacker can quickly manipulate DNS settings so that the request for a particular website is modified to point to a device in the home network, and then the website can use JavaScript or other code on the website to attack that device (in this case, a Netgear router).

The best way to avoid DNS rebinding attacks is to change your router's DNS settings to the free OpenDNS Home service.This allows you to exclude IP addresses that are reserved for your local network to prevent DNS requests from being sent. We have a lot more about it here.

Adam Nichols of GRIMM and researchers at the VNPT ISC found that two different models could use specific text strings to identify only as "d4rkn3ss" and bypass the login process in the Netgear management interface to put the router into update mode.

From there, if the input is too long, it triggers a buffer overflow (a very basic type of attack), allowing the attacker to give full power on the router and execute code on it.

"The entire update process can be triggered without authentication," Nichols wrote in an entry on github. "Therefore, an overflow in the update process can also be triggered without authentication."

As Nichols puts it in his highly detailed blog post: "Called 1996, they want their vulnerability back."

VNPT ISC's d4rkn3ss discovered that the attack was working on a Netgear R1750 router sold under the name Netgear Nighthawk AC6700Smart WiFi Dual Band Gigabit Router. "AC1750" is a Wi-Fi specification, not a model number. Nichols discovered that his exploits were working on a Netgear R6700 router that looks almost identical to the R7000, but sold as a Netgear Nighthawk AC1900Smart WiFi dual-band Gigabit router

"This vulnerability has been a major threat to the r7000 (and earlier versions) since it was released in 2013." It was present on other devices)," Nichols wrote in a GitHub post.

Both models were among the 50 odd routers for which Netgear pushed tons of firmware security updates in early May this year. But sadly, it was because of a completely different set of flaws. Ironically, the Netgear R7000 was one of the best, or perhaps most terrible, of 2018's 28 home Wi-Fi routers analyzed in an independent study on router security in late 1.

There is not much information about the d4rkn3ss research, but GRIMM's Nichols wrote in his blog post that "79 different Netgear devices and 758 firmware, including a vulnerable copy of the web server" (routers often go through several firmware updates over their work lives.

"I was able to create an exploit for each of the 758 vulnerable firmware images," he added, but in theory the attack was not necessarily real

so to be sure, Nichols "was able to make sure that the identified gadget worked as expected." We manually tested the exploit on 28 of the vulnerable devices in order to find out how to use it.

His list includes nearly every router Netgear has created since 2007, but few of Netgear's latest gaming models and no Orbi mesh-router line.

ZDI told Netgear about the flaw in early May 1. In early May, Netgear requested an extension from zdi of the non-disclosure window of 5 to 6/15, even though the standard 90-day window has already passed. ZDI agreed to this, but Netgear asked for another extension until the end of the 6th month, while ZDI did not agree to this.

Therefore, both ZDI and GRIMM have now published their findings. (At the time, Grimm, who was unaware of the previous discovery of the VNPT ISC, notified netgear of the defect in early May 5. But it's not always safe to use a Netgear router. Netgear regularly issues firmware patches and security alerts, making it relatively easy to install firmware updates. Many other well-known router brands do neither.

Just this week, D-Link gave users of its most popular routers a new one to take out the device because it doesn't update the machine despite a known software flaw.

This is because the D-Link router is 8 years old — still sold, supported and patched by Netgear. It is only 1 year older than the Netgear R7000, where the switch is applied.

These 28 Netgear router models and their associated firmware versions have been proven to be vulnerable by Nichols. Some model numbers have "v2" or "v3" attached, because Netgear often makes hardware changes to the model during its lifetime, while keeping the model number and appearance intact.

Update: Netgear has released a "hot fix" for r6400V2 and r6700V3, but both have to be updated to firmware version 1.0.4.92.

These are temporary workarounds, not permanent patches, and Netgear has included the following warning on its support page:

"Hotfixes were identified above in the pre-security deployment testing process, and these hotfixes have not been shown to affect device operability, but firmware fixes D6220, D6400, D7000V2, D8500, EX7000, R6900, and other fixes have been identified." R6900P, R7000, R7000P, R7100LG, R7850, R7900, R8000, R8500, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, R9000, wnr3500V2. Links to all patches can be found on the same Netgear Support page.

We can try to download the hot fix directly from the router's management interface, but it did not work for us. I had to download the hotfix file to my PC and then upload the file to my router through the management interface. Then everything went well.

On his GitHub account, Nichols has a much longer list of all 79 firmware versions running on 758 router models, but found it to be vulnerable, at least in theory.

It's too long to add here, but ZDNet friends have adapted here by subtracting the definitely proven vulnerable model above.

Here are 51 Netgear router models that are considered vulnerable but not yet proven.