10 zero-day flaws in NETGEAR routers allow remote network hacking. No patch available

Cybersecurity specialists reported the finding of at least 10 critical vulnerabilities in the R6700 router made by NETGEAR. Successful exploitation of these flaws could lead to several malicious scenarios, including arbitrary code execution, Man-in-the-Middle (MitM) attacks and theft of sensitive information.

Below are brief overviews of the reported flaws. It should be clarified that, at the time of writing, these reports have no CVE identifier assigned, and no Common Vulnerability Scoring System (CVSS) scores are listed for them here.

  1. Improper authentication: The vulnerability exists due to an error in processing authentication requests within the UPnP service. A remote attacker on the local network can send a specially crafted UPnP message, bypass the authentication process and gain unauthorized access to the service.
  2. Buffer overflow: This vulnerability exists due to a boundary error within the UPnP service. A remote threat actor could trigger a buffer overflow and execute arbitrary code on the target system, leading to full compromise of the device.
  3. Improper certificate validation: The device does not validate the server certificate when downloading files over HTTPS. A remote attacker on the local network can intercept the connection and access sensitive information on the target system.
  4. Download of code without integrity check: The affected software does not verify the integrity of software updates downloaded within the “check_ra” functionality, so an attacker in a MitM position could substitute the update.
  5. Use of a weak encryption algorithm: The encryption of firmware update images within the “check_ra” functionality relies on a broken or risky cryptographic algorithm, which exposes the target system to the execution of arbitrary code.
  6. Buffer overflow: This flaw exists due to a boundary error in the handling of string table file uploads and allows arbitrary code execution.
  7. Integer overflow: This is an integer overflow in the handling of string table file uploads. It could be exploited by a malicious actor to execute arbitrary code on the target system.
  8. Information exposure: There is inadequate access control in the handling of URLs. A remote attacker on the local network can gain unauthorized access to sensitive information on the system.
  9. Stack-based buffer overflow: A boundary error within the httpd service would allow remote threat actors to trigger a stack-based overflow and execute arbitrary code on the target system.
  10. Stack-based buffer overflow: The vulnerability exists due to a boundary error in the handling of string table file uploads, which could be exploited by an attacker to trigger a stack-based buffer overflow.
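Items 6, 7 and 10 describe the classic pattern in which an attacker-controlled length field in an uploaded file is multiplied or added without an overflow check, the undersized result is used to allocate a buffer, and the following copy then writes past it. The C example below is added here to illustrate that pattern and the hardened counterpart; it is not the R6700's code, and the upload layout (a count field, an entry-length field and the entries), the field names, the MAX_ENTRIES limit and the sample blobs are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed "string table" upload layout for this example (not the
 * router's real format):
 *   uint32_t count       number of fixed-size entries (little-endian)
 *   uint32_t entry_len   bytes per entry
 *   entries              count * entry_len bytes follow the header
 */
#define HDR_LEN      8u
#define MAX_ENTRIES  4096u   /* arbitrary sanity bound chosen for the example */

enum {
    STRTAB_OK           = 0,
    STRTAB_ERR_SHORT    = -1,   /* upload shorter than the header claims */
    STRTAB_ERR_OVERFLOW = -2,   /* count * entry_len would wrap in 32 bits */
    STRTAB_ERR_COUNT    = -3,   /* zero or implausible count / entry length */
    STRTAB_ERR_NOMEM    = -4
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable size computation: the product is formed in 32 bits, as it
 * would be on a 32-bit router SoC, so count=4096 and entry_len=0x100000
 * yield 0. A malloc(0) followed by a copy loop that still iterates 4096
 * times writes far past the allocation. Only the arithmetic is shown;
 * this function never performs the copy. */
uint32_t strtab_alloc_size_unsafe(uint32_t count, uint32_t entry_len) {
    return count * entry_len;
}

/* Hardened size computation: reject absurd counts, detect the wrap before
 * multiplying, and never trust the header over the real upload length. */
int strtab_alloc_size_safe(uint32_t count, uint32_t entry_len,
                           size_t avail, uint32_t *need) {
    if (count == 0 || entry_len == 0 || count > MAX_ENTRIES)
        return STRTAB_ERR_COUNT;
    if (count > UINT32_MAX / entry_len)        /* product would wrap */
        return STRTAB_ERR_OVERFLOW;
    uint32_t n = count * entry_len;
    if (n > avail)                              /* header lies about size */
        return STRTAB_ERR_SHORT;
    *need = n;
    return STRTAB_OK;
}

/* Hardened loader: validates the header against the actual upload length
 * before allocating, then copies exactly the validated number of bytes.
 * Returns the entry count (>0) and sets *tbl, or a negative error code. */
int strtab_load(const uint8_t *in, size_t in_len,
                uint8_t **tbl, uint32_t *entry_len_out) {
    if (in_len < HDR_LEN)
        return STRTAB_ERR_SHORT;
    uint32_t count = rd32(in), entry_len = rd32(in + 4), need = 0;
    int rc = strtab_alloc_size_safe(count, entry_len, in_len - HDR_LEN, &need);
    if (rc != STRTAB_OK)
        return rc;
    uint8_t *buf = malloc(need);
    if (!buf)
        return STRTAB_ERR_NOMEM;
    memcpy(buf, in + HDR_LEN, need);
    *tbl = buf;
    *entry_len_out = entry_len;
    return (int)count;
}

/* Constructed benign upload: two 4-byte entries, "ab" and "cd". */
int demo_benign_load(void) {
    static const uint8_t blob[] = { 2,0,0,0, 4,0,0,0,
                                    'a','b',0,0, 'c','d',0,0 };
    uint8_t *tbl = NULL; uint32_t el = 0;
    int rc = strtab_load(blob, sizeof blob, &tbl, &el);
    free(tbl);
    return rc;   /* 2 */
}

/* Constructed malicious upload: count=4096, entry_len=0x100000, so the
 * 32-bit product wraps to 0 while only 4 bytes of body are present. */
int demo_crafted_load(void) {
    static const uint8_t blob[] = { 0x00,0x10,0x00,0x00, 0x00,0x00,0x10,0x00,
                                    'A','A','A','A' };
    uint8_t *tbl = NULL; uint32_t el = 0;
    return strtab_load(blob, sizeof blob, &tbl, &el);   /* STRTAB_ERR_OVERFLOW */
}

int main(void) {
    printf("unsafe alloc size for crafted header: %u bytes\n",
           strtab_alloc_size_unsafe(4096u, 0x100000u));
    printf("benign load -> %d, crafted load -> %d\n",
           demo_benign_load(), demo_crafted_load());
    return 0;
}
```

The two guards that matter in practice are the division check before the multiply, which catches the wrap on 32-bit targets where `size_t` offers no extra headroom, and the comparison of the computed size against the bytes actually received, which catches a header that promises more data than the upload contains.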

Although these flaws can be triggered over the network, the attacker must already be on the local network and, for most of them, must hold authenticated access to the device; the UPnP authentication bypass described above is the exception. No public exploit for any of these flaws has been observed so far.

NETGEAR has not released updates for these flaws, and updates may never be released. No workarounds have been published either, so users will need to take other steps to protect their networks, such as restricting who can reach the local network and the router's management interface, and disabling exposed services the flaws reside in, such as UPnP, where that is acceptable.