What is the discovered vulnerability?
The vulnerability discovered is CVE-2021-40847, with a CVSS score of 8.1, therefore, we are facing a very serious vulnerability. This vulnerability consists of a remote code execution that affects many models of the manufacturer, due to this remote code execution, an attacker could take complete control of the affected router and carry out other types of attacks within the victim’s network.
This vulnerability, paradoxically, resides in Disney’s Circle, a third-party component that is included in NETGEAR’s firmware to offer the service of Parental control from the manufacturer, and that it is one of the best parental controls that we can have today on our home router. Circle uses an update process that runs by default even if we have not configured Circle’s parental controls, this allows an attacker with network access to obtain remote code execution (RCE) and gain access with root permissions on the router through the typical Man in the Middle attack.
This attack is possible because the process called “Circled” connects with Circle and NETGEAR to download the latest parental control updates, this process is done without any type of signature to verify that we are actually downloading the legitimate update, in addition, it is It does using the HTTP protocol, a protocol that does not have any type of data encryption or authenticity, therefore, with a Man in the Middle attack, communication can be intercepted and an attacker can send a specifically designed illegitimate update file. Also, this code runs as root on the routers, therefore we have full permissions to execute arbitrary code.
Router Models Affected
The vast majority of NETGEAR routers that use Disney’s Circle (although we do not have it enabled), are vulnerable to this serious security flaw, below, you can see all the router models:
- R6400v2
- R6700
- R6700v3
- R6900
- R6900P
- R7000
- R7000P
- R7850
- R7900
- R8000
- RS400
In all these routers a firmware update has already been released to correct this failure, below, you can see the firmware versions from which this security failure is solved in NETGEAR routers. If there is a higher version, we recommend you install the latter, we must remember that the manufacturer NETGEAR updates its routers by solving security flaws, bugs and also adding new functionalities on a very regular basis.
- R6400v2 (fixed in version 1.0.4.120)
- R6700 (fixed in version 1.0.2.26)
- R6700v3 (fixed in version 1.0.4.120)
- R6900 (fixed in version 1.0.2.26)
- R6900P (fixed in version 3.3.142_HOTFIX)
- R7000 (fixed in version 1.0.11.128)
- R7000P (fixed in version 1.3.3.142_HOTFIX)
- R7850 (fixed in version 1.0.5.76)
- R7900 (fixed in version 1.0.4.46)
- R8000 (fixed in version 1.0.4.76)
- RS400 (fixed in version 1.5.1.80)
If you have any of these routers and you do not have it updated to the latest version, we recommend doing it as soon as possible to prevent someone from exploiting this security flaw.
