The United States Computer Emergency Readiness Team (US-CERT), an organization within the Department of Homeland Security (DHS), has published a security alert yesterday, warning owners of Netgear R6400 and R7000 models against using their routers for the time being, because of a severe security flaw.
The organization decided to issue this extreme advice after a user nicknamed “Acew0rm” had published
online for the two models.
“Exploiting this vulnerability is trivial,” CERT said. “Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available.”
“The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround,” the organization added.
Exploit relies on a security flaw and social engineering
Netgear R7000 (firmware version 126.96.36.199_1.1.93 and possibly earlier) and R6400 (firmware version 188.8.131.52_1.0.4 and possibly earlier) are vulnerable, but CERT said that other router models might be affected.
The exploit is trivial, as the organization’s experts said, and relies on convincing a router owner in accessing a URL in the form of:
http://< router_IP >/cgi-bin/;COMMAND
An attacker may hide the exploit behind shortened URLs, which would greatly increase the chance of tricking a router owner in clicking the link.
Once this happens and the user’s router processes the URL, the command at the end of the link is executed on the router. This type of vulnerability is known as a command injection.
Exploit can lead to complete router takeover
Based on the attacker’s skill, he can take over the user’s router completely.
Because there’s no mitigation or workaround, CERT hopes router owners heed its advice and avoid a situation where a botnet operator bolsters its numbers with new zombies made of Netgear R6400 and R7000 routers.
In the past two weeks, botnet herders have used vulnerabilities to take over Eir D1000 modems, Zyxel AMG1302 and D-Link DSL-3780 routers from the infrastructure of Deutsche Telekom in Germany, and TalkTalk and Postal Office in the UK. The operator of a Mirai botnet offshoot has taken credit for these hijacks and claimed he owed at one point over 3 million devices.