What's the deal with these router vulnerabilities?

Published: 2022-12-01
Last Updated: 2022-12-01 00:20:28 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

Earlier today, I was browser recently made public vulnerabilities for tomorrow's version of our @Risk newsletter. What stuck out was a set of about twenty vulnerabilities in Netgear and DLink routers:

CVE-2022-44186 -  Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow in /usr/sbin/httpd via parameter wan_dns1_pri.
CVE-2022-44187 -  Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow via wan_dns1_pri.
CVE-2022-44188 -  Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow in /usr/sbin/httpd via parameter enable_band_steering.
CVE-2022-44190 -  Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via parameter enable_band_steering.
CVE-2022-44191 -  Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via parameters KEY1 and KEY2.
CVE-2022-44193 -  Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow in /usr/sbin/httpd via parameters: starthour, startminute , endhour, and endminute.
CVE-2022-44194 -  Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow via parameters apmode_dns1_pri and apmode_dns1_sec.
CVE-2022-44196 -  Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow via parameter openvpn_push1.
CVE-2022-44197 -  Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow via parameter openvpn_server_ip.
CVE-2022-44198 -  Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via parameter openvpn_push1.
CVE-2022-44199 -  Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via parameter openvpn_server_ip.
CVE-2022-44200 -  Netgear R7000P V1.3.0.8, V1.3.1.64 is vulnerable to Buffer Overflow via parameters: stamode_dns1_pri and stamode_dns1_sec.
CVE-2022-44184 -  Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow in /usr/sbin/httpd via parameter wan_dns1_sec.
CVE-2022-44201 -  D-Link DIR823G 1.02B05 is vulnerable to Commad Injection.
CVE-2022-44202 -  D-Link DIR878 1.02B04 and 1.02B05 are vulnerable to Buffer Overflow.
CVE-2022-44801 -  D-Link DIR-878 1.02B05 is vulnerable to Incorrect Access Control.
CVE-2022-44804 -  D-Link DIR-882 1.10B02 and1.20B06 is vulnerable to Buffer Overflow via the websRedirect function.
CVE-2022-44806 -  D-Link DIR-882 1.10B02 and 1.20B06 is vulnerable to Buffer Overflow.
CVE-2022-44807 -  D-Link DIR-882 1.10B02 and 1.20B06 is vulnerable to Buffer Overflow via webGetVarString.

Interestingly, both the Netgear and the D-Link security pages are silent about it. The D-Link.

The Netgear page lists another vulnerability for today. D-Link's page appears to have yet to be updated. The last D-Link vulnerability seems to have been patched about two years ago.

All vulnerability point to the same GitHub repo for exploit code, but the link in the NVD database isn't working. The repository, however, exists with various IoT vulnerabilities and exploits. It is hard to match up the vulnerabilities with specific exploits.

So what does this all mean:

  1. Vendors aren't going to save you.
  2. Your router is probably vulnerable.
  3. If you still have the admin interface exposed (and that is what appears to be targeted here): Consider yourself lucky. Someone else will probably upgrade the router for you to prevent others from taking hold of it.
  4. Use a non-default password and a non-default network address scheme internally to make attacks via the browser (SSRF, CSRF...) more difficult.
  5. Use a "proper" open-source router. (OPNSense, PFSense...) . At least you will not have paid a vendor for software they stopped supporting during beta testing, and I find them MUCH easier to keep up to date.

Sorry for the rant.

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Keywords:
1 comment(s)

Comments

Could it be that the navigation / listing you are following is not being maintained? I do find their lack of CVE references to be frustrating, they stopped some time in 2021?

I searched Support for the R7000P and found Firmware Version 1.3.3.154 (release notes https://kb.netgear.com/000065225/R7000P-Firmware-Version-1-3-3-154) publised 12-October-2022. I also found other, currently unmitigeted security bulletins, by searching for R7000P on https://www.netgear.com/about/security/.

Example: https://kb.netgear.com/000065243/Security-Advisory-for-Multiple-Vulnerabilities-on-the-R7000P-PSV-2022-0144-PSV-2022-0145.

Diary Archives