Netgear has decided not to issue a firmware update to 45 of its nearly 80 router and gateway models affected by a remote code execution vulnerability that was disclosed at the end of June. Left unpatched, a hacker could effectively bypass the login credentials and take control of the router.
The prospect of having an attacker root around inside a router with unfettered access to settings is unsettling, to say the least. Fortunately, Netgear has issued patches addressing the flaw to 34 affected models, but unfortunately the other 45 models will never get an update because they are listed as being “outside [the] security support period.”
Two security researchers working at different firms discovered the flaw, as reported by ZDNet in June. One of them is Adam Nichols, head of the Software Application Security team at Grimm, a cybersecurity outfit in Arlington, Virginia, and the other goes by d4rkness and works for Vietnamese ISP VNPT.
Both published their findings through Trend Micro’s Zero Day Initiative (ZDI) program, which alerted the vulnerability to Netgear back in January. ZDI typically gives companies 90 days to issue security patches to discovered vulnerabilities before going public. In this case, Netgear had asked was granted an extension until mid-June, but its request for a second extension until the end of June was denied.
Nichols posted a proof-of-concept on GitHub, and also outlined the technical details of the flaw in a blog post. In short, the flaw resides in the web server component of affected models, which is tied to the built-in administration panel, and can be exploited locally or remotely.
“Netgear has provided firmware updates with fixes for all supported products previously disclosed by ZDI and Grimm. The remaining products included in the published list are outside of our support window. In this specific instance, the parameters were based on the last sale date of the product into the channel, which was set at three years or longer,” Netgear said a a statement (via Tom’s Guide).
Some of the unpatched routers go back to 2007, while others are more recently. These are not necessarily based on ancient standards, either. A few of them are Wi-Fi 5 (802.11ac) models, like the R7300DST pictured up top.
You can view a full list of affected models on Netgear’s related support page. If you own of the models that is not going to be patched, you should consider upgrading (check out our roundup of the best gaming routers). Otherwise, you may want to disable the Remote Management feature (see your router’s manual for instructions) to at least protect against remote attacks of this nature.