Netgear released a firmware update announcement: more than ten routers are affected by the Circle RCE security vulnerability
Netgear: more than ten routers are affected by a security vulnerability.
Netgear has just issued a security bulletin urging owners of more than ten of its router models to update their firmware as soon as possible.
The routers are affected by a security vulnerability that an attacker can exploit to execute code remotely, and a device can be exposed even if the relevant software is never used.
The specific affected models include R6400v2, R6700, R6700v3, R6900, R6900P, R7000, R7000P, R7850, R7900, R8000, and RS400.
Because the retail product name and the model code are not easy to match up, users are advised to check the label on the underside of their Netgear router to determine whether their device is affected.
If your model is on the list, go to the Netgear official support page, enter the device model, download the corresponding patch, and follow the release notes to update the firmware.
Figure-1: Create a malicious Circle database
The security company Grimm pointed out in a blog post that the vulnerability stems from Circle, third-party parental control software originally designed by Disney.
It ships pre-installed on many Netgear routers as an optional feature, even when the user has no need for it.
Adam Nichols explained: “The update process of the Circle parental control service on the router allows remote attackers with network access to execute remote code (RCE) by forging root identity through man-in-the-middle attacks (MitM)”.
Figure-2: Create a package file with an absolute path (tarball on Linux platform)
Unfortunately, even though parental control is not enabled by default on the affected Netgear routers, Circle's update daemon is.
Nichols added that the daemon connects to Circle and Netgear to obtain information such as version numbers and to update its filtering database.
But the most worrying part is that the database updates from Netflix are not signed and are downloaded over plain HTTP rather than HTTPS.
This means that a man-in-the-middle attacker can insert a specially crafted database file into the traffic.
Once the file is extracted, the attacker can overwrite executables on the router with code under his control.
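Added example, not code from the article or from Grimm's write-up: the two checks a defender would want on an update path like this one, in Python. It rejects archive members with absolute or traversing paths, which is what the tarball in Figure 2 relies on, and refuses any payload whose digest does not match a value obtained out of band (an assumption standing in for the signature check the daemon lacks); the sample archives are constructed in memory.

```python
import hashlib
import io
import posixpath
import tarfile

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _escapes(path: str) -> bool:
    """True if a POSIX path is absolute or climbs above the extraction root."""
    norm = posixpath.normpath(path)
    return posixpath.isabs(norm) or norm == ".." or norm.startswith("../")

def unsafe_members(archive: bytes) -> list:
    """Members that would land outside the extraction directory: absolute paths
    (the Figure 2 trick), '../' traversal, and links pointing out of the tree."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar.getmembers():
            if _escapes(m.name):
                bad.append(m.name)
            elif m.issym() or m.islnk():
                # symlinks resolve from the member's directory, hard links from the root
                base = posixpath.dirname(m.name) if m.issym() else ""
                if _escapes(posixpath.join(base, m.linkname)):
                    bad.append(m.name)
    return bad

def verify_update(archive: bytes, expected_sha256: str) -> bool:
    """Accept a payload only if it matches a digest obtained out of band (assumed
    here as a stand-in for the missing signature check) and has no unsafe paths."""
    return sha256_hex(archive) == expected_sha256 and not unsafe_members(archive)

def build_tarball(members) -> bytes:
    """Constructed sample archive from (name, data, symlink_target) tuples;
    written uncompressed so its digest is reproducible."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, link in members:
            info = tarfile.TarInfo(name)
            if link:
                info.type, info.linkname = tarfile.SYMTYPE, link
            else:
                info.size = len(data)
            tar.addfile(info, io.BytesIO(data or b""))
    return buf.getvalue()
```

The path check applies regardless of which tar library does the extraction; newer Python releases enforce a similar rule through `tarfile`'s extraction filters, but the daemon described here extracted the download unchecked.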