Netgear Remote Code Execution Vulnerability CVE-2021-40847 PSV-2021-0204

Netgear Warns of Certain Routers Impacted by Remote Code Execution Vulnerability
Netgear recommends urgent firmware upgrades for impacted routers.

Background:
On September 20, Netgear informed its customers about CVE-2021-40847, a Remote Code Execution vulnerability impacting some of the routers in its product line. Netgear recommends firmware updates to remediate the problem. This vulnerability is urgent, considering Netgear routers are ubiquitous and are critical network infrastructure within small and home offices.

Vulnerability Details:
Security researcher Grimm disclosed the vulnerability impacting many Netgear routers. The vulnerability allows for Remote Code Execution (RCE) as root. The vulnerable component belongs to Circle, a parental control tool.
According to the researcher, the Circle update daemon that is exploited is enabled by default, even though Circle itself is not. Because the update daemon is running, the router is vulnerable whether or not the end user enables or uses any of the Circle functionality.
To exploit this vulnerability, the researcher created a man-in-the-middle (MitM) server that is inserted between the network uplink and the router. The MitM server intercepts details about the router, then sends a crafted packet instructing the router to download malicious firmware updates. The firmware updates allowed the researcher to establish a root shell on the impacted router.

Mitigation:
Netgear recommends updating the router firmware as soon as possible. Included below is a list of impacted router lines and the fixed firmware version. Please follow the instructions on the advisory, as firmware updates vary by device.
• R6400v2 fixed in firmware version 1.0.4.120
• R6700 fixed in firmware version 1.0.2.26
• R6700v3 fixed in firmware version 1.0.4.120
• R6900 fixed in firmware version 1.0.2.26
• R6900P fixed in firmware version 3.3.142_HOTFIX
• R7000 fixed in firmware version 1.0.11.128
• R7000P fixed in firmware version 1.3.3.142_HOTFIX
• R7850 fixed in firmware version 1.0.5.76
• R7900 fixed in firmware version 1.0.4.46
• R8000 fixed in firmware version 1.0.4.76
• RS400 fixed in firmware version 1.5.1.80
Depending on the Work From Home status of an environment, it is important to work with remote workers to ensure their routers are not impacted by this vulnerability.
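
One way to triage a list of remote workers' routers against the fixed versions above (an added example, not code from Netgear or the researcher). The inventory format, owner names and firmware strings are constructed; versions are compared numerically, because a plain string comparison ranks 1.0.4.98 above 1.0.4.120.

```python
import csv, io, re

# Fixed firmware versions, copied verbatim from the list on this page.
FIXED = {
    "R6400v2": "1.0.4.120", "R6700": "1.0.2.26", "R6700v3": "1.0.4.120",
    "R6900": "1.0.2.26", "R6900P": "3.3.142_HOTFIX", "R7000": "1.0.11.128",
    "R7000P": "1.3.3.142_HOTFIX", "R7850": "1.0.5.76", "R7900": "1.0.4.46",
    "R8000": "1.0.4.76", "RS400": "1.5.1.80",
}

def parse_version(text):
    """Return the leading dotted number as a tuple of ints, or None."""
    # Accepts an optional leading "V" and ignores suffixes such as "_HOTFIX".
    m = re.match(r"[Vv]?(\d+(?:\.\d+)+)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def classify(model, firmware):
    """Return 'not-listed', 'unknown', 'vulnerable' or 'fixed' for one device."""
    # Inventories rarely preserve case (R6700v3 vs r6700V3), so match loosely.
    key = next((k for k in FIXED if k.lower() == model.strip().lower()), None)
    if key is None:
        return "not-listed"
    have = parse_version(firmware)
    if have is None:
        return "unknown"  # needs a manual check, do not assume patched
    return "fixed" if have >= parse_version(FIXED[key]) else "vulnerable"

def triage(inventory_csv):
    """Map each row of a CSV inventory (owner,model,firmware) to its status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["owner"], r["model"], classify(r["model"], r["firmware"])) for r in rows]

# Constructed sample inventory (hypothetical owners and firmware strings).
SAMPLE = """owner,model,firmware
alice,R7000,V1.0.11.116_10.2.100
bob,R7900,1.0.4.46
carol,r6700v3,1.0.4.98
dave,R8000,1.0.4.100
erin,RAX80,1.0.3.102
frank,R7850,unknown
"""

if __name__ == "__main__":
    for owner, model, status in triage(SAMPLE):
        print(f"{owner:6} {model:8} {status}")
```

Rows reported as "unknown" or "vulnerable" are the ones to follow up on; "not-listed" only means the model is absent from the list on this page.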

Resources:
Security Advisory by Netgear
https://kb.netgear.com/000064039/Security-Advisory-for-Remote-Code-Execution-on-Some-Routers-PSV-2021-0204
Blog Post by Grimm
https://blog.grimm-co.com/2021/09/mama-always-told-me-not-to-trust.html
NVD Entry
https://nvd.nist.gov/vuln/detail/CVE-2021-40847
CISA Advisory
https://us-cert.cisa.gov/ncas/current-activity/2021/09/21/netgear-releases-security-updates-rce-vulnerability