Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

Netgear Starts Patching Serious Vulnerabilities Affecting Tens of Products

Netgear has started releasing patches for ten vulnerabilities affecting nearly 80 of its products, including flaws disclosed last year at the Pwn2Own hacking competition.

Netgear has started releasing patches for ten vulnerabilities affecting nearly 80 of its products, including flaws disclosed last year at the Pwn2Own hacking competition.

All of the security holes were reported to Netgear through Trend Micro’s Zero Day Initiative (ZDI), including five by a hacker who uses the online moniker d4rkn3ss, from VNPT ISC, and five by Pedro Ribeiro and Radek Domanski of Team Flashback.

Ribeiro and Domanski disclosed the flaws at the Pwn2Own Tokyo 2019 hacking contest in November 2019, which earned them $25,000.Ten flaws impact 49 Netgear products

The vulnerabilities were reported to Netgear in November 2019 and January and February 2020. The vendor asked ZDI to extend its public disclosure deadline on two occasions saying that it needed more time to develop patches, but ZDI declined the second request and published its advisories with a “0day” status on June 15. No CVE identifiers have been assigned to the flaws.

The bugs disclosed at Pwn2Own, four of which have been rated high severity, can be exploited by an unauthenticated attacker with network access to the targeted Netgear device for arbitrary code execution, including with admin or root privileges, and to bypass authentication.

The vulnerabilities reported by d4rkn3ss can be exploited by a network-adjacent attacker for remote code execution and to obtain user credentials.

The Cybersecurity and Infrastructure Security Agency (CISA) has published an alert advising users and administrators to take action to prevent potential attacks, and CERT/CC has published an advisory describing one of the most serious vulnerabilities, which allows unauthenticated remote code execution with root privileges.

This vulnerability was also independently discovered by researchers at cybersecurity firm GRIMM, which has published a blog post describing the issue, along with proof-of-concept (PoC) exploit code.

Advertisement. Scroll to continue reading.

Netgear’s advisory lists 79 devices as being affected, including routers, mobile routers, modems, gateways and extenders. The company has so far released patches for 28 devices, but CERT/CC noted that some products have reached end of life (EOL) and they may never receive fixes.

Related: Several Botnets Using Zero-Day Vulnerability to Target Fiber Routers

Related: DoS Vulnerabilities Patched in NETGEAR N300 Routers

Related: Flaws Affecting Top-Selling Netgear Routers Disclosed

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...