Netgear Leaves Unpatched Vulnerabilities In Nighthawk Router

Netgear-modem
Netgear R6700v3
Source: Netgear

Researchers have discovered half a dozen high-risk vulnerabilities in the latest firmware version of the Netgear Nighthawk R6700v3 router. At the time of publication, the defects remain uncorrected.

Nighthawk R6700 is a popular dual bank WiFi router advertised with gaming-focused features, smart parental controls, and internal hardware powerful enough to meet the needs of home users.

The six flaws were discovered by researchers at cybersecurity firm Tenable and could allow a network attacker to take full control of the device:

  • CVE-2021-20173: A post-authentication command injection fault in the device’s update functionality, making it susceptible to command injection.
  • CVE-2021-20174: HTTP is used by default on all device web interface communications, risking the interception of the username and password as clear text.
  • CVE-2021-2075: The SOAP interface (port 5000) uses HTTP to communicate by default, risking the interception of the username and password as clear text.
  • CVE-2021-23147: Execution of the command as root without authentication via a connection to the UART port. Exploitation of this flaw requires physical access to the device.
  • CVE-2021-45732: Configuration manipulation via hard-coded encryption routines, allowing modification of locked parameters for security reasons.
  • CVE-2021-45077: All user names and passwords for device services are stored as plain text in the configuration file.

In addition to the aforementioned security concerns, Tenable found several instances of jQuery libraries based on version 1.4.2, known to contain vulnerabilities. The researchers also note that the device uses a MiniDLNA is a server version with publicly known flaws.

POST request forcing an update check to mine CVE-2021-20173
POST request forcing an update check to mine CVE-2021-20173
Source: Tenable

The recently revealed flaws affect firmware version 1.0.4.120, which is the latest version of the device.

Users are advised to replace the default credentials with something unique and strong and follow recommended security practices for a more robust defense against malware infections.

Also check out Netgear firmware download portal regularly and install new versions as they become available. Enabling automatic updates on your router is also recommended.

The current safety report refers to Netgear R6700 v3, which is still supported, not Netgear R6700 v1 and R6700 v2, which have reached end of life. If you are still using the old models, it is recommended that you upgrade them.

Tenable disclosed the above issues to the vendor on September 30, 2021, and although some exchange of information in the form of clarifications and suggestions has taken place subsequently, the issues remain unanswered.

We’ve reached out to Netgear to ask for a comment on the above, and we’ll add an update to this story as soon as we hear from them.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Trending this Week