Netgear r7000 Command Injection Temporary Workaround

Sunday, December 11th, 2016

On Friday CERT issued a warning about the Netgear r7000 and R6400 lines of routers. They are vulnerable to a trivial, unauthenticated command injection via the internal-facing HTTP administrative interface.

[Screenshot: proof of vulnerability]

Yeah, that’s almost as bad as it gets.

There’s plenty of other reporting for confirmation, exploit info, and further details. However, CERT’s official guidance is, well, not all that practical for a lot of people:

“The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround: Discontinue use”

Since Netgear is so far mum on when they’re going to issue a patch, and not everyone has the luxury of getting a new router or doing without indefinitely, there are a couple of workarounds. The first is to use the vulnerability itself to kill the admin web interface; that appears to work, though the router will become vulnerable again next time it reboots.

A better solution is to migrate clients to a network that has no access to the admin interface. The r7000 at least (I can’t speak for other lines) has the ability to make guest wireless networks; since the guest networks have no access by default to the admin web interface, clients on those networks can’t be used to exploit it. This won’t work to isolate clients that physically plug into the router. Also, if you’re currently using the guest network feature for isolating some machines from others, then you all get to be on one network until a patch comes out.

So, as a temporary workaround, we can rename and hide the “main” network and create a new guest network using the same configuration options as the old main network. Clients will see the new one and migrate to it.

Step 1: Physically Connect to the Router

Physically plug your machine into the back of the router; we’re going to be messing with the wireless networks, and you don’t want to lose access in the middle. Access the admin console (http://[router-address]/, where your router address is probably 192.168.1.1 or 10.0.0.1), and log in using your credentials (admin/password if you haven’t changed it… which you should have).

Step 2: Record The Configuration

Browse to the “Wireless” tab on the left and copy down details of your primary wireless network. You’ll use these to configure the new guest network.

Step 3: Disable Main Wireless Network

Still on the Wireless tab, change the “Name (SSID)” of the network(s) (both if you’re using both 2.4GHz and 5GHz) to something like DONOTUSE. It’s not necessary, but unchecking “Enable SSID Broadcast” will prevent it from cluttering up your network view. Hit apply, and wait for the change to apply and the page to reload.

[Screenshot: disabling the primary network]

Step 4: Configure and Enable Guest Networks

Browse to the “Guest Network” tab on the left and fill in the details you copied down from the primary page. Ensure that “Enable Guest Network” is checked, and “Allow guests to see each other and access my local network” is unchecked. Hit apply, and wait for the change to apply and the page to reload.

[Screenshot: guest network configuration]

Now, any clients will transparently migrate to the new guest networks, and clients on those networks won’t be able to exploit the vulnerability.
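To confirm the workaround actually took effect, here is a small check script (added here; it is not from the original post or from Netgear). Run it from a laptop joined to the new guest network: the admin interface should be unreachable from there. Run it again from a wired client to see the caveat above in practice. The router address and admin ports are assumptions; adjust them for your setup.

```python
"""Check whether the router's admin web interface is reachable from this client.

The guest-network workaround only helps if the admin interface is NOT
reachable from the network your clients sit on.  Wired clients keep access,
so expect "EXPOSED" when run from a machine plugged into the router.
"""
import socket
import sys

ROUTER_ADDRESS = "192.168.1.1"  # assumption: common default, see Step 1
ADMIN_PORTS = (80, 443)          # assumption: HTTP and HTTPS admin interface


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, or no route: the port is not reachable from here
        return False


def admin_interface_exposed(host: str, ports=ADMIN_PORTS, timeout: float = 2.0) -> dict:
    """Map each admin port to whether it is reachable from this machine."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def verdict(results: dict) -> str:
    """Any reachable admin port means clients on this network can still hit it."""
    if any(results.values()):
        return "EXPOSED: admin interface reachable from this network"
    return "ISOLATED: admin interface not reachable from this network"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else ROUTER_ADDRESS
    results = admin_interface_exposed(host)
    for port, is_open in sorted(results.items()):
        print(f"{host}:{port} -> {'open' if is_open else 'closed/unreachable'}")
    print(verdict(results))
```

Usage: `python check_admin_reach.py 192.168.1.1` (the filename is an assumption); "ISOLATED" from the guest network means the migration worked for wireless clients.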

So, it’s something, but keep watching for an official patch.