Flaw In Netgear Routers Enables Usage As Part Of A DDoS Attack
If you have an R7000P, R7500, R7800, R8500, R9000, R6200, R6400, R6700, R7000, R7100LG, R7300, R7900, or R8000 router from Netgear, you have a serious problem. There is evidence to suggest that simply by visiting a specifically crafted website, the router could be recruited into a distributed denial of service botnet. Sample attack code is already floating around the Internet. For example, it’s on Twitter:
Netgear R7000 Command Injection. https://t.co/TJvVdlEokU
— Acew0rm (@Acew0rm1) December 8, 2016
Plus there’s a YouTube video that illustrates this:
Here’s what is really bad about this situation. The exploit was initially published on Dec. 9, and CERT issued its advisory on Dec. 11. Netgear did not go public with the issue until Dec. 12. That’s a serious #EpicFail on the part of Netgear. On top of that, the official recommendation from CERT in terms of protecting yourself is to not use any of these routers at all.
If you want to find out if you’re affected by this, point your web browser to http://[router-address]/cgi-bin/;uname$IFS-a where [router-address] is replaced with the router’s local IP address (typically the same address you use to reach its admin page). If the page that loads shows anything other than an error or a blank page, the router is likely vulnerable.
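The same URL pattern that the check above relies on (a semicolon right after `/cgi-bin/`, with `$IFS` standing in for a space) is also what you would look for if you wanted to know whether anyone has been poking at a router. The script below is an added example written for this post, not Netgear’s code or anything from the advisory: it scans HTTP access-log lines in common log format for that pattern, decoding percent-encoding first so that `%3B` is treated the same as `;`. It assumes you have such logs from somewhere in front of the router (a reverse proxy, an IDS, or HTTP requests reconstructed from a capture), since the router itself does not necessarily keep them; the log lines in the block are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in common log format; these are not real traffic.
SAMPLE_LOG = """\
192.168.1.20 - - [12/Dec/2016:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
192.168.1.20 - - [12/Dec/2016:10:01:05 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 211
192.168.1.44 - - [12/Dec/2016:10:02:17 +0000] "GET /cgi-bin/;uname$IFS-a HTTP/1.1" 200 88
192.168.1.44 - - [12/Dec/2016:10:02:19 +0000] "GET /cgi-bin/%3Bid HTTP/1.1" 200 40
10.0.0.7 - - [12/Dec/2016:10:03:00 +0000] "GET /cgi-bin/login.cgi?user=a%3Bb HTTP/1.1" 403 0
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_suspicious_path(path):
    """Return a short reason if the decoded request path matches the pattern
    described in the post (a shell metacharacter immediately after /cgi-bin/,
    or the $IFS whitespace substitute), otherwise None."""
    decoded = unquote(path)  # treat %3B the same as a literal ';'
    if "/cgi-bin/;" in decoded:
        return "semicolon directly after /cgi-bin/"
    if "$IFS" in decoded:
        return "$IFS used as a whitespace substitute"
    return None


def find_injection_attempts(log_text):
    """Scan access-log text and return one record per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        # Only inspect the path; a ';' inside a query string is ordinary data
        # and would otherwise produce false positives.
        path = m.group("target").split("?", 1)[0]
        reason = is_suspicious_path(path)
        if reason:
            hits.append({
                "client": m.group("client"),
                "when": m.group("when"),
                "target": m.group("target"),
                "status": int(m.group("status")),
                "reason": reason,
            })
    return hits


if __name__ == "__main__":
    for h in find_injection_attempts(SAMPLE_LOG):
        print(f'{h["when"]} {h["client"]} -> {h["target"]} '
              f'({h["reason"]}, HTTP {h["status"]})')
```

On the constructed sample the script reports the two requests from 192.168.1.44 and nothing else; the HTTP status is kept in each record because a 200 on one of these requests is the worrying case, exactly as the post’s “anything other than an error or a blank page” rule says.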
Netgear has advised users that at present there are no firmware updates that fix this. No timetable exists for one, so affected users will have to download and manually install updates whenever they appear. That means that there will be a lot of these routers out there just waiting to be exploited. If you have one, my advice is to dump it for pretty much any other router out there RIGHT NOW. After all, you don’t want your router to be part of a botnet, do you?
In the meantime, Netgear has a lot of explaining to do.
December 16, 2016 at 1:21 pm
[…] If you have a Netgear router, you need to immediately check to see if you have a firmware update below. If you do, download it and install it as fast as you can to protect your router from being recruited into a botnet for a distributed denial of service attack. […]
December 27, 2016 at 2:28 pm
[…] to be wondering if you should ditch it for something else? I say that because hot off the heels of this serious security issue coming to light, though that was kind of fixed a few days later comes […]
January 31, 2017 at 9:44 am
[…] having some serious security flaws pop up last year, comes this latest one found by researcher Simon Kenin of […]