PS. 原文转自http://www.kb.cert.org/vuls/id/582384
Vulnerability Note VU#582384
Multiple Netgear routers are vulnerable to arbitrary command injection
Original Release date: 09 12月 2016 | Last revised: 14 12月 2016
Overview
Netgear R6200, R6250, R6400, R6700, R6900, R7000, R7100LG, R7300, R7900, R8000, D6220, D6400, and D7000 routers and possibly other models are vulnerable to arbitrary command injection.
DescriptionCWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'), CWE-306: Missing Authentication for Critical Function, and CWE-352: Cross-Site Request Forgery (CSRF)
R6200, R6250, R6400, R6700, R6900, R7000, R7100LG, R7300, R7900, R8000, D6220, D6400, and D7000 contain an unauthenticated command injection vulnerability that may be executed directly or via cross-domain requests. Known affected firmware versions include Netgear R7000 version 1.0.7.2_1.1.93, R6400 version 1.0.1.12_1.0.11, and R8000 version 1.0.3.4_1.1.2. Earlier versions may also be affected. The command injection vulnerability has been assigned CVE-2016-6277.
By convincing a user to visit a specially crafted web site, a remote, unauthenticated attacker may execute arbitrary commands with root privileges on affected routers. An unauthenticated, LAN-based attacker may do the same by issuing a direct request, e.g. by visiting:
http://<router_IP>/cgi-bin/;COMMAND
An exploit demonstrating these vulnerabilities has been publicly disclosed.
Netgear's advisory currently or has previously listed that the R6200, R6250, R6400, R6700, R6900, R7000, R7100LG, R7300, R7900, R8000, D6220, D6400, and D7000 are vulnerable, though affected firmware versions are not enumerated. The vendor has indicated that their advisory will be updated as firmware updates are released. |
Impact
By convincing a user to visit a specially crafted web site, a remote unauthenticated attacker may execute arbitrary commands with root privileges on affected routers. |
Solution
The CERT/CC is currently unaware of a practical solution to these problems and recommends the following workaround. |
Disable web server
The very vulnerabilities that exist on affected routers may be used to temporarily disable the vulnerable web server until the device is restarted:
http://<router_IP>/cgi-bin/;killall$IFS'httpd'
Note that after performing this step, your router's web administration not be available until the device is restarted. Please see Bas' Blog for more details.
Do not enable remote administration
Enabling remote administration allows affected routers to be exploited via direct requests from the WAN. As such, users are strongly advised to leave remote administration disabled, or disable it if is has been enabled previously.
Discontinue use
Exploiting these vulnerabilities is trivial. Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available. |
Vendor Information (Learn More)
Vendor | Status | Date Notified | Date Updated | Netgear, Inc. | | 09 Dec 2016 | 11 Dec 2016 |
If you are a vendor and your product is affected, let us know.
CVSS Metrics (Learn More)
Group | Score | Vector | Base | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C | Temporal | 9.3 | E:H/RL:U/RC:C | Environmental | 7.0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
Credit
Thanks to Chad Dougherty for alerting us to this vulnerability. This document was written by Joel Land.
Other Information
- CVE IDs: CVE-2016-6277
- Date Public: 07 12月 2016
- Date First Published: 09 12月 2016
- Date Last Updated: 14 12月 2016
- Document Revision: 54
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
|