This security advisory addresses the following CVE vulnerabilities: CVE-2017-6077 and CVE-2017-6334. This advisory addresses the following NETGEAR PSV numbers: PSV-2017-0739, PSV-2017-0740, and PSV-2017-0745.
NETGEAR is aware of two related security vulnerabilities that could potentially allow a remote attacker to gain access to a modem router.
Remote Command Execution
The first of these vulnerabilities, CVE-2017-6077, allows an attacker to take over the modem router and execute commands on it. This vulnerability can occur under either of the following conditions:
- An attacker has access to the internal network and knows the router’s administrator password.
- Remote management is enabled on the modem router and the administrator password is set to the default value.
Remote management is turned off by default, so a user must have affirmatively turned on remote management through advanced settings and not changed the default administrator password for the modem router to be vulnerable to a remote attack. Otherwise, the attacker must have access to the local network.
The following device was tested and found to be vulnerable to this remote command execution vulnerability:
An independent security researcher reported that DGN2200 versions 2, 3, and 4 were also allegedly vulnerable. However, NETGEAR never sold or shipped a product SKU DGN2200v2 (DGN2200 version 2). NETGEAR has tested both of the other products (DGN2200 versions 3 and 4) and confirmed that they are both not vulnerable.
NETGEAR has released a firmware fix for this vulnerability, DGN2200v1 firmware version 1.0.0.55. NETGEAR strongly recommends that all affected users install the latest firmware for their product. For more information about how to find and install the latest firmware for your NETGEAR product, see the Firmware Update section of this security advisory.
Regardless of whether your product is affected by this vulnerability, NETGEAR recommends that you follow both parts of the workaround procedure recommended in this article.
Cross-Site Request Forgery (CSRF)
The second reported vulnerability, CVE-2017-6334, allows an attacker to use CSRF to gain administrator privileges and execute commands on the modem router after using the remote command execution vulnerability to gain access.
This vulnerability can be exploited by an attacker on your local network: an attacker on the local area network (LAN) could exploit it by tricking a logged-in user into visiting a malicious website or running a malicious program. An attacker on the guest network (WAN) can only exploit this vulnerability if the administrator password is set to the default value.
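The attack described above works because the browser attaches the victim's session cookie to any request a malicious page triggers, so the router's web interface cannot tell a forged configuration change from a legitimate one by the cookie alone. The following is an added illustration of the two server-side checks a management interface needs to reject such requests (it is example code, not NETGEAR firmware or a reconstruction of it; the management address and form field names are assumed for the example):

```python
"""Minimal server-side CSRF defence for a router admin interface (added example,
not NETGEAR code). A state-changing request is accepted only if it comes from
the management origin itself AND carries the anti-CSRF token bound to the
session. A page on another site can make the browser send the cookie, but it
cannot read the token or set the Origin header, so its request is refused."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Assumed LAN management address of the router (example value only).
ADMIN_ORIGIN = "http://192.168.1.1"


@dataclass
class Session:
    # Per-session token from a CSPRNG; issued once the admin logs in.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    headers: Dict[str, str]
    form: Dict[str, str]


def csrf_check(req: Request, session: Session) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request against the logged-in session."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"  # must not change state, so no check needed

    # Check 1: the request must originate from the management interface.
    # Origin is preferred; fall back to Referer. No header at all is rejected.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != ADMIN_ORIGIN and not origin.startswith(ADMIN_ORIGIN + "/"):
        return False, "cross-origin request"

    # Check 2: the synchronizer token in the form must match the session's
    # token; constant-time comparison avoids leaking it through timing.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def demo() -> Dict[str, bool]:
    """Run three constructed requests against one session and report the verdicts."""
    session = Session()
    cases = {
        # Legitimate change submitted from the router's own settings page.
        "legit": Request("POST", {"Origin": ADMIN_ORIGIN},
                         {"csrf_token": session.csrf_token, "remote_mgmt": "1"}),
        # Forged by a malicious page the logged-in user was lured to visit.
        "forged_cross_origin": Request("POST", {"Origin": "http://attacker.example"},
                                       {"remote_mgmt": "1"}),
        # Forged with the Origin header suppressed; still lacks the token.
        "forged_no_headers": Request("POST", {}, {"remote_mgmt": "1"}),
        # Read-only page load, which needs no token.
        "status_page": Request("GET", {}, {}),
    }
    return {name: csrf_check(req, session)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'rejected'}")
```

The origin check alone is enough against a plain cross-site form post, and the token check alone is enough when headers are stripped, which is why both are applied: the forged requests fail whichever path they take, while a legitimate submission from the settings page passes. The token must be unguessable and bound to the session; the default-password case in the advisory is exactly the situation where an attacker can simply log in first and obtain a valid token, which is why the password change in the Workaround section matters as well.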
The following device was tested and found to be vulnerable to this CSRF vulnerability:
Since this advisory was first posted, NETGEAR has confirmed that the CSRF vulnerability also affects the following devices, which are no longer supported:
- WGR614v8
- WGT624v4
- WNR834Bv2
- WNDR3300
- WNMR834
- WNR3500
An independent security researcher reported that DGN2200 versions 2, 3, and 4 were also allegedly vulnerable. However, NETGEAR never sold or shipped a product SKU DGN2200v2 (DGN2200 version 2). NETGEAR has tested both of the other products (DGN2200 versions 3 and 4) and confirmed that they are both not vulnerable.
NETGEAR has released a firmware update that significantly decreases the risk of CSRF exploits for DGN2200v1 users, firmware version 1.0.0.55. NETGEAR strongly recommends that all affected users install the latest firmware for their product. For more information about how to find and install the latest firmware for your NETGEAR product, see the Firmware Update section of this security advisory.
Regardless of whether your product is affected by this vulnerability, NETGEAR recommends that you follow both parts of the workaround procedure recommended in this article.
Workaround
NETGEAR strongly recommends that all users change their router or modem router’s administrator password from the default password. If you change your admin password from the default password, your router or modem router is protected from the remote command execution vulnerability. Changing your administrator password is also a good security practice.
For more information about changing your password, see the following documents:
To reduce your chances of being affected by CSRF exploits, including the DGN2200v1 CSRF vulnerability, follow the web security recommendations in this knowledge base article: How can I reduce my risk of exposure to CSRF, XSRF, or XSS attacks?.
For more information about CSRF, see page 12 of The Ten Most Critical Web Application Security Risks from the Open Web Application Security Project (OWASP).
Firmware Update
To download the latest firmware for your NETGEAR product:
- Visit the NETGEAR Download Center.
- Under Search for, select the check box next to Firmware/Software.
- Start typing your model number in the search box and select your model from the drop-down menu as soon as it appears.
If you do not see a drop-down menu, make sure that you entered your model number correctly, or use the product drilldown to find your model.
- Click Release Notes under the most recent firmware version, which is the one closest to the top of the list.
Make sure that you are viewing release notes for a firmware version and not a software utility or an app. The title of the release notes page always begins with the words “Firmware Version.”
- Follow the instructions in the release notes to download and install the new firmware.
NETGEAR is not responsible for any consequences that could have been avoided by updating your firmware, changing your administrator password, and following web security best practices as recommended in this notification.
NETGEAR will update this security advisory when more information becomes available.
We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being proactive rather than reactive to emerging security issues is fundamental for product support at NETGEAR.
It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.
To report a security vulnerability, visit https://bugcrowd.com/netgear.
If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com.
For all other issues, visit http://www.netgear.com/about/security/.
The security@netgear.com email address is no longer accepting messages and is no longer actively monitored.
Last Updated: 05/09/2017
Article ID: 000037343