Netgear has patched an elevated remote code execution (RCE) flaw detected in the Circle Parental Control Service, which operates with root permissions on nearly a dozen modern Netgear routers for Small Offices/Home Offices (SOHO).
It is usually expected that the attack vector exposed by the Circle security issue (CVE-2021-40847) would get deleted once the service is shut. But the Circle update daemon containing the problem is active by default and can be abused even if the service is terminated.
The Circle Parental Control Service update process on different Netgear routers lets remote attackers with network access acquire RCE as root through a Man-in-the-Middle (MitM) attack.
After exploiting this flaw successfully, the attacker can get total control of network traffic going via the hacked router, allowing them to access encrypted data sent by other devices, including those on the victim’s business network.
Threat actors may employ the following chain of attacks to infiltrate a corporate network after taking control of a Netgear router used by one of its employees:
- The attacker does a preliminary investigation to discover the ISP that the target corporation’s employees use.
- Another method the attacker uses is to access the ISP (via phishing, exploit, etc.).
- From within the ISP, attackers can exploit any routers susceptible to the Circle Parental Control Service vulnerability.
- The attacker can communicate directly with any business PCs linked to the network from the hacked routers. The attackers can then control these computers by exploiting a different vulnerability, such as the latest PrintNightmare vulnerability.
- Once the business PCs have been hacked, the attackers can go to the corporate network and exfiltrate corporate data or start other attacks on the company.
Here is the list containing model numbers of Netgear routers susceptible to CVE-2021-40847 exploits and their patched firmware versions:
- R6400v2 – Firmware version 1.0.4.120
- R6700 – Firmware version 1.0.2.26
- R6700v3 – Firmware version 1.0.4.120
- R6900 – Firmware version 1.0.2.26
- R6900P – Firmware version 3.3.142_HOTFIX
- R7000 – Firmware version 1.0.11.128
- R7000 – Firmware version 1.3.3.142_HOTFIX
- R7850 – Firmware version 1.0.5.76
- R7900 – Firmware version 1.0.4.46
- R8000 – Firmware version 1.0.4.76
- RS400 – Firmware version 1.5.1.80