Netgear, a networking equipment vendor, has issued another set of fixes, this time for a high-severity remote code execution vulnerability that affects several of its routers and could let a remote attacker take full control of an affected device.
The flaw is tracked as CVE-2021-34991 and carries a CVSS score of 8.8. It is a pre-authentication buffer overflow in the UPnP feature of the company's small office and home office (SOHO) routers. UPnP lets devices on the same local network discover one another and open the ports they need to reach the public Internet; exploiting the flaw can lead to code execution with the highest privileges on the router.
Because it is so widely deployed, UPnP is found in a broad range of devices, including personal computers, game consoles, networking equipment, and internet of things (IoT) devices. The vulnerability arises because the UPnP daemon accepts unverified HTTP SUBSCRIBE and UNSUBSCRIBE requests. These are event subscription requests: they let one device ask to be notified by another when certain state changes, such as a change in media sharing, occur.
According to GRIMM security researcher Adam Nichols, the code that processes UNSUBSCRIBE requests contains a stack-based buffer overflow. It lets an attacker send a specially crafted HTTP request to a vulnerable device and execute malicious code, for example to change the administrator password or deliver arbitrary payloads. Once the password has been changed, the attacker can log in to the router's web server, change any setting, and launch further attacks from the device.
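To make the bug class concrete, the following is an added illustration written for this page; it is not Netgear's firmware code and not GRIMM's proof of concept. It models a UPnP (GENA) UNSUBSCRIBE handler that must extract the SID header from the request. The header names and request layout follow the UPnP eventing format; the buffer size, function names, and sample requests are assumptions constructed for the example. The vulnerable handler copies the attacker-controlled SID into a fixed-size stack buffer without checking its length, which is the pattern the article describes; the hardened handler rejects anything that does not fit before touching the stack buffer.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration of the bug class, not vendor code.
 * A GENA UNSUBSCRIBE request looks like:
 *
 *   UNSUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n
 *   HOST: 192.168.1.1:5000\r\n
 *   SID: uuid:...\r\n
 *   \r\n
 *
 * The handler needs the SID value to find the subscription to cancel. */

#define SID_BUF 64   /* assumed stack buffer size for the example */

/* Case-insensitive compare of n bytes; b (the header name) has no NUL within n. */
static bool ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Locate a header value in the raw request. Returns a pointer to the first
 * value byte and sets *len to the value length, or NULL if absent. */
static const char *find_header(const char *req, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = req;
    while ((p = strchr(p, '\n')) != NULL) {
        p++;                                        /* start of next line */
        if (ieq(p, name, nlen) && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (*v == ' ' || *v == '\t') v++;    /* skip optional whitespace */
            const char *e = strpbrk(v, "\r\n");
            *len = e ? (size_t)(e - v) : strlen(v);
            return v;
        }
    }
    return NULL;
}

/* VULNERABLE pattern: the SID is copied into a 64-byte stack buffer with no
 * length check. With a SID longer than SID_BUF-1 bytes the copy runs past the
 * buffer and overwrites saved stack data (a stack-based buffer overflow).
 * It is only ever called below with a short, well-formed SID. */
static int handle_unsubscribe_vulnerable(const char *req, char out[SID_BUF])
{
    char sid[SID_BUF];
    size_t len;
    const char *v = find_header(req, "SID", &len);
    if (!v) return -1;
    memcpy(sid, v, len);                            /* no bound on len */
    sid[len] = '\0';
    strcpy(out, sid);
    return 0;
}

/* HARDENED: bound the length and validate the shape before copying.
 * Returns 0 on success, -1 if SID is missing, -2 if too long, -3 if malformed. */
static int handle_unsubscribe_hardened(const char *req, char out[SID_BUF])
{
    size_t len;
    const char *v = find_header(req, "SID", &len);
    if (!v) return -1;
    if (len >= SID_BUF) return -2;                  /* would not fit with NUL */
    if (len < 5 || strncmp(v, "uuid:", 5) != 0) return -3;
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

/* Constructed sample request with a normal SID. */
static const char GOOD_REQ[] =
    "UNSUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n"
    "HOST: 192.168.1.1:5000\r\n"
    "SID: uuid:12345678-1234-1234-1234-123456789abc\r\n"
    "\r\n";

/* Constructed request whose SID is 200 'A's, far beyond SID_BUF. Returns 0,
 * or -1 if buf is too small to hold the request. */
static int build_overlong_request(char *buf, size_t cap)
{
    char filler[201];
    memset(filler, 'A', 200);
    filler[200] = '\0';
    int n = snprintf(buf, cap,
                     "UNSUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n"
                     "HOST: 192.168.1.1:5000\r\n"
                     "SID: uuid:%s\r\n\r\n", filler);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(void)
{
    char out[SID_BUF], big[512];
    printf("hardened, good request: %d (sid=%s)\n",
           handle_unsubscribe_hardened(GOOD_REQ, out), out);
    build_overlong_request(big, sizeof big);
    printf("hardened, overlong SID: %d (rejected before any copy)\n",
           handle_unsubscribe_hardened(big, out));
    printf("vulnerable, good request: %d\n",
           handle_unsubscribe_vulnerable(GOOD_REQ, out));
    /* handle_unsubscribe_vulnerable(big, out) is deliberately not called:
     * it would overrun the stack buffer. */
    return 0;
}
```

The fix for the overflow itself is the bounds check in the hardened handler, but the article's point about unverified requests also matters: the eventing endpoint should not be reachable from the WAN side at all, and a router that accepts SUBSCRIBE/UNSUBSCRIBE from arbitrary sources is exposing this parser to anyone who can reach the port.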
Because the UPnP daemon runs as root, the most privileged user on a Linux system, code executed on the attacker's behalf also runs as root, Nichols notes. An attacker with root access to a router can read and alter all traffic that passes through it. This is far from the first time that vulnerable UPnP implementations have been found in networked devices.
In June 2020, security researcher Yunus Çadırcı identified the CallStranger vulnerability (CVE-2020-12695, CVSS score of 7.5), which allows a remote, unauthenticated attacker to direct traffic to arbitrary destinations, potentially enabling amplified DDoS attacks and data exfiltration. And in a 2018 campaign, some 45,000 routers with exposed UPnP services were abused to expose the machines behind them to the EternalBlue and EternalRed exploits.