Netgear leaves vulnerabilities unpatched in Nighthawk router

Researchers have discovered half a dozen high-risk vulnerabilities within the newest firmware model for the Netgear Nighthawk R6700v3 router. At publishing time the issues stay unpatched.

Nighthawk R6700 is a well-liked dual-bank WiFi router marketed with gaming-focused options, good parental controls, and inner {hardware} that’s sufficiently highly effective to accommodate the wants of house energy customers.

The six flaws have been found by researchers at cybersecurity firm Tenable and will permit an attacker on the community to take full management of the gadget:

• CVE-2021-20173: A post-authentication command injection flaw within the replace performance of the gadget, making it inclined to command injection.
• CVE-2021-20174: HTTP is utilized by default on all communications of the gadget’s internet interface, risking username and password interception in cleartext type.
• CVE-2021-20175: SOAP Interface (port 5000) makes use of HTTP to speak by default, risking username and password interception in cleartext type.
• CVE-2021-23147: Command execution as root with out authentication by way of a UART port connection. Exploiting this flaw requires bodily entry to the gadget.
• CVE-2021-45732: Configuration manipulation by way of hardcoded encryption routines, permitting the altering of settings which can be locked for causes of safety.
• CVE-2021-45077: All usernames and passwords for the gadget’s providers are saved in plaintext type within the configuration file.

On high of the aforementioned safety points, Tenable discovered a number of situations of jQuery libraries counting on model 1.4.2, which is understood to include vulnerabilities. The researechers additionally be aware that the gadget makes use of a MiniDLNA is server model with publicly identified flaws.

The just lately disclosed flaws have an effect on firmware model 1.0.4.120, which is the most recent launch for the gadget.

Customers are suggested to vary the default credentials to one thing distinctive and robust and comply with really helpful safety practices for extra strong protection towards malware infections.

Additionally, examine Netgear’s firmware obtain portal usually and set up new variations as quickly as they turn out to be out there. Turning on computerized updates in your router can also be really helpful.

The present safety report refers to Netgear R6700 v3, which remains to be below assist, not Netgear R6700 v1 and R6700 v2, which have reached finish of life. If you’re nonetheless utilizing the older fashions, it is strongly recommended to switch them.

Tenable disclosed the above points to the seller on September 30, 2021, and though some data alternate within the type of clarifications and ideas befell afterward, the issues stay unaddressed.

We’ve reached out to Netgear asking for a touch upon the above, and we’ll add an replace to this story as quickly as we hear again from them.