In June this year, experts warned that 79 models of Netgear routers are vulnerable to a serious bug that could allow hackers to remotely take full control of the device.
The vulnerability affects 758 different firmware versions that have been used in 79 Netgear routers over the years, and some firmware versions can be found on devices released back in 2007.
The issue lies in the web server component included in the Netgear firmware, which serves the built-in administration panel. As it turned out, the server incorrectly validates user input, is built without stack canaries (stack cookies) to protect return addresses on the stack, and the server binary is not compiled as a Position-Independent Executable (PIE), so ASLR cannot be applied to it.
As experts from Carnegie Mellon University wrote, many Netgear devices are therefore susceptible to a stack buffer overflow that occurs when the httpd web server processes the upgrade_check.cgi file, which can ultimately lead to remote, unauthenticated arbitrary code execution as root.
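Two of the missing mitigations described above (no PIE, no stack canary) can be checked on any ELF binary pulled from a firmware image. The following Python script is an added example written for this article, not code from Netgear, Carnegie Mellon or The Register: it parses the ELF header to see whether the file is ET_DYN (the type a PIE is linked as) and applies the same heuristic that checksec-style tools use for canaries, namely whether the binary references `__stack_chk_fail`. The sample binaries it audits are constructed in the script itself (a bare ELF header with padding), so it runs offline; the `make_sample` helper and the header layout it emits are an assumption for the demo, not real firmware.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2   # fixed-address executable: ASLR cannot relocate it
ET_DYN = 3    # position-independent executable (or shared object)
EM_ARM = 40
EM_MIPS = 8


def parse_elf_header(data: bytes) -> dict:
    """Return the ELF header fields needed for the audit (class, endianness, e_type, e_machine)."""
    # 52 bytes is the size of an ELF32 header, the smallest valid header.
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class = data[4]   # 1 = ELF32, 2 = ELF64
    ei_data = data[5]    # 1 = little-endian, 2 = big-endian
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or data encoding")
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine sit at offset 16 in both ELF32 and ELF64 headers.
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "class": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "e_type": e_type,
        "e_machine": e_machine,
    }


def is_pie(data: bytes) -> bool:
    """A PIE is linked as ET_DYN; an ET_EXEC binary is loaded at a fixed address."""
    return parse_elf_header(data)["e_type"] == ET_DYN


def has_stack_canary(data: bytes) -> bool:
    """Heuristic: code built with -fstack-protector calls __stack_chk_fail, so the
    symbol name appears in the (dynamic) symbol table. A stripped static binary
    can defeat this check, so treat a negative result as 'not proven'."""
    return b"__stack_chk_fail" in data


def audit(data: bytes) -> dict:
    """Summarise the two mitigations for one binary image."""
    return {"pie": is_pie(data), "canary": has_stack_canary(data)}


def make_sample(e_type: int, with_canary: bool, e_machine: int = EM_MIPS) -> bytes:
    """Constructed test input (assumption for this demo): a little-endian ELF32
    header with the given e_type, padded to 52 bytes, optionally followed by a
    fake symbol-string entry so the canary heuristic fires."""
    header = bytearray(52)
    header[:4] = ELF_MAGIC
    header[4] = 1            # ELF32, as on typical MIPS/ARM router SoCs
    header[5] = 1            # little-endian
    header[6] = 1            # EV_CURRENT
    struct.pack_into("<HH", header, 16, e_type, e_machine)
    body = bytes(header)
    if with_canary:
        body += b"\x00__stack_chk_fail\x00"
    return body


def report(name: str, data: bytes) -> str:
    """Human-readable one-liner for a scan result."""
    r = audit(data)
    return (f"{name}: PIE={'yes' if r['pie'] else 'NO'} "
            f"canary={'yes' if r['canary'] else 'NO'}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python elf_audit.py /path/to/extracted/firmware/usr/sbin/httpd
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(report(path, fh.read()))
    else:
        # No files given: demonstrate on the constructed samples.
        print(report("weak (ET_EXEC, no canary)", make_sample(ET_EXEC, False)))
        print(report("hardened (ET_DYN, canary)", make_sample(ET_DYN, True)))
```

Run it against the httpd binary extracted from a firmware image to confirm whether a given build carries either mitigation; an ET_EXEC result with no `__stack_chk_fail` reference is exactly the combination the researchers described.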
As The Register now reports, Netgear's developers have decided not to release fixes for 45 models of vulnerable devices, even though a PoC exploit is already publicly available. The reason is that the support period for these devices has already expired, and Netgear did not consider the RCE bug a reason to make an exception.
Devices intended for home users, as well as for small and medium-sized businesses, were mostly left without patches. Trend Micro's Zero Day Initiative specialist Brian Gorenc told reporters that such situations are, unfortunately, not so rare:
“Unfortunately, there are many examples of manufacturers abandoning support for devices that are still widely used and sometimes even available for purchase. We hope manufacturers will be clear about their support policies and device lifecycles so that consumers can make informed choices.”
Below are the vulnerable Netgear device models that will not receive patches: