{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/576779#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nMultiple Netgear devices contain a stack buffer overflow in the httpd web server's handling of <tt>upgrade_check.cgi</tt>, which may allow for unauthenticated remote code execution with root privileges.\r\n\r\n### Description\r\nMany Netgear devices contain an embedded web server, which is provided by the <tt>httpd</tt> process, to provide administrative capabilities. On multiple Netgear devices, this code fails to properly validate the header size provided to the <tt>upgrade_check.cgi</tt> handler. Despite copying the header to a fixed-size buffer on the stack, the vulnerable code copies an attacker-provided count of bytes from attacker-provided data. This allows for remote code execution by way of stack buffer overflow. This vulnerability is exacerbated by a number of issues:\r\n\r\n1. The <tt>httpd</tt> process runs with root privileges.\r\n2. Stack cookies, which can help prevent exploitation of stack buffer overflows, are not universally used in Netgear devices.\r\n3. Authentication is not required to reach the vulnerable code.\r\n4. The vulnerability occurs before Cross-Site Request Forgery (CSRF) token checking occurs.\r\n5. Target device fingerprinting can occur by visiting the <tt>/currentsetting.htm</tt> page on an affected device.\r\n\r\nExploit code that targets 79 different Netgear devices is [publicly available](https://github.com/grimm-co/NotQuite0DayFriday/tree/master/2020.06.15-netgear).\r\n\r\n### Impact\r\nBy convincing a user to visit a malicious or compromised website, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable device with root privileges.\r\n\r\n### Solution\r\n#### Apply an update\r\nNetgear has [provided updates for several vulnerable devices](https://kb.netgear.com/000061982/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Mobile-Routers-Modems-Gateways-and-Extenders).\r\nNote that Netgear does not indicate when devices have reached an end of life (EOL) state. This may make it difficult to determine if a vulnerable device may receive an update in the future.\r\n\r\nThe CERT/CC has made a [spreadsheet](https://docs.google.com/spreadsheets/d/1Tzq97rRisoZwKNQ1pUYE6phwl4LL7KnZxc828n-hXW0/) to more clearly indicate which devices have updates, and which devices may either be receiving an update in the future, or may possibly be unsupported.\r\n\r\nAs outlined in the blog post [It's Time to Retire Your Unsupported Things](https://insights.sei.cmu.edu/cert/2019/10/its-time-to-retire-your-unsupported-things.html), you should factor the vendor's support life span into purchasing decisions. Vendors that indicate how long products will be supported should be preferred over those that do not clearly indicate how long a device will be supported. Similarly, vendors that clearly indicate when a product has reached EOL state should be preferred over vendors that do not.\r\n\r\n### Acknowledgements\r\nThis vulnerability was publicly disclosed by ZDI, who in turn credit d4rkn3ss from VNPT ISC. Additional analysis was provided by GRIMM.\r\n\r\nThis document was written by Will Dormann.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details.","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/576779"},{"url":"https://www.zerodayinitiative.com/advisories/ZDI-20-712/","summary":"https://www.zerodayinitiative.com/advisories/ZDI-20-712/"},{"url":"https://blog.grimm-co.com/2020/06/soho-device-exploitation.html","summary":"https://blog.grimm-co.com/2020/06/soho-device-exploitation.html"},{"url":"https://github.com/grimm-co/NotQuite0DayFriday/tree/master/2020.06.15-netgear","summary":"https://github.com/grimm-co/NotQuite0DayFriday/tree/master/2020.06.15-netgear"},{"url":"https://docs.google.com/spreadsheets/d/1Tzq97rRisoZwKNQ1pUYE6phwl4LL7KnZxc828n-hXW0/","summary":"https://docs.google.com/spreadsheets/d/1Tzq97rRisoZwKNQ1pUYE6phwl4LL7KnZxc828n-hXW0/"},{"url":"https://kb.netgear.com/000061982/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Mobile-Routers-Modems-Gateways-and-Extenders","summary":"Reference(s) from vendor \"NETGEAR\""}],"title":"Netgear httpd upgrade_check.cgi stack buffer overflow","tracking":{"current_release_date":"2022-02-28T15:50:27+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#576779","initial_release_date":"2020-06-26 19:20:09.050887+00:00","revision_history":[{"date":"2022-02-28T15:50:27+00:00","number":"1.20220228155027.2","summary":"Released on 2022-02-28T15:50:27+00:00"}],"status":"final","version":"1.20220228155027.2"}},"vulnerabilities":[{"title":"Stack buffer overflow in httpd in handling file uploads.","notes":[{"category":"summary","text":"Stack buffer overflow in httpd in handling file uploads."}],"ids":[{"system_name":"CERT/CC V Identifier","text":"VU#576779"}],"product_status":{"known_affected":["CSAFPID-fc2568d4-3a7d-11f1-a172-0afffb3ee71d"]}}],"product_tree":{"branches":[{"category":"vendor","name":"NETGEAR","product":{"name":"NETGEAR Products","product_id":"CSAFPID-fc2568d4-3a7d-11f1-a172-0afffb3ee71d"}}]}}