Mikel  Okuneva

Mikel Okuneva

1597618800

Netgear Won't Patch 45 Router Models Vulnerable to Serious Flaw

Netgear will not patch 45 router models that are vulnerable to a high-severity remote code execution flaw, the router company revealed last week. However, the company says that routers that won’t receive updates are outdated or have reached EOL (End of Life).

The remote code execution vulnerability in question, which was disclosed June 15, allows network-adjacent attackers to bypass authentication on vulnerable Netgear routers – sans authentication. The high-severity flaw affects 79 Netgear Wi-Fi routers and home gateway models – but Netgear says that 45 of those router models are outside of its “security support period.”

“Netgear has provided firmware updates with fixes for all supported products previously disclosed by ZDI and Grimm,” Netgear said in a press statement. “The remaining products included in the published list are outside of our support window. In this specific instance, the parameters were based on the last sale date of the product into the channel, which was set at three years or longer.”

A full list of the router models that won’t be patched – as well as those that have fixes being rolled out – is available on Netgear’s website.

“When we look at support windows, some of our products last five or six years, while others last only a few years,” David Henry, senior vice president of Connected Home products at Netgear, told Threatpost. “When we launch a product, as it gets old it goes into End of Life (EOL) and we stop building it and wind down [sales into the channel].”

For instance, one such Modem Router that won’t receive an update, the AC1450 series, is as old as 2009. Other router models, while newer, have reached EOL: The R6200 and R6200v2 wireless routers reached EOL in 2013 and 2016, respectively; while the Nighthawk R7300DST wireless router reached EOL in the first half of 2017, said Henry.

Regardless, Henry stressed that customers using both newer and older router models stay updated on security updates, as well as adopting best security practices, including turning off features like remote access or changing admin passwords (which he said is enforced by Netgear).

“I think it is really important that customers are paying attention to the updates we send out quarterly on our products,” said Henry.

The Flaw

According to the Zero Day Initiative (ZDI), which first disclosed the issue, the flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this flaw to execute code in the context of root, according to ZDI.

“Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines,” according to ZDI. “Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting.”

#vulnerabilities #web security #flaw #netgear #r6700 #r7800 #remote code execution #router #router flaw #router model #vulnerability

What is GEEK

Buddha Community

Netgear Won't Patch 45 Router Models Vulnerable to Serious Flaw
Mikel  Okuneva

Mikel Okuneva

1597618800

Netgear Won't Patch 45 Router Models Vulnerable to Serious Flaw

Netgear will not patch 45 router models that are vulnerable to a high-severity remote code execution flaw, the router company revealed last week. However, the company says that routers that won’t receive updates are outdated or have reached EOL (End of Life).

The remote code execution vulnerability in question, which was disclosed June 15, allows network-adjacent attackers to bypass authentication on vulnerable Netgear routers – sans authentication. The high-severity flaw affects 79 Netgear Wi-Fi routers and home gateway models – but Netgear says that 45 of those router models are outside of its “security support period.”

“Netgear has provided firmware updates with fixes for all supported products previously disclosed by ZDI and Grimm,” Netgear said in a press statement. “The remaining products included in the published list are outside of our support window. In this specific instance, the parameters were based on the last sale date of the product into the channel, which was set at three years or longer.”

A full list of the router models that won’t be patched – as well as those that have fixes being rolled out – is available on Netgear’s website.

“When we look at support windows, some of our products last five or six years, while others last only a few years,” David Henry, senior vice president of Connected Home products at Netgear, told Threatpost. “When we launch a product, as it gets old it goes into End of Life (EOL) and we stop building it and wind down [sales into the channel].”

For instance, one such Modem Router that won’t receive an update, the AC1450 series, is as old as 2009. Other router models, while newer, have reached EOL: The R6200 and R6200v2 wireless routers reached EOL in 2013 and 2016, respectively; while the Nighthawk R7300DST wireless router reached EOL in the first half of 2017, said Henry.

Regardless, Henry stressed that customers using both newer and older router models stay updated on security updates, as well as adopting best security practices, including turning off features like remote access or changing admin passwords (which he said is enforced by Netgear).

“I think it is really important that customers are paying attention to the updates we send out quarterly on our products,” said Henry.

The Flaw

According to the Zero Day Initiative (ZDI), which first disclosed the issue, the flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this flaw to execute code in the context of root, according to ZDI.

“Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines,” according to ZDI. “Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting.”

#vulnerabilities #web security #flaw #netgear #r6700 #r7800 #remote code execution #router #router flaw #router model #vulnerability

Netgear Zero-Day Allows Full Takeover of Dozens of Router Models

An unpatched vulnerability in the web server of device firmware gives attackers root privileges, researchers said.

Researchers have discovered an unpatched, zero-day vulnerability in firmware for Netgear routers that put 79 device models at risk for full takeover, they said.

The flaw, a memory-safety issue present in the firmware’s httpd web server, allows attackers to bypass authentication on affected installations of Netgear routers, according to two separate reports: One on the Zero Day Initiative (ZDI) by a researcher called “d4rkn3ss” from the Vietnam Posts and Telecommunications Group; and a separate blog post by Adam Nichols of cybersecurity firm Grimm.

“The specific flaw exists within the httpd service, which listens on TCP Port 80 by default,” according to the ZDI report, which covers the bug’s presence in the R6700 series Netgear routers. “The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer.”

#vulnerabilities #web security #device takeover #grimm #internet of things #netgear #remote code execution #routers #small office home office #unpatched flaw #zero day initiative #zero-day vulnerability

Hollie  Ratke

Hollie Ratke

1597554000

Critical Intel Flaw Afflicts Several Motherboards, Server Systems, Compute Modules

Intel is warning of a rare critical-severity vulnerability affecting several of its motherboards, server systems and compute modules. The flaw could allow an unauthenticated, remote attacker to achieve escalated privileges.

The recently patched flaw (CVE-2020-8708) ranks 9.6 out of 10 on the CVSS scale, making it critical. Dmytro Oleksiuk, who discovered the flaw, told Threatpost that it exists in the firmware of Emulex Pilot 3. This baseboard-management controller is a service processor that monitors the physical state of a computer, network server or other hardware devices via specialized sensors.

Click to register!

Emulex Pilot 3 is used by various motherboards, which aggregate all the server components into one system. Also impacted are various server operating systems, and some Intel compute modules, which are electronic circuits, packaged onto a circuit board, that provide various functions.

The critical flaw stems from improper-authentication mechanisms in these Intel products before version 1.59.

In bypassing authentication, an attacker would be able to access to the KVM console of the server. The KVM console can access the system consoles of network devices to monitor and control their functionality. The KVM console is like a remote desktop implemented in the baseboard management controller – it provides an access point to the display, keyboard and mouse of the remote server, Oleksiuk told Threatpost.

The flaw is dangerous as it’s remotely exploitable, and attackers don’t need to be authenticated to exploit it – though they need to be located in the same network segment as the vulnerable server, Oleksiuk told Threatpost.

“The exploit is quite simple and very reliable because it’s a design flaw,” Oleksiuk told Threatpost.

Beyond this critical flaw, Intel also fixed bugs tied to 22 critical-, high-, medium- and low-severity CVEs affecting its server board, systems and compute modules. Other high-severity flaws include a heap-based overflow (CVE-2020-8730) that’s exploitable as an authenticated user; incorrect execution-assigned permissions in the file system (CVE-2020-8731); and a buffer overflow in daemon (CVE-2020-8707) — all three of which enable escalated privileges.

intel flaw

Click to enlarge.

Oleksiuk was credited with reporting CVE-2020-8708, as well as CVE-2020-8706, CVE-2020-8707. All other CVEs were found internally by Intel.

Affected server systems include: The R1000WT and R2000WT families, R1000SP, LSVRP and LR1304SP families and R1000WF and R2000WF families.

Impacted motherboards include: The S2600WT family, S2600CW family, S2600KP family, S2600TP family, S1200SP family, S2600WF family, S2600ST family and S2600BP family.

Finally, impacted compute modules include: The HNS2600KP family, HNS2600TP family and HNS2600BP family. More information regarding patches is available in Intel’s security advisory.

Intel also issued an array of other security advisories addressing high-severity flaws across its product lines, including ones that affect Intel Graphics Drivers, Intel’s RAID web console 3 for Windows, Intel Server Board M10JNP2SB and Intel NUCs.

#vulnerabilities #compute module #critical flaw #cve-2020-8708 #intel #intel critical flaw #intel flaw #intel motherboard #intel server board #patch #privilege escalation #security vulnerability #server system

Ron  Cartwright

Ron Cartwright

1603018800

October Patch Tuesday: Microsoft Patches Critical, Wormable RCE Bug

Microsoft has pushed out fixes for 87 security vulnerabilities in October – 11 of them critical – and one of those is potentially wormable.

There are also six bugs that were previously unpatched but publicly disclosed, which could give cybercriminals a leg up — and in fact at least one public exploit is already circulating for this group.

This month’s Patch Tuesday overall includes fixes for bugs in Microsoft Windows, Office and Office Services and Web Apps, Azure Functions, Open Source Software, Exchange Server, Visual Studio, .NET Framework, Microsoft Dynamics, and the Windows Codecs Library.

A full 75 are listed as important, and just one is listed as moderate in severity. None are listed as being under active attack, but the group does include six issues that were known but unpatched before this month’s regularly scheduled updates.

“As usual, whenever possible, it’s better to prioritize updates against the Windows operating system,” Richard Tsang, senior software engineer at Rapid7, told Threatpost. “Coming in at 53 of the 87 vulnerabilities, patching the OS knocks out 60 percent of the vulnerabilities listed, along with over half of the critical RCE vulnerabilities resolved today.”

11 Critical Bugs

One of the most notable critical bugs, according to researchers, is a remote code-execution (RCE) problem in the TCP/IP stack. That issue (CVE-2020-16898) allows attackers to execute arbitrary code with elevated privileges using a specially crafted ICMPv6 router advertisement.

Microsoft gives this bug its highest exploitability rating, meaning attacks in the wild are extremely likely – and as such, it carries a severity rating of 9.8 out of 10 on the CvSS vulnerability scale. True to the season, it could be an administrator’s horror show.

“If you’re running an IPv6 network, you know that filtering router advertisements is not a practical workaround,” said Dustin Childs, researcher at Trend Micro’s Zero-Day Initiative (ZDI), in his Patch Tuesday analysis. “You should definitely test and deploy this patch as soon as possible.”

Bharat Jogi, senior manager of vulnerability and threat research at Qualys, said that an exploit for the bug could be self-propagating, worming through infrastructure without user interaction.

“An attacker can exploit this vulnerability without any authentication, and it is potentially wormable,” he said. “We expect a proof-of-concept (PoC) for this exploit would be dropped soon, and we highly encourage everyone to fix this vulnerability as soon as possible.”

Threatpost has reached out for more technical details on the wormable aspect of the bug.

#cloud security #vulnerabilities #web security #critical #cve-2020-16898 #microsoft #october 2020 #patch tuesday #patches #publicly disclosed #remote code execution #router advertisements #security bug #security vulnerabilities #tcp/ip #unpatched bugs #wormable

Brain  Crist

Brain Crist

1597892400

Large Orgs Plagued with Bugs, Face Giant Patch Backlogs

Large companies find an average of 779,935 individual security bugs when running routine vulnerability scans; and over the course of six months, an average of 28 percent of those vulnerabilities will remain unmitigated. This leaves many of these organizations in a sitting-duck position for cybercriminals, rearchers said.

That’s according a study from the Ponemon Institute, The State of Vulnerability Management, which surveyed 1,800+ IT professionals at companies with more than 1,000 employees. The survey found that the average backlog of bugs for these companies totals a whopping 57,555 identified vulnerabilities.

Clearly, prioritization becomes critical to vulnerability management in this scenario; however, the survey also found that organizations have difficulty in achieving that. A full 57 percent of respondents said their organizations don’t know which vulnerabilities pose the highest risk to their businesses.

And only a quarter (25 percent) said they’re able to prioritize patching based on which assets are the most important to the business.

About 37 percent of respondents said their primary method for prioritization is the identification of which vulnerabilities are weaponized. This isn’t a bad strategy on the surface given that criminal external attacks were the most common cited root cause of data breaches in the survey (34 percent). External attacks were followed by human error (24 percent), and system glitches and malicious insider threats accounted for the rest.

“Even if they prioritize vulnerabilities accurately, the process of remediation can become a headache as teams try to process the information — who owns the vulnerable asset, is there a patch, what if the patch doesn’t work, when is an appropriate time for patching, etc.,” explained researchers from IBM X-Force, in the report, released Monday. They added, “Every enterprise has an immense amount of data, much of which is siloed, giving each team a different perspective of risk. The fragmented viewpoints prevent seeing the full risk picture, which can also lead to important vulnerabilities being deprioritized or overlooked.”

Only 21 percent of respondents said their organizations are “highly effective” in patching vulnerabilities in a timely manner. According to the research, it can take almost a month (28 days) to patch once a critical or high-risk vulnerability is detected on-premises, and 19 days if it is detected in the cloud.

All of this leaves a broad swath of businesses at risk for compromise from known bugs. And in fact, out of the 53 percent of respondents who said their organizations have had a data breach in the past two years, 42 percent of them said they occurred because a patch wasn’t applied for a known vulnerability.

As to the obstacles to getting on top of vulnerability management, Ponemon found that the use of manual processes for patching remains a bugbear. Half of respondents said their organizations are at a disadvantage in responding to vulnerabilities because they use manual processes; and more than half (53 percent) said that IT staff spends more time navigating manual processes than responding to vulnerabilities.

Also, the survey uncovered that most organizations do not have a single view of the full vulnerability management lifecycle, including exception handling. Only 27 percent of respondents say they have visibility into the vulnerability management lifecycle, making it difficult to ascertain how well their organizations are prioritizing, remediating and patching vulnerabilities.

Then there’s the issue of staffing and the ongoing cybersecurity skills gap: Only about half (49 percent) of respondents said their organizations have enough personnel to patch in a timely manner, while just 41 percent said the IT security team has the necessary patching skills and training to fix vulnerabilities.

“Instead of taking a programmatic approach to vulnerability management, many organizations take an anecdotal approach,” according to X-Force. “They divvy up and plow through an Excel spreadsheet, which may contain thousands to millions of vulnerabilities. The spreadsheet method may work for one team in the organization, but when it’s rolled out across an entire enterprise, chaos can ensue.”

#cloud security #most recent threatlists #vulnerabilities #backlog #cloud patches #data breaches #ibm x-force #patch prioritization #ponemon institute #security bugs #survey #vulnerabilities #vulnerability management