
XR300 Vulnerable to attack and hijack using a telnet backdoor


Guest Killhippie

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Netgear routers. Authentication is not required to exploit this vulnerability. At this time there is no patch for the XR300. So far 79 models are vulnerable. Turn off remote management if you have it on. Probably best to avoid the DMZ at this time too. Exploit code, developed by infosec outfit Grimm, is available on GitHub for all the models said to be vulnerable: it opens a telnet daemon on port 8888 if successful.

There are technical details here. The bugs lie in the web-based control panel of the Linux-powered equipment. It can be hijacked by sending it specially crafted data, bypassing the password protection, via the local network, or the internet if it is exposed to the world, or by tricking a victim into opening a webpage that automatically connects to the device on the LAN. Once exploited, the device can be commanded to open a backdoor, change its DNS and DHCP settings to redirect users to phishing websites, and so on. Many of these routers are EOL (end of life) and some date back all the way to 2007, but some like the R6700v3 have been patched already, but not its brother XR300! Keep an eye out for a hotfix.


https://www.theregister.com/2020/06/19/netgear_bug_disclosure/


https://kb.netgear.com/000061982/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Mobile-Routers-Modems-Gateways-and-Extenders


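An added example, not part of the original post and not Netgear's or Grimm's code: a defender-side check of your own router for the indicator the post mentions, a telnet daemon listening on TCP port 8888. The default address 192.168.1.1 and the function names `telnet_options` and `probe` are assumptions made for this sketch.

```python
import socket
import sys

IAC = 0xFF  # telnet "Interpret As Command" byte
VERBS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}


def telnet_options(data: bytes):
    """Return the (verb, option) telnet negotiation pairs found in data."""
    found, i = [], 0
    while i + 2 < len(data):
        if data[i] == IAC and data[i + 1] in VERBS:
            found.append((VERBS[data[i + 1]], data[i + 2]))
            i += 3
        else:
            i += 1
    return found


def probe(host, port=8888, timeout=3.0):
    """Classify host:port as 'no-listener', 'open-telnet' or 'open-other'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                first = s.recv(256)  # a telnet daemon speaks first
            except OSError:
                first = b""  # connected, but nothing readable in time
    except OSError:
        return "no-listener"  # refused, filtered or unreachable
    # Option negotiation in the first bytes marks the listener as telnet.
    return "open-telnet" if telnet_options(first) else "open-other"


if __name__ == "__main__":
    # 192.168.1.1 is an assumed LAN address; pass your router's IP instead.
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    print(router, "port 8888:", probe(router))
```

Run it from a machine on the LAN side of the router. On a router that has no legitimate service on 8888, any result other than `no-listener` is worth investigating.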
Guest Killhippie
7 minutes ago, santa78 said:

Wow, thanks for the information.

XR500 and XR700 have the same vulnerability or not?

They are not on the list of vulnerable devices, only the XR300 is. Keep an eye on the Netgear official list to make sure. I would have thought if they were vulnerable, after two days now they would have been up on Netgear's official list, but it's better to be safe than sorry and check; for now you are safe.

https://kb.netgear.com/000061982/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Mobile-Routers-Modems-Gateways-and-Extenders


I see the R6300 is on the list.. That router there was widely handed out by Spectrum here in the US. It's a freebie Spectrum gave out.. People like free so they rarely ever buy their own.. Especially if it works okay for them yet.. Spectrum being one of the largest ISPs in the US makes me wonder how many are still floating around out there..

Good post Killhippie!

Zippy.


Guest Killhippie
19 hours ago, Zippy said:

I see the R6300 is on the list.. That router there was widely handed out by Spectrum here in the US. It's a freebie Spectrum gave out.. People like free so they rarely ever buy their own.. Especially if it works okay for them yet.. Spectrum being one of the largest ISPs in the US makes me wonder how many are still floating around out there..

Good post Killhippie!

Zippy.

The issue is, Zippy, if you Google Asus, Zyxel, D-Link, etc. (who just abandoned a line of routers with critical firmware holes) they all have current issues. I'm thinking about getting a rack put in and some enterprise gear (second hand) and hardening my network; SOHO routers are just not great from any provider. The most basic of home routers probably all leak like sieves.


Archived

This topic is now archived and is closed to further replies.
