Trend Micro's Zero Day Initiative disclosed 10 vulnerabilities found in Netgear's R6700 router, several of which have gone unfixed since November 2019.
On Monday, ZDI published an advisory with 10 different zero-day vulnerabilities in the router line, which is commonly used in homes and home offices. "Most would allow remote code execution on the device," ZDI wrote on Twitter.
Prior to publishing the advisory, ZDI gave Netgear extensions to their disclosure deadline, pushing it well past the usual 90 days. However, after seven months patches are still not available, said Abdul-Aziz Hariri, security researcher at ZDI.
"We confirmed Netgear received the bug reports and did acknowledge that these were vulnerabilities that needed to be addressed. These bugs impact both the WAN and LAN interfaces on the device," Hariri said in an email to SearchSecurity.
According to Hariri, Netgear has a process in place for reporting security vulnerabilities. ZDI contacted them through this process and communicated with their response team via Netgear's official email address for vulnerability disclosures.
Five of the 10 vulnerabilities were reported to Netgear in November during Pwn2Own Tokyo, which is a hacking competition held at the CanSecWest infosec conference; the competition, which is sponsored by Trend Micro and ZDI, demonstrates zero days after they are reported to the affected vendors.
"These cases were well past our disclosure deadline, especially since most were demonstrated at Pwn2Own Tokyo last November. This means full exploit code was written to demonstrate the bugs," Hariri said.
The five vulnerabilities were discovered and demonstrated by security researchers Pedro Ribeiro and Radek Domanski of "Team Flashback," while the other five were discovered by an anonymous researcher with Vietnam Posts and Telecommunications Group and reported to Netgear in January and February.
The number of Netgear vulnerabilities added to the complexities of the disclosure, Hariri said. However, this isn't the first time ZDI has published 10 or more zero days for the same vendor.
"Corel, Wecon and Hewlett Packard Enterprise [HPE] have had large disclosures in the past," Hariri said. "In fact, HPE had more than 50 bugs released on a zero day on Feb. 2 (ZDI-20-146 through ZDI-20-197). It's an unusual number, but not unprecedented."
Given the nature of Netgear's R6700 vulnerabilities, ZDI advised restricting interaction with the vulnerable devices to only trusted machines as a mitigation strategy.
"Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting," ZDI wrote in the report.
This is not the first time Netgear has been criticized for its response to reported vulnerabilities.
In early 2017, Trustwave security researchers reported two critical vulnerabilities in 31 models of Netgear routers. According to the researchers, they first contacted Netgear about the flaws in April 2016, but after nine months the vendor had released firmware patches for only 18 of the 31 affected products.
Another example took place in January when security researchers disclosed that exposed keys for Netgear TLS certificates were lurking in wireless router firmware, and it wasn't the first time the issue had been reported to the vendor.
SearchSecurity reached out to Netgear regarding the 10 vulnerabilities in the R6700 router but did not receive a reply.