Attackers actively targeting vulnerable Netgear DGN devices

SonicWall Capture Labs threat research team observed attacks exploiting an old vulnerability in Netgear DGN devices. Netgear produces networking hardware for consumers, businesses, and service providers. Netgear DGN devices are ADSL2+ modem routers that provide customers with an easy and secure way to set up a wireless home network with fast Internet access over a high-speed digital subscriber line.

Netgear DGN1000 and DGN2200 devices are prone to a remote authentication-bypass vulnerability. Remote attackers can exploit this issue to bypass the authentication mechanism and execute commands within the context of affected devices with elevated privileges.

NETGEAR DGN Devices Remote Command Execution Vulnerability

Below are some examples of exploits in the wild:

The vulnerable device doesn’t check authentication for URLs containing the “currentsetting.htm” substring, so the following URL can be accessed without authentication.

http://<vulnerable-device-ip>/setup.cgi?currentsetting.htm=1

The “setup.cgi” page can then be abused to execute arbitrary commands.

Let's take the following example:

The URL leverages the “syscmd” function of the “setup.cgi” script to execute arbitrary commands. The attacker connects to a malicious domain, downloads a malicious file, saves it in the tmp directory and executes it.
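The two request markers described above (the “currentsetting.htm” authentication bypass and the “syscmd” command-execution path of “setup.cgi”) can be hunted for in web or proxy logs in front of such routers. The following detector is an added example, not SonicWall's own signature logic; it assumes Apache/nginx “combined” log format and uses constructed sample lines with a placeholder in place of any real command.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Apache/nginx "combined" format).
# Line 1: the unauthenticated probe URL from the advisory.
# Line 2: constructed, non-functional request carrying only the "syscmd" marker.
# Line 3: benign traffic to the router's normal login page.
# Line 4: the probe URL with a percent-encoded dot, to show decoding matters.
SAMPLE_LOG = """\
198.51.100.10 - - [01/Jan/2023:10:00:00 +0000] "GET /setup.cgi?currentsetting.htm=1 HTTP/1.1" 200 512
198.51.100.11 - - [01/Jan/2023:10:00:05 +0000] "GET /setup.cgi?currentsetting.htm=1&syscmd=CONSTRUCTED_PLACEHOLDER HTTP/1.1" 200 128
192.0.2.7 - - [01/Jan/2023:10:00:09 +0000] "GET /index.htm HTTP/1.1" 401 0
198.51.100.12 - - [01/Jan/2023:10:00:12 +0000] "GET /setup.cgi?currentsetting%2Ehtm=1 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def classify_request(target: str) -> Optional[str]:
    """Return a verdict for one request target, or None if it looks benign.

    The device skips authentication when the URL contains the substring
    "currentsetting.htm"; "syscmd" in the setup.cgi query is the
    command-execution marker. Percent-decode first so encoded variants
    are also flagged (detection is deliberately broader than the device's check).
    """
    decoded = unquote(target)
    parts = urlsplit(decoded)
    if not parts.path.endswith("/setup.cgi"):
        return None
    bypass = "currentsetting.htm" in decoded.lower()
    rce = "syscmd" in parts.query.lower()
    if bypass and rce:
        return "rce-attempt"
    if bypass:
        return "auth-bypass-probe"
    if rce:
        return "syscmd-without-bypass"
    return None

def scan_log(text: str) -> List[Dict]:
    """Parse combined-format lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        verdict = classify_request(m["target"])
        if verdict:
            findings.append({"src": m["src"], "status": int(m["status"]),
                             "target": m["target"], "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['verdict']:<22} {f['src']:<15} {f['target']}")
```

A 200 status on a flagged request is the signal worth escalating, since an unpatched device answers the bypass URL without a login challenge.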

The following versions are vulnerable:
NetGear DGN1000 running firmware prior to version 1.1.00.48
Netgear DGN2200 v1

This vulnerability is patched.

SonicWall Capture Labs provides protection against this threat via the following signature:

IPS 13034: NETGEAR DGN Devices Remote Command Execution

Threat Graph
Signature hits for 13034 for past week.


IoCs

A quick check on Shodan shows vulnerable devices.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.