Netgear critical vulns come amid global netsec concern • The Register

Netgear is advising customers to upgrade their firmware after it patched two critical vulnerabilities affecting multiple routers.

The networking biz didn’t reveal too much in the way of details for either vulnerability, including whether they had been exploited or not, but warned that if customers didn’t follow the recommended steps their products would remain vulnerable.

Netgear didn’t release CVE identifiers for the vulnerabilities, opting instead for its own product security vulnerability (PSV) IDs: 2024-0117 and 2023-0039.

The authentication bypass bug (2024-0117) scored 9.6 using the CVSSv3 framework while the unauthenticated remote code execution (RCE) flaw scored 9.8.

The at-risk wireless AP models include two that have reached end of life (EOL): WAX206 and WAX220, as well as the WAX214v2 which is still supported with updates.

Without Netgear’s input, we wouldn’t want to speculate on what circumstances customers could find themselves in if either vulnerability were exploited, but the severity of the flaws and the fact that updates are being released even for EOL products are telling.

All of the routers vulnerable to RCE are part of Netgear’s Nighthawk gaming range and are still supported by product updates: XR100, XR1000v2, and XR500.

National security agencies sound off

Netgear’s advisories were published over the weekend, but this week a whole host of national security and cybersecurity agencies in the US, UK, Canada, Australia, Czechia, Japan, and more, issued or co-signed guidance on securing edge devices.

Edge devices, if exploited, can be used by attackers to gain a foothold in victim networks. Gizmos like wireless APs and routers are included among these, as are VPN gateways, firewalls, NAS appliances, internet-connected smart home cameras, and the like.

None of the agencies specifically cites any recent cases that prompted the joint call to arms, but an educated guess might be that it was in some way influenced by the suboptimal start to the year for both Ivanti and Fortinet – for the second year running.

Both vendors have had their various battles with zero-day vulnerabilities already this year and their patches aren’t being applied as quickly as the vendors would like to see.

But it’s not just these two vendors, and now Netgear, whose holes are exposed to attackers. As Ollie Whitehouse, CTO at the UK’s NCSC said this week, it’s a much broader issue.

He said: “In the face of a relentless wave of intrusions involving network devices globally our new guidance sets what we collectively see as the standard required to meet the contemporary threat.

“In doing so we are giving manufacturers and their customers the tools to ensure products not only defend against cyberattacks but also provide investigative capabilities required post intrusion.”

“Alongside our international partners, we are focused on nurturing a tech culture that bakes security and accountability into every device, while enabling manufacturers and their customers to detect and investigate sophisticated intrusions.”

The guidance released by the various agencies is harmonized and a collaborative effort. Whether it’s the NSA’s, the FBI’s, or the UK NCSC’s, you only really need to read one to get the full picture.

All of the documents are extensive and too long to summarize, but they are mainly segmented around two key areas: enhanced logging and forensic data gathering.

Applying all the mitigation strategies, and there are many, is seen by national leaders as the minimum required action for network defenders to take.

Eric Chudow, vulnerability analysis expert at the NSA, said: “Edge devices act as boundaries between organizations’ internal enterprise networks and the Internet; if left unsecured, even unskilled malicious cyber actors have an easier time finding and exploiting vulnerabilities in their software or configurations.

“As organizations scale their enterprises, even though securing all devices is important, prioritizing edge device security is vital to defend the many endpoints, critical services, and sensitive data they protect.” ®
