CVE-2021-40847

Name of the Vulnerable Software and Affected Versions NETGEAR R6400v2 version 1.0.4.106 NETGEAR R6700 version 1.0.2.16 NETGEAR R6700v3 version 1.0.4.106 NETGEAR R6900 version 1.0.2.16 NETGEAR R6900P version 1.3.2.134 NETGEAR R7000 version 1.0.11.123 NETGEAR R7000P version 1.3.2.134 NETGEAR R7850 version 1.0.5.68 NETGEAR R7900 version 1.0.4.38 NETGEAR R8000 version 1.0.4.68 NETGEAR RS400 version 1.5.0.68

Description The update process of the Circle Parental Control Service on various NETGEAR routers allows remote attackers to achieve remote code execution as root via a Man-in-the-Middle (MitM) attack. The Circle update daemon, circled, is enabled by default and connects to Circle and NETGEAR to obtain version information and updates. However, database updates from NETGEAR are unsigned and downloaded via cleartext HTTP, allowing an attacker to respond to circled update requests with a crafted, compressed database file. This enables the attacker to overwrite executable files with attacker-controlled code.

Recommendations To resolve the issue for each affected version, update the firmware to the latest version available on the NETGEAR technical support website. As a temporary workaround, consider disabling the circled daemon until a patch is available. Restrict access to the vulnerable circled daemon to minimize the risk of exploitation. Avoid using the circled daemon in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.