Source: vulnreport@tenable.com
Netgear Nighthawk R6700 version 1.0.4.120 does not have sufficient protections for the UART console. A malicious actor with physical access to the device is able to connect to the UART port via a serial connection and execute commands as the root user without authentication.
Netgear Nighthawk R6700 routers are vulnerable to a critical security flaw allowing unauthenticated root access via the UART console. An attacker with physical access can bypass all security measures and gain complete control of the device, potentially leading to data theft, network compromise, and device manipulation. This vulnerability poses a significant risk to home and small business networks.
Step 1: Physical Access: The attacker gains physical access to the Netgear Nighthawk R6700 router.
Step 2: Hardware Identification: The attacker identifies the UART port on the router's circuit board. This typically involves opening the router's casing and visually inspecting the board.
Step 3: Serial Connection: The attacker connects a serial-to-USB adapter or a similar device to the UART port.
Step 4: Terminal Emulation: The attacker uses a terminal emulator (e.g., PuTTY, minicom) on their computer to establish a serial connection to the router.
Step 5: Command Execution: The attacker interacts with the router's command-line interface (CLI) directly through the serial connection. They can execute any command as the root user without any authentication.
Step 6: System Compromise: The attacker leverages root access to modify the router's configuration, install malware, steal sensitive data, or pivot to other devices on the network.
The vulnerability stems from a lack of authentication and insufficient security measures on the UART (Universal Asynchronous Receiver/Transmitter) console of the Netgear Nighthawk R6700. The UART console provides a direct serial connection to the device's internal components, including the operating system. The firmware fails to implement any authentication or access control mechanisms on this interface. This allows an attacker to connect to the UART port and directly interact with the underlying Linux system with root privileges. The root cause is a design flaw where the UART console is left open and unprotected, bypassing all other security layers.
While no specific APT groups are explicitly linked to this vulnerability, the ease of exploitation makes it attractive to a wide range of threat actors. This vulnerability could be used by financially motivated actors, state-sponsored actors, or even script kiddies. This vulnerability is not listed on the CISA KEV at the time of this report, but the ease of exploitation and the impact of the vulnerability make it a prime candidate for inclusion.
Unusual network traffic originating from the router, especially to external IP addresses that are not part of the normal network configuration.
Changes in the router's configuration, such as modified DNS settings, firewall rules, or user accounts.
Presence of unknown processes running on the router, identified through the router's web interface or by examining the filesystem.
Forensic analysis of the router's logs for suspicious activity, such as unauthorized command execution or attempts to access sensitive files.
Physical inspection of the router for signs of tampering, such as opened casing or modifications to the hardware.
Upgrade Firmware: Update the router's firmware to the latest version provided by Netgear. This is the primary and most effective remediation step. Ensure the firmware version addresses this specific vulnerability.
Restrict Physical Access: Implement physical security measures to prevent unauthorized access to the router. This includes securing the router in a locked location and monitoring physical access to the network infrastructure.
Disable UART (if possible): If the router's firmware allows it, disable the UART console entirely. This prevents attackers from using the serial connection.
Monitor Network Traffic: Implement network monitoring tools to detect suspicious activity originating from the router.
Regular Security Audits: Conduct regular security audits of the network and router configuration to identify and address potential vulnerabilities.
Change Default Credentials: Change the default administrative credentials for the router's web interface to strong, unique passwords.