Trustwave has issued an advisory on security vulnerabilities in Netgear routers; the vulnerabilities have been patched in firmware updates.
The bugs affect 17 router models, including the Netgear R8500 Nighthawk X8, running firmware 126.96.36.199 or earlier.
The security flaws were:
- Arbitrary file read – routers let you read any file from the device, provided the path to the file is known.
- Authentication bypass – trivial and affects all 17 routers.
- Command injection on some routers after authentication.
- Chained command injection – anyone can run commands as root by exploiting several vulnerabilities in sequence.
- Command execution as root when WPS is activated – 6 products affected.
Trustwave commended Netgear for its responsive and communicative PSIRT team.
Patches for the issues above are available from Netgear.