What makes this vulnerability particularly interesting, is that even though it exists in a third-party component included in the firmware, it is just as damaging as a vulnerability that exists in the Netgear core’s firmware, because of the fact that Circle runs with root permissions.
“The Circle update daemon that contains the vulnerability is enabled to run by default, even if you haven’t configured your router to use the parental control features. While it doesn’t fix the underlying issue, simply disabling the vulnerable code when Circle is not in use would have prevented exploitation on most devices,” notes Adam Nichols, researcher with cybersecurity experts GRIMM.
Nichols suggests the vulnerability serves as a cautionary tale, and helps demonstrate the importance of attack surface reduction.
Don’t talk to strangers
Under normal circumstances, a simple mitigation for the vulnerability (tracked as CVE-2021-40847) in Circle would have been to disable the service. However, this wouldn’t work here, since the vulnerability actually exists in Circle’s update daemon, circled, which too is enabled by default.
In the post, Nichols explains that the update process relies on fetching unsigned updates over the unencrypted HTTP protocol. He reasons that an attacker can hijack the update process via a Man-in-the-Middle (MitM) attack, which would enable them to run code as root on the device.
While Netgear has issued patches to fix the issue, GRIMM recommends the use of VPN to mitigate the risk posed by compromisable network routers.