CVE-2021-40847
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code as root on affected NETGEAR routers via a man-in-the-middle attack. The Circle update daemon downloads unsigned updates over HTTP, enabling attackers to inject malicious payloads. This affects multiple NETGEAR router models with specific firmware versions.
💻 Affected Systems
- NETGEAR R6400v2
- NETGEAR R6700
- NETGEAR R6700v3
- NETGEAR R6900
- NETGEAR R6900P
- NETGEAR R7000
- NETGEAR R7000P
- NETGEAR R7850
- NETGEAR R7900
- NETGEAR R8000
- NETGEAR RS400
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full root compromise of the router, allowing an attacker to intercept all network traffic, install persistent malware, pivot to internal network devices, and disable security controls.
Likely Case
Router compromise leading to DNS hijacking, credential theft from network traffic, and installation of backdoors for persistent access.
If Mitigated
Limited impact with proper network segmentation and monitoring, though router functionality could still be disrupted.
🎯 Exploit Status
Exploit requires MitM position but no authentication. Technical details and proof-of-concept are publicly available in research blogs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check NETGEAR security advisory for specific patched versions per model
Vendor Advisory: https://kb.netgear.com/000064039/Security-Advisory-for-Remote-Code-Execution-on-Some-Routers-PSV-2021-0204
Restart Required: Yes
Instructions:
1. Log into router admin interface.
2. Navigate to firmware update section.
3. Check for and apply latest firmware.
4. Reboot router after update.
5. Verify update completed successfully.
🔧 Temporary Workarounds
Disable Circle Update Daemon
Stop and disable the circled service to prevent vulnerable update checks:

```bash
killall circled
chmod -x /usr/sbin/circled
```
Block Outbound HTTP to Update Servers
Prevent router from contacting Circle/NETGEAR update servers via firewall rules:

```bash
iptables -A OUTPUT -p tcp --dport 80 -d update.circle.com -j DROP
iptables -A OUTPUT -p tcp --dport 80 -d update.netgear.com -j DROP
```
🧯 If You Can't Patch
- Segment router management interface to isolated VLAN with strict access controls
- Implement network monitoring for unusual outbound HTTP traffic from router to update domains
🔍 How to Verify
Check if Vulnerable:
Check the router firmware version against the affected versions list and verify whether the circled process is running: ps aux | grep circled
Check Version:
cat /proc/version or check router web interface firmware version
Verify Fix Applied:
Verify firmware version is updated beyond vulnerable versions and circled process is either updated or disabled
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP traffic to/from router on port 80
- Failed update attempts from circled daemon
- Unexpected process execution following update checks
Network Indicators:
- HTTP traffic to update.circle.com or update.netgear.com from router
- Unusual compressed file downloads to router
- Outbound connections from router on non-standard ports after update checks
SIEM Query:
source="router_logs" AND (dest_ip="update.circle.com" OR dest_ip="update.netgear.com") AND protocol="HTTP"
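The SIEM query above assumes the logs are already indexed. As an added example (not from the advisory or from NETGEAR), the script below applies the same network indicators offline to a handful of constructed key=value firewall/proxy log lines: it flags HTTP (port 80) requests from the router's LAN address to the two update hosts named in the workaround, and separately flags compressed-file downloads over HTTP from the router. The router address, the log format and the sample lines are assumptions made for the example; HTTPS traffic and traffic from other hosts are deliberately left unflagged so the output stays focused on the cleartext update channel this CVE abuses.

```python
import re
from dataclasses import dataclass

# Assumption: the router's LAN address as it appears in the firewall/proxy logs.
ROUTER_IP = "192.168.1.1"
# Update hosts taken from the advisory's firewall workaround.
UPDATE_HOSTS = {"update.circle.com", "update.netgear.com"}
# Archive extensions that would indicate an update bundle being fetched.
COMPRESSED = (".tgz", ".tar.gz", ".gz", ".zip", ".bz2", ".xz")

# Log lines are key=value tokens (constructed format for this example).
KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    line_no: int
    reason: str
    host: str
    uri: str


def parse(line):
    """Turn 'SRC=1.2.3.4 DPT=80 ...' into a dict of fields."""
    return {k: v for k, v in KV.findall(line)}


def check_line(line_no, line):
    """Return the alerts raised by a single log line (possibly none)."""
    f = parse(line)
    # Only outbound TCP from the router is relevant to this CVE.
    if f.get("SRC") != ROUTER_IP or f.get("PROTO") != "TCP":
        return []
    host = f.get("HOST", "")
    uri = f.get("URI", "")
    cleartext = f.get("DPT") == "80"
    alerts = []
    if cleartext and host in UPDATE_HOSTS:
        alerts.append(Alert(line_no, "cleartext update check", host, uri))
    if cleartext and uri.lower().endswith(COMPRESSED):
        alerts.append(Alert(line_no, "compressed download over HTTP", host, uri))
    return alerts


def scan(lines):
    """Scan an iterable of log lines; returns alerts in log order."""
    alerts = []
    for n, line in enumerate(lines, 1):
        alerts.extend(check_line(n, line))
    return alerts


# Constructed sample log: line 1 is a plain update check, line 2 fetches an
# archive over HTTP, lines 3-5 are benign (other host, HTTPS, unrelated site).
SAMPLE_LOG = [
    "2021-09-20T10:01:02Z router fw: SRC=192.168.1.1 DST=203.0.113.10 PROTO=TCP DPT=80 HOST=update.circle.com URI=/api/version",
    "2021-09-20T10:01:03Z router fw: SRC=192.168.1.1 DST=203.0.113.10 PROTO=TCP DPT=80 HOST=update.circle.com URI=/files/circle_update.tgz",
    "2021-09-20T10:02:10Z router fw: SRC=192.168.1.50 DST=203.0.113.20 PROTO=TCP DPT=80 HOST=update.netgear.com URI=/check",
    "2021-09-20T10:03:00Z router fw: SRC=192.168.1.1 DST=203.0.113.20 PROTO=TCP DPT=443 HOST=update.netgear.com URI=/check",
    "2021-09-20T10:04:00Z router fw: SRC=192.168.1.1 DST=198.51.100.5 PROTO=TCP DPT=80 HOST=example.com URI=/index.html",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.reason} ({a.host}{a.uri})")
```

Run against a real export by replacing SAMPLE_LOG with the file's lines; the two reasons map directly onto the "HTTP traffic to update hosts" and "unusual compressed file downloads" indicators listed above, so a single archive fetch over port 80 produces both alerts for the same line.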
🔗 References
- https://blog.grimm-co.com/2021/09/mama-always-told-me-not-to-trust.html
- https://kb.netgear.com/000064039/Security-Advisory-for-Remote-Code-Execution-on-Some-Routers-PSV-2021-0204