Not long ago, it was discovered that Cisco SMB devices contain a root-level security hole. The bug was classified as a serious threat, scoring a 10 on the CVSS. Eloi Vanderbéken published a range of devices with the same issue on GitHub, including some PoC code to exploit this hole. A method for patching Netgear devices was published at the ShinyNightMares blog.
The backdoor required no authentication and allowed an attacker to execute commands remotely, namely:
- remote root shell
- NVRAM configuration dump: Wifi and/or PPPoE credentials can be extracted for instance
- file copy
Scanning for TCP 32764 in the wild has increased in recent times, probably from bots preying on this low-hanging fruit. Quarkslab's fix for the problem follows the same path that a potential attacker would use: get a remote root shell, dump the NVRAM configuration and patch the root image.
A complete writeup can be found here.
At the same time, Cisco has released a patch for their SMB devices as can be seen in this recent tweet:
@techweez Just Released! Fix for the Unauthorized Access Vulnerability in WAP4410N – http://t.co/v5VlRdYoIh #cisco #fix
— Cisco SB Support (@CiscoSBsupport) January 23, 2014
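To check your own perimeter for the TCP 32764 scanning mentioned above, the following added example (not from the original post or from any project it names) counts new inbound connection attempts to that port per source and lists hosts that answered from it. The log lines are constructed in netfilter LOG style, and the function names are illustrative assumptions.

```python
import re
from collections import defaultdict

BACKDOOR_PORT = "32764"  # TCP port named on this page

# Constructed sample in netfilter LOG style (documentation address ranges only).
SAMPLE_LOG = """\
Jan 23 10:01:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40112 DPT=32764 SYN
Jan 23 10:01:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.11 PROTO=TCP SPT=40113 DPT=32764 SYN
Jan 23 10:01:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.12 PROTO=TCP SPT=40114 DPT=32764 SYN
Jan 23 10:01:03 gw kernel: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP SPT=32764 DPT=40112 ACK SYN
Jan 23 10:05:40 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=32764 SYN
Jan 23 10:05:41 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=51001 DPT=443 SYN
Jan 23 10:06:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 PROTO=UDP SPT=5353 DPT=32764
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=value pairs (value may be empty)
FLAG_RE = re.compile(r"\b(SYN|ACK)\b")       # bare TCP flag tokens

def parse_line(line):
    """Split one LOG line into its KEY=value fields and its set of TCP flags."""
    return dict(FIELD_RE.findall(line)), set(FLAG_RE.findall(line))

def probes(log_text, port=BACKDOOR_PORT):
    """Per source: (src, attempts, distinct targets) for new TCP connections to port."""
    hits = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        f, flags = parse_line(line)
        if f.get("PROTO") != "TCP" or f.get("DPT") != port:
            continue
        if flags != {"SYN"}:          # keep only the initial SYN, not replies
            continue
        if f.get("SRC") and f.get("DST"):
            hits[f["SRC"]][0] += 1
            hits[f["SRC"]][1].add(f["DST"])
    rows = [(src, n, len(dsts)) for src, (n, dsts) in hits.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def responders(log_text, port=BACKDOOR_PORT):
    """Hosts that sent SYN+ACK from the port, i.e. something is listening there."""
    found = set()
    for line in log_text.splitlines():
        f, flags = parse_line(line)
        if f.get("PROTO") == "TCP" and f.get("SPT") == port and flags == {"SYN", "ACK"}:
            found.add(f.get("SRC"))
    return sorted(found)

if __name__ == "__main__":
    for src, attempts, targets in probes(SAMPLE_LOG):
        print(f"{src}: {attempts} attempts against {targets} hosts")
    print("answering on the port:", responders(SAMPLE_LOG))
```

A source that touches many distinct targets is sweeping the range, and any address returned by `responders` is a device to patch or firewall first.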