Securin Zero-Days

CVE-2016-11015 – Cross-Site Request Forgery in Netgear Router

Severity: High

Vendor

NetGear

Affected Product

JNR1010_firmware

CVE

CVE-2016-11015

Securin ID

2016-CSW-01-1016

Status

Fixed

Date

October 28, 2015

Description

A cross-site request forgery (CSRF) vulnerability was identified on NETGEAR JNR1010 devices before 1.0.0.32, which allow cgi-bin/webproc CSRF via the :InternetGatewayDevice.X_TWSZ-COM_URL_Filter.BlackList.1.URL parameter. This vulnerability is due to insufficient CSRF protections for the web UI on an affected device.
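As an added example (not Securin's or NETGEAR's code), the following Python shows the kind of server-side gate that "CSRF protections" refers to for a state-changing request to cgi-bin/webproc: method restriction, a same-origin check, and a session-bound token. The names `SERVER_KEY`, `csrf_token`, `issue_token`, `same_origin` and `is_request_allowed`, and the sample requests, are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Parameter name as given in the advisory; everything else here is assumed.
PARAM = ":InternetGatewayDevice.X_TWSZ-COM_URL_Filter.BlackList.1.URL"
SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-boot secret of the web UI


def issue_token(session_id: str) -> str:
    """Anti-CSRF token embedded in each settings form, bound to one session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers: dict) -> bool:
    """True only if Origin (or Referer) names the host that was addressed."""
    host = headers.get("Host", "")
    source = headers.get("Origin") or headers.get("Referer") or ""
    # Fail closed: a missing Host, a missing source, or "Origin: null" is refused.
    return bool(host) and urlsplit(source).netloc == host


def is_request_allowed(method: str, headers: dict, session_id: str, form: dict) -> bool:
    """Gate for state-changing requests to /cgi-bin/webproc."""
    if method != "POST":
        return False  # settings must never change on a followed link (GET)
    if not same_origin(headers):
        return False  # request was initiated from another site
    supplied = form.get("csrf_token", "").encode()
    expected = issue_token(session_id).encode()
    return hmac.compare_digest(supplied, expected)


def demo() -> dict:
    """Constructed sample requests: one from the router UI, two forged."""
    sid = "session-A"  # constructed session identifier
    ui = {"Host": "192.168.1.1", "Origin": "http://192.168.1.1"}
    other = {"Host": "192.168.1.1", "Origin": "http://other-site.example"}
    form = {PARAM: "blocked.example", "csrf_token": issue_token(sid)}
    return {
        "ui_form": is_request_allowed("POST", ui, sid, form),
        "cross_site": is_request_allowed("POST", other, sid, form),
        "no_token": is_request_allowed("POST", ui, sid, {PARAM: "blocked.example"}),
    }


if __name__ == "__main__":
    print(demo())
```

Only the request that carries both the router's own origin and the token issued to the active session passes; a request that lacks either is refused before any setting is written.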

Proof of Concept (POC):

We created a forged request by changing the value of a variable, in this case the InternetGatewayDevice.X_TWSZ-COM_URL_Filter.BlackList.1 variable in the URL http://router-ip/cgi-bin/webproc. The forged request was sent to the victim, who was forced to click on the malicious link generated by the attacker. The request is accepted across different sessions, which allows the attacker to change the settings of the victim’s router.

Figure 01: Blocked site keywords before the CSRF request was sent to the victim.

Figure 02: CSRF request is created by changing the Blocklist URL variable.

Figure 03: CSRF request is successfully submitted in the victim’s browser.

Note: Similarly, we can manipulate any request and can force the victim to access the link generated by the attacker to make changes to the router settings without the victim’s knowledge.

Impact

An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.

Remediations

Download the latest firmware and apply the update as per the vendor advisory.

Timeline

Oct 28, 2015: Discovered vulnerability in Netgear Router Firmware Version 1.0.0.24
Oct 28, 2015: Reported to vendor.
Nov 03, 2015: Netgear’s technical team addressed the issue after follow-up
Dec 13, 2015: Vulnerability got fixed
Dec 30, 2015: Updated Netgear Router JNR1010 version 1.0.0.32 was released
