Many home networks rely on the home router as the primary and only defense against internet-based threats. However, a recent high-severity buffer-overflow vulnerability in several popular Netgear home routers demonstrates why this should change to a defense-in-depth approach.
Here’s why this particular vulnerability matters and how you can use defense-in-depth principles to help safeguard your own home network.
What is a buffer overflow vulnerability and how does it work?
A buffer is a sequential section of memory allocated to contain information such as strings, integers, and more. When the buffer is working effectively, the information stored in the buffer is the same size or less than the allocated buffer size.
A buffer overflow occurs when the information to be stored in the buffer is greater than the size of the buffer. This extra information from the buffer must be stored somewhere, and so it ‘overflows’ into adjacent memory space, corrupting the data held in that memory space. Depending on how it occurs, this may mean it intrudes into the execution flow of other programs.
Typically the vulnerability is caused by a coding error, with certain programming languages being more susceptible than others. When additional software prevention mechanisms are not in place, the resulting memory corruption can start to execute previously unauthorized code.
When this effect can be predicted and repeated, it can become possible to pass unauthorized code to the adjacent memory space. Depending on the other protections in place in the software, this may result in:
- Gaining access to remote devices
- Elevation of privileges
- Arbitrary remote code execution
What was the Netgear vulnerability?
The Netgear vulnerability listed as CVE-2022-48196 was published on the National Institute of Standards and Technology (NIST) website on 12/30/2022. The advisory, and associated Netgear release (PSV-2019-0208), list the vulnerability as a ‘pre-authentication buffer overflow security vulnerability’, with a Common Vulnerability Scoring System (CVSS) score of 9.8, Critical.
While no proof-of-concept was provided, and none has been published at the time of writing, the listing of the vulnerability reveals some important information. As a pre-authentication vulnerability, a malicious actor would not require a device login. Further, no user interaction would be required in order to exploit the vulnerability. The high score (CVSS ranges from 0 – lowest to 10 – highest) of the vulnerability indicates that the impact of exploitation is high.
As a side note – a list of the devices impacted, and access to the firmware update to remove the vulnerability can be found here. It is highly recommended that you patch this vulnerability immediately.
Why the Netgear vulnerability matters
The home router is the primary line of defense against internet-based attacks for many homes. It often serves as the primary firewall, the key internal network connector, and more recently, the Internet of Things (IoT) device linker. Assuming that the home router is a ‘safe’ device, many home users have unencrypted network traffic behind the router, reduced security controls on internal endpoints, and IoT devices operating on the same Local Area Network (LAN) as the rest of the network.
CVE-2022-48196 demonstrates that even reputable companies and devices can contain critical vulnerabilities with the potential to compromise a home network. Further, as a pre-authentication vulnerability, it demonstrates that even with effective patch management and user access control, reliance on a single device to secure a home network is unlikely to be effective.
What is defense-in-depth?
Defense-in-depth is a security strategy that builds multiple layers of protection and defense into a network. This provides multiple points for intrusion detection and cybersecurity control application while eliminating the reliance on any single point of failure. The aim is to make it significantly more difficult for a malicious actor to breach a network, and if a breach occurs, to limit its impact.
As a security strategy, this approach is used broadly in industry and has been demonstrated to be effective.
Why defense-in-depth matters at home
The Netgear vulnerability demonstrates that applying a defense-in-depth approach to your home network is critical. The approach eliminates your reliance on a single device for security (in this case your Netgear router), makes compromising your home network more challenging, and limits the impact of any breaches which occur.
With the trend towards increasingly complex home networks and work-from-home arrangements, implementing a defense-in-depth approach has never been more important. Doing so helps ensure the safety and security of sensitive information, and can often be critical for work-from-home arrangements.
How to start implementing a defense-in-depth approach to your home network
There are a few simple steps you can take to start implementing your own defense-in-depth home network.
The steps below are by no means a comprehensive list of ‘things to do’, nor are they guaranteed to prevent you from being compromised. However, they will make your network more secure, are relatively straightforward to implement, and are generally low-cost to implement.
Here are the five steps you can take to start implementing a defense-in-depth approach to your home network:
- Encrypt your computer (endpoint) data. Most modern operating systems provide the ability to encrypt the data on your computer (known as data-at-rest) in a way that is transparent to you. Doing so will mean that even if a malicious actor gets access to your computer, they won’t get much from it.
- Use an on-device Virtual Private Network (VPN). VPNs encrypt your traffic network traffic, providing an extra layer of protection. When you do this on-device from your endpoint, you ensure that the traffic passing through your home router is encrypted in transit. As a result, even if your home router is compromised, your network traffic will reveal significantly less information.
- Use modern antivirus software (AV). Modern antivirus software has improved its efficacy. It provides protection against well-known threats, making your network more difficult to compromise. Some modern AVs also bundle on-device VPN, which may simplify your deployment.
- Separate your network into Virtual Local Area Networks (VLANs). Where possible, separate your IoT devices from the rest of your network, and if it makes sense, your ‘work’ devices from home devices. To make your VLAN separation even more effective, use a different device (and a different model) from your internet-facing router to perform the separation.
- Stay patched. Come up with a system to keep all your devices and applications patched. Work to go beyond your operating system and include all your devices, IoT devices, and the applications they may have running. Some modern AV solutions will also bundle this in their packages.
With these five steps, you’ll already have improved your home network significantly.