Quarkslab’s Writeup on Common Router Bug TCP 32764, Cisco Just Released Patch For Their Devices


Not long ago, it was discovered that Cisco SMB devices contain a root-level security hole. The bug was classified as a serious threat, scoring a 10 on the CVSS. Eloi Vanderbéken published a list of devices with the same issue on GitHub, along with some PoC code to exploit this hole. A method for patching Netgear devices was published at the ShinyNightMares blog.

The backdoor required no authentication and allowed an attacker to execute commands remotely, namely:

  • remote root shell
  • NVRAM configuration dump: Wi-Fi and/or PPPoE credentials can be extracted, for instance
  • file copy

Scanning for TCP 32764 in the wild has increased in recent times – probably bots preying on this low-hanging fruit. Quarkslab's fix for the problem follows the same path that potential attackers would use: get a remote root shell, dump the NVRAM configs and patch the root image.
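A defender-side view of the scanning mentioned above, as an added example that is not from Quarkslab's write-up or the original post: it tallies probes to TCP 32764 in netfilter LOG lines per day and per source, and lists any that the firewall let through. The sample lines, the `FW-DROP`/`FW-ACCEPT` log prefixes and the `summarize` helper are assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict

BACKDOOR_PORT = 32764  # TCP port named in the write-up

# Constructed sample lines in the netfilter LOG format. Addresses come from
# documentation ranges; the FW-DROP / FW-ACCEPT log prefixes are assumed.
SAMPLE_LOG = """\
Jan 12 03:14:07 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51234 DPT=32764 SYN
Jan 12 03:14:09 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.11 LEN=60 PROTO=TCP SPT=51240 DPT=32764 SYN
Jan 12 09:02:41 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN
Jan 13 11:30:00 gw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=192.0.2.44 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=33333 DPT=32764 SYN
Jan 13 11:30:05 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.12 LEN=60 PROTO=UDP SPT=33333 DPT=32764
"""

# Syslog date, time, host, "kernel:", optional uptime stamp, rule prefix, fields.
LINE_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+)\s+[\d:]+\s+\S+\s+kernel:\s+"
    r"(?:\[\s*[\d.]+\]\s+)?(?P<prefix>\S+)\s+(?P<fields>.*)$")


def summarize(log_text, port=BACKDOOR_PORT, accept_prefix="FW-ACCEPT"):
    """Return (probes per day, source -> destinations probed, accepted probes)."""
    per_day = Counter()
    sources = defaultdict(set)
    accepted = []  # probes the firewall did not block
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a netfilter LOG line
        # KEY=VALUE tokens; bare flags such as SYN carry no "=" and are skipped.
        kv = dict(t.split("=", 1) for t in m["fields"].split() if "=" in t)
        if kv.get("PROTO") != "TCP" or kv.get("DPT") != str(port):
            continue
        src, dst = kv.get("SRC", "?"), kv.get("DST", "?")
        per_day[m["day"]] += 1
        sources[src].add(dst)
        if m["prefix"].startswith(accept_prefix):
            accepted.append((src, dst))
    return per_day, sources, accepted


if __name__ == "__main__":
    per_day, sources, accepted = summarize(SAMPLE_LOG)
    for day, n in per_day.items():
        print(f"{day}: {n} probe(s) to TCP {BACKDOOR_PORT}")
    for src, dsts in sources.items():
        print(f"{src} probed {len(dsts)} host(s)")
    for src, dst in accepted:
        print(f"NOT BLOCKED: {src} -> {dst}, check that device")
```

Any entry in the accepted list points at a host whose port 32764 was reachable from outside, which is where to look first for an affected device.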

A complete writeup can be found here.

At the same time, Cisco has released a patch for their SMB devices as can be seen in this recent tweet: