NETGEAR has addressed five vulnerabilities in the NETGEAR RAX30 Router model. These vulnerabilities in NETGEAR’s Nighthawk RAX30 allow attackers to monitor users’ internet activity, highjack internet connections, and redirect traffic to malicious websites or inject malware into network traffic when chained together. It’s important to know how to fix these 5 vulnerabilities in the NETGEAR RAX30 Router model at the earliest.
A Short Note About NETGEAR RAX30 Router Model
The NETGEAR RAX30 Router Model is a powerful WiFi 6 router that capable of delivering seamless 4K streaming to smart TVs, gaming consoles, and mobile devices with up to 2.4 Gbps wireless speeds. Equipped with a robust 1.5 GHz triple-core processor and three high-power antennas, this router ensures maximum wireless coverage for an improved WiFi experience. Additionally, NETGEAR Armor provides automatic protection for all connected devices, safeguarding against online threats.
Technical Specifications:
- Processor: Powerful 1.5GHz Triple-Core Processor
- WiFi Technology : WiFi 6 (802.11ax) Dual-Band WiFi (AX2400)
- 2.4GHz: 1024/256-QAM 20/40MHz, up to 574Mbps
- 5GHz: 1024-QAM 20/40/80MHz, up to 1800Mbps
- Backward compatible with 802.11 a/b/g/n/ac WiFi
- WiFi Speed : AX2400 (574 + 1800Mbps)
- WiFi Range: Small to medium homes
- WiFi Band: Dual-Band 5GHz + 2.4GHz
- Beamforming: Boosts speed, reliability, and range of WiFi connections for 2.4 and 5GHz
- Gigabit Ethernet Ports: Five (5) 10/100/1000Mbps Gigabit Ethernet ports (1 WAN & 4 LAN)
- Processor: Powerful triple-core 1.5GHz processor
- USB Ports: One (1) USB 3.0 ports
List Of Vulnerabilities In NETGEAR RAX30 Router
Team82 uncovered five vulnerabilities in NETGEAR RAX30 Router in a hacking competition ‘Pwn2Own Toronto hacking competition‘ held in Toronto in December 2022. Out of the five vulnerabilities three are categorized as high-severity vulnerabilities and two are medium. These flaws, if exploited successfully, could give threat actors unimpeded access to your digital life.
Let’s explore each one of them one after the other.
CVE-2023-27357: The Unauthenticated Information Disclosure Vulnerability
This flaw opens the door for attackers in proximity to the network to expose sensitive data on affected NETGEAR RAX30 routers. The most unsettling part? Authentication isn’t required for exploitation.
The root of the issue lies in the handling of SOAP (Simple Object Access Protocol) requests. The flaw emerges due to the absence of an authentication process before permitting access to functionalities. This loophole could allow an attacker to expose sensitive information, leading to further network compromise.
CVE-2023-27369: The Code Execution Vulnerability
This vulnerability provides network-adjacent attackers an opportunity to execute arbitrary code on affected installations of NETGEAR RAX30. Like the previous flaw, this one doesn’t require authentication for exploitation either.
The specific weakness resides within the ‘soap_serverd’ binary. When processing the request headers, the process fails to validate the length of user-supplied data before copying it to a fixed-length stack-based buffer. An attacker could exploit this flaw to bypass the system’s authentication.
CVE-2023-27368: The Authentication Bypass Vulnerability
This flaw allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30 routers, bypassing authentication without any difficulty.
The flaw lies within the ‘soap_serverd’ binary. Similar to the previous vulnerability, the issue stems from the improper validation of user-supplied data length before copying it to a fixed-length stack-based buffer during the parsing of SOAP message headers. This vulnerability could be exploited by an attacker to bypass system authentication.
CVE-2023-27367: The Remote Code Execution Vulnerability
This vulnerability enables network-adjacent attackers to execute arbitrary code on affected NETGEAR RAX30 routers. Though exploitation of this vulnerability technically requires authentication, the existing authentication mechanism can be easily bypassed.
This specific flaw exists within the ‘libcms_cli’ module. The issue arises from the lack of proper validation of user-supplied commands before using them to execute a system call. By exploiting this flaw, an attacker could execute code in the context of root.
CVE-2023-27370: The Sensitive Information Disclosure Vulnerability
This vulnerability presents network-adjacent attackers with the opportunity to disclose sensitive information on affected NETGEAR RAX30 routers. While exploitation requires authentication, the existing authentication mechanism can be bypassed.
The flaw originates from the handling of device configuration. The issue arises due to the storage of configuration secrets in plaintext. Exploiting this vulnerability allows an attacker to expose stored credentials, leading to further compromise.
For complete technical details, visit this link.
How a Hacker Could Compromise the Vulnerable NETGEAR RAX30 Routers by String These Vulnerabilities?
Team82 illustrated how these vulnerabilities can be exploited to compromise vulnerable NETGEAR RAX30 Routers by string them together. Also said, attackers could bypass binary protection mechanisms such as stack canaries in their POC.
Image Source: claroty.com
How Does Exploit Chain Work?
Time needed: 10 hours.
In the realm of cybersecurity, a single vulnerability can be a gateway to major breaches, but an exploit chain, as recently demonstrated by Team82, is an entirely different level of threat. This group of researchers managed to chain together five Common Vulnerabilities and Exposures (CVEs) in NETGEAR’s Nighthawk RAX30 routers to achieve remote code execution. Here’s how they did it.
- Step One: Retrieving Device Serial Number by Unmasking Sensitive Information – CVE-2023-27357To kickstart the exploit chain, Team82 made use of CVE-2023-27357, which exposed sensitive information without the need for authentication. Leveraging this vulnerability, they managed to retrieve the device’s serial number – a crucial piece of information that would prove valuable later in the chain.
- Step Two: Sending Unrestricted Payloads by Bypassing Size Restrictions – CVE-2023-27369The next link in the chain was CVE-2023-27369, a stack overflow vulnerability in the SSL Read function. This vulnerability allowed the researchers to send an oversized HTTPS payload without any size restrictions, further paving the way for exploitation.
- Step Three: Overwriting Socket IP and Bypassing Authentication – CVE-2023-27368The third vulnerability, CVE-2023-27368, was another stack overflow, this time in the sscanf function. This allowed Team82 to craft a payload large enough to overwrite the socket IP, effectively bypassing authentication and granting them the ability to read the device configuration.
- Step Four: Extracting Plain Text Secrets – CVE-2023-27370CVE-2023-27370 was another critical link in the chain. This vulnerability exposed plain-text security questions and answers within the device’s configuration. Coupled with the serial number obtained earlier, Team82 was able to change the admin password, further deepening their control over the device.
- Step Five: Gaining Root Access – CVE-2023-27367After successfully changing the admin password, Team82 used it to send a magic packet that enabled a restricted telnet server on the device. The final piece of the puzzle was CVE-2023-27367, a vulnerability that allowed for a restricted shell escape. By exploiting this, they achieved root access to remote code execution on the device.
See Also Two Zero-Day Unpatched Vulnerabilities in TP-Link Routers
How to Fix 5 Vulnerabilities in NETGEAR RAX30 Router?
NETGEAR responded these vulnerabilities by releasing patches. Users of Netgear RAX30 routers are strongly recommended to update their firmware to version 1.0.10.94.
There could be different ways to upgrade the firmware. Firmware upgradation through the Nighthawk app is the easiest way to upgrade firmware. You can click here for more information. The second popular method is to upgrade firmware through the Web Browser. You can learn about upgrading firmware through a web browser from here. However, if you are on a corporate network manual firmware upgrade would be the best option to go with.
Method 1: How to Update the NETGEAR products using the Nighthawk app?
This method is best for home users.
- Download the Netgear app for your iOS or Android devices.
- Connect your smartphone to the WiFi network.
- Open the Netgear app.
- Login to the dashboard with router admin credentials.
- Tap on your router.
- Brose to Settings and hit on Check For Updates.
- If your device has updates, then you will see update enabled. Click on Update.
Method 2: How to Update the NETGEAR products using the Nighthawk app?
This method is good for homes, small shops, or small businesses where the devices are installed on the personal network.
- Connect your computer to your router through a wired or wireless connection.
- Open the web browser and browse routerlogin.net.
- Login to the web dashboard with router admin credentials.
- Select ADVANCED > Administration or Settings > Administration.
- Select Firmware Update or Router Update.
- Click Check.
- If your device has updates, then click Yes to upgrade the firmware.
Method 3: How to Update the NETGEAR products manually?
This is the preferable method for devices on the small to large size corporate network.
- Connect your system with an Ethernet cable or Wifi.
- Visit the NETGEAR Support.
- Input the Product Name or router’s Model Number.
- Click Downloads.
- Choose a firmware version and click Download.
- Enter routerlogin.net into the web browser.
- Enter the admin username and password.
- Select Advanced> Administration.
- Select Router Update or Firmware Update.
- Click Browse or Choose File. Locate and select the file that ends in .chk or .img.
- Click the Upload button. The firmware update starts, and the process takes a few minutes.