Vulnerabilities in Netgear Nighthawk RAX30 routers

B2B Cyber Security ShortNews


A combination of five vulnerabilities in Netgear Nighthawk RAX30 routers allows attackers to monitor and manipulate Internet traffic and take over connected smart devices.

Security researchers from Team82, the research department of cyber-physical systems (CPS) security specialist Claroty, have discovered five vulnerabilities in the widely used Netgear Nighthawk RAX30 router as part of the Pwn2Own competition.

Vulnerability Set opens the door

Successful exploitation of this set of vulnerabilities allows attackers to monitor users' Internet activities, hijack Internet connections and redirect traffic to malicious websites or inject malware into network traffic. In addition, cybercriminals can access and control connected smart devices such as security cameras, thermostats or smart locks, change router settings including login credentials or DNS settings, or use a compromised network to launch attacks on other devices or networks. Netgear has now patched all vulnerabilities and strongly advises users to update their RAX30 routers.

Netgear patches are available

🔎 By linking the five CVEs, affected Netgear RAX30 routers can be compromised (Image: Claroty).

Team82 security researchers discovered a stack-based buffer overflow vulnerability as part of the hacker competition. These types of vulnerabilities are usually easy to exploit in the absence of stack protections. However, Netgear has compiled all binaries in the RAX30 router with stack canaries, making exploitation much more difficult. Stack canaries are a widely used security mechanism that helps protect against buffer overflow attacks.

The mechanism places a small value on the stack (the so-called canary) that is checked for changes before a function returns. If the canary has been tampered with, the program terminates to prevent further attacks. In principle, this protective mechanism can be bypassed in three ways: by identifying another vulnerability that leaks the canary, by brute force (which is only possible in certain cases), and by a "logical" workaround that makes use of the overflow before the canary is checked. Although the latter is often described as a circumvention, in practice there are only a few examples where this technique has been used successfully.
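To make the canary mechanism described above concrete, here is an added C example; it is not Claroty's research code and not Netgear firmware code. It models a stack frame as a struct (buffer, then guard, then the saved control data the guard protects), performs an unchecked copy into the buffer, and then runs the comparison that a compiler-inserted canary (for example GCC's `-fstack-protector`) performs in the function epilogue. The frame layout, the constant guard value, and the `run_guarded_copy` and `demo_overflow` helpers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of a stack canary check. Real canaries are randomised
 * per process and, on many platforms, contain a zero byte so that string
 * copies stop early; this constructed constant is for the demo only. */
#define BUF_SIZE     16
#define CANARY_VALUE 0xDEADBEEFCAFEF00DULL

/* Model of a stack frame. Real layouts vary by compiler and ABI; what matters
 * here is that the guard sits between the local buffer and the control data. */
struct frame {
    char     buf[BUF_SIZE];
    uint64_t canary;
    uint64_t saved_return;   /* stands in for the saved return address */
};

enum canary_result { CANARY_INTACT = 0, CANARY_TAMPERED = 1 };

/* Copy `len` bytes of untrusted input into the frame's buffer without a bounds
 * check (the defect class discussed in the article), then perform the guard
 * comparison that the epilogue would perform. The copy is clamped to the size
 * of the model frame so that this demo itself stays well defined. */
enum canary_result run_guarded_copy(const unsigned char *input, size_t len)
{
    struct frame f;
    unsigned char *bytes = (unsigned char *)&f;

    f.canary = CANARY_VALUE;                  /* prologue: place the guard */
    f.saved_return = 0x4242424242424242ULL;   /* constructed placeholder */
    memset(f.buf, 0, sizeof f.buf);

    if (len > sizeof f)                       /* keep the model in bounds */
        len = sizeof f;
    memcpy(bytes + offsetof(struct frame, buf), input, len); /* unchecked copy */

    /* epilogue: compare the guard before "returning"; real code calls
     * __stack_chk_fail() here, which aborts the process */
    if (f.canary != CANARY_VALUE)
        return CANARY_TAMPERED;
    return CANARY_INTACT;
}

/* Helper: feed `len` bytes of constructed filler ('A') to the guarded copy. */
enum canary_result demo_overflow(size_t len)
{
    unsigned char filler[64];
    if (len > sizeof filler)
        len = sizeof filler;
    memset(filler, 'A', sizeof filler);
    return run_guarded_copy(filler, len);
}

int main(void)
{
    size_t lens[] = { 5, 16, 17, 40 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("%2zu bytes: canary %s\n", lens[i],
               demo_overflow(lens[i]) == CANARY_INTACT ? "intact" : "tampered");
    }
    return 0;
}
```

Note that the check only runs when the function is about to return: a write of exactly 16 bytes fills the buffer and passes, 17 bytes touch the guard and are caught, and anything the function does between the overwrite and the epilogue happens before detection, which is what the "logical" bypass in the paragraph above refers to.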


Team82 found a series of five vulnerabilities that logically bypassed the stack canary, allowing for an attack:

1. CVE-2023-27357 (Sensitive information exposed without authentication) is used to determine the serial number of the device.
2. CVE-2023-27369 (SSL read stack overflow) allows attackers to send an unlimited HTTPS payload.
3. CVE-2023-27368 (sscanf stack overflow) is used to write a payload long enough to overwrite the socket IP, bypass authentication, and read the device configuration.
4. CVE-2023-27370 (Plain text secrets in the configuration) is used to get the plain text security questions and answers. Together with the serial number (step 1), the admin password can be changed.
5. After changing the password, a "magic packet" can be sent to activate a restricted telnet server on the device.
6. Finally, CVE-2023-27367 (Restricted shell escape) gives attackers remote code execution with root access on the device.

By linking the five CVEs, affected RAX30 routers can be compromised. The most serious vulnerability is remote code execution before authentication on the device.

More at Sophos.com

About Claroty

Claroty, the Industrial Cybersecurity Company, helps its global customers discover, protect and manage their OT, IoT and IIoT assets. The company's comprehensive platform can be seamlessly integrated into customers' existing infrastructure and processes and offers a wide range of industrial cybersecurity controls for transparency, threat detection, risk and vulnerability management and secure remote access - with significantly reduced total cost of ownership.

