Vulnerabilities in Netgear Nighthawk RAX30 routers

B2B Cyber Security ShortNews


A combination of five vulnerabilities in Netgear Nighthawk RAX30 routers allows attackers to monitor and manipulate Internet traffic and take over connected smart devices.

Security researchers from Team82, the research arm of cyber-physical systems (CPS) security specialist Claroty, discovered five vulnerabilities in the widely used Netgear Nighthawk RAX30 router as part of the Pwn2Own competition.

Vulnerability Set opens the door

Successful exploitation of this set of vulnerabilities allows attackers to monitor users' Internet activities, hijack Internet connections and redirect traffic to malicious websites or inject malware into network traffic. In addition, cybercriminals can access and control connected smart devices such as security cameras, thermostats or smart locks, change router settings including login credentials or DNS settings, or use a compromised network to launch attacks on other devices or networks. Netgear has now patched all vulnerabilities and strongly advises users to update their RAX30 routers.

Netgear patches are available

🔎 By linking the five CVEs, affected Netgear RAX30 routers can be compromised (Image: Claroty).

During the competition, Team82 found a stack-based buffer overflow. Such bugs are usually straightforward to exploit when no stack protection is present, but Netgear compiled all binaries on the RAX30 with stack canaries, which makes exploitation considerably harder. Stack canaries are a widely used mitigation against stack buffer overflow attacks.

The compiler places a small value (the canary) on the stack between the local variables and the saved return address and checks it for changes before the function returns. If the canary has been altered, the program aborts, so the overwritten return address is never used. In principle the mechanism can be bypassed in three ways: by finding a second vulnerability that leaks the canary value, by brute force (possible only in certain cases), and by a "logical" bypass in which the data written by the overflow is used for something security-relevant before the canary is checked, i.e. before the function returns. The last approach is often described as a bypass, but there are only a few published cases in which it has been used successfully.


Team82 chained five CVEs, plus one undocumented feature of the firmware, into an attack that bypasses the stack canary logically, using the overflow before the canary check runs:

1. CVE-2023-27357 (sensitive information exposed without authentication) is used to obtain the device's serial number.
2. CVE-2023-27369 (SSL read stack overflow) allows an attacker to send an HTTPS payload of unlimited length.
3. CVE-2023-27368 (sscanf stack overflow) is used to write a payload long enough to overwrite the stored socket IP address, which bypasses authentication and allows the device configuration to be read.
4. CVE-2023-27370 (plaintext secrets in the configuration) yields the security questions and answers in plaintext. Together with the serial number from step 1, they are used to change the admin password.
5. After the password has been changed, a "magic packet" can be sent to enable a restricted telnet server on the device.
6. Finally, CVE-2023-27367 (restricted shell escape) gives the attacker remote code execution as root on the device.

By linking the five CVEs, affected RAX30 routers can be compromised. The most serious vulnerability is remote code execution before authentication on the device.
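To make the "logical" canary bypass from the stack-canary discussion concrete, here is a constructed C model of step 3 above: a request handler whose fixed-size username buffer sits directly before the socket IP string it later consults for authorization. This is example code added here, not Claroty's exploit and not the RAX30 firmware; the frame layout, the field sizes, the fixed canary value, the localhost trust rule and the two sample payloads are all assumptions made for the demonstration. What it shows is that the authorization decision, and the response that hands out the configuration, happen inside the function, while the canary is verified only at return.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16
#define IP_LEN   16
#define CANARY_VALUE 0x0aff0d00u   /* fixed for the demo; a real canary is random per process */

/* Return codes: 0 = the function returned normally,
   -1 = canary mismatch, i.e. the point where __stack_chk_fail() would abort. */
enum { REQ_RETURNED = 0, REQ_STACK_SMASHED = -1 };

/* Constructed attacker input (assumption): 16 bytes fill the username field,
   then "127.0.0.1" plus its terminator land exactly on peer_ip.
   Nothing reaches the canary, so it never fires. */
static const char SPOOF_LOCALHOST[] = "AAAAAAAAAAAAAAAA" "127.0.0.1";

/* Constructed input that also clobbers the canary with "CCCC" (assumption). */
static const char SPOOF_AND_SMASH[] = "AAAAAAAAAAAAAAAA" "127.0.0.1\0BBBBBB" "CCCC";

int handle_request(const char *peer_ip_from_socket,
                   const char *body, size_t body_len,
                   char *resp, size_t resp_len)
{
    /* One flat array models the frame: [username][peer_ip][canary].
       Keeping all three in a single array keeps the demo well-defined C. */
    char frame[NAME_LEN + IP_LEN + sizeof(uint32_t)];
    char *username = frame;
    char *peer_ip  = frame + NAME_LEN;
    char *canary   = frame + NAME_LEN + IP_LEN;
    uint32_t expected = CANARY_VALUE, found;

    memset(frame, 0, sizeof frame);
    memcpy(canary, &expected, sizeof expected);          /* prologue: store canary */
    snprintf(peer_ip, IP_LEN, "%s", peer_ip_from_socket); /* filled from the socket */

    /* The bug: the request body is copied into a 16-byte field without a
       length check. (Clamped to the frame only so the demo stays inside the array.) */
    for (size_t i = 0; i < body_len && i < sizeof frame; i++)
        username[i] = body[i];

    /* Authorization is decided here, long before the function returns:
       requests that appear to come from localhost are trusted. */
    if (strncmp(peer_ip, "127.0.0.1", IP_LEN) == 0)
        snprintf(resp, resp_len, "200 config dump for %.*s", NAME_LEN, username);
    else
        snprintf(resp, resp_len, "401 unauthorized");

    /* Epilogue: the canary is checked only on the way out. */
    memcpy(&found, canary, sizeof found);
    return found == expected ? REQ_RETURNED : REQ_STACK_SMASHED;
}

int main(void)
{
    char resp[64];
    int rc;

    rc = handle_request("203.0.113.5", "alice", 5, resp, sizeof resp);
    printf("benign      : rc=%d  %s\n", rc, resp);

    rc = handle_request("203.0.113.5", SPOOF_LOCALHOST, sizeof SPOOF_LOCALHOST,
                        resp, sizeof resp);
    printf("spoof only  : rc=%d  %s\n", rc, resp);

    rc = handle_request("203.0.113.5", SPOOF_AND_SMASH, sizeof SPOOF_AND_SMASH - 1,
                        resp, sizeof resp);
    printf("spoof+smash : rc=%d  %s\n", rc, resp);
    return 0;
}
```

Compile with `cc -std=c99 demo.c && ./a.out`. The first payload stops short of the canary, so the function returns normally with a `200` response although the caller is remote. The second payload deliberately reaches the canary: the check fires on return, but the `200` response has already been produced, which is exactly why a canary limits control-flow hijack through the return address and not the use of corrupted local variables.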

More at Sophos.com

About Claroty

Claroty, the Industrial Cybersecurity Company, helps its global customers discover, protect and manage their OT, IoT and IIoT assets. The company's comprehensive platform can be seamlessly integrated into customers' existing infrastructure and processes and offers a wide range of industrial cybersecurity controls for transparency, threat detection, risk and vulnerability management and secure remote access - with significantly reduced total cost of ownership.
