In March, the Zero Day Initiative (ZDI) organized a competition called “Pwn2Own.” Several vulnerabilities were discovered during this event across various technology brands, including NetGear routers.
With the increasing threats targeting Internet of Things (IoT) devices, extensive research is being conducted to enhance their security measures.
Participating in the competition, cybersecurity solutions firm Claroty’s team82 focused on NetGear RAX30 routers and identified five high-severity vulnerabilities. These vulnerabilities could be exploited by malicious actors, enabling them to execute pre-authenticated remote code, inject commands, or bypass authentication.
The research team found that the router had a service called soap_serverd running on ports 5000 (HTTP) and 5043 (HTTPS) as API servers.
These servers handled SOAP messages related to management functionality, which were found to be vulnerable to a stack-based buffer overflow vulnerability. The vulnerabilities discovered by the research team are listed below:
An attacker could also use these vulnerabilities to access and control networked smart devices (security cameras, thermostats, smart locks), change router settings, including credentials or DNS settings, or use a compromised network to launch attacks against other devices or networks.
CVE-2023-27357: NETGEAR RAX30 GetInfo Missing Authentication Information Disclosure Vulnerability:
This vulnerability exists due to the absence of authentication for the “GetInfo” command. The response to this command contains device information such as model, serial number, firewall version, VPN version, and more.
CVE-2023-27368: NETGEAR RAX30 soap_serverd Stack-based Buffer Overflow Authentication Bypass Vulnerability:
This vulnerability arises from the soap_serverd service’s failure to check the data length.
The service first reads the HTTP headers and uses the sscanf function to extract the method, path, and HTTP version.
Although the absence of a length check opens the possibility for a stack-based buffer overflow vulnerability, the HTTP receive function on port 5000 checks the length of the HTTP header, limiting exploitability. However, the research team discovered a bypass for this limitation.
CVE-2023-27369: NETGEAR RAX30 soap_serverd Stack-based Buffer Overflow Authentication Bypass Vulnerability:
As mentioned, the soap_serverd service runs on ports 5043 (HTTPS or SSL) and 5000 (HTTP). Both ports have different socket read and write functions.
Connected to the previous vulnerability (CVE-2023-27368), the SOAP message read by port 5043 calls a socket read function that fails to verify the number of bytes read.
Exploiting this socket read function allows a threat actor to trigger a stack overflow by sending a large amount of data, leading to a stack-based buffer overflow.
CVE-2023-27370: Using soap_serverd Auth Bypass to Reset the Admin Password:
During router setup, users are prompted to create a unique password for authentication and set security questions for password recovery in case of forgetfulness.
This information is stored in plain-text (base64) in the device configuration. By utilizing the three vulnerabilities mentioned above, an attacker can bypass authentication and execute the GetConfigInfo command, which retrieves all the necessary information to reset the administrator password.
CVE-2023-27367: Authentication Bypass to Remote Code Execution (RCE) Using Magic Telnet and Command Injection:
By default, the telnet service on port 23 is not enabled on NetGear routers.
However, a vulnerability previously discovered in the libcms_cli module fails to validate user-supplied commands before executing system calls.
The research team employed an “open-telnet-magic-packet” to enable port 23 on the router, but the Telnet interface is still restricted to specific commands.
They found that the TFTP command was not filtered before execution and connected to CVE-2023-27370. Thus, this TFTP interface could be exploited.
NETGEAR has released security advisories for these vulnerabilities and requested their customers upgrade their RAX30 routers to fix these vulnerabilities.