Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Netgear Nighthawk RAX43 Multiple Vulnerabilities

Critical

Synopsis

The following security-related issues have been found in the latest available firmware for the Nighthawk RAX43 consumer routing device (1.0.3.96 at the time of this writing).

Unauthenticated Command Injection / Authentication Bypass Buffer Overrun via LAN Interface

This vulnerability is a combination of two separate bugs.

The first of which is a buffer overrun in the URL parsing functionality of post requests intended for the cgi-bin endpoint.

When sending a POST request to the "cgi-bin" endpoint on the router, the request gets routed to a function that parses the URL, various path information, and parameters.

The structure of the expected URL is as follows: HTTP://<router LAN IP>/cgi-bin/<CGI name>.cgi?<query string>

The query string in the above appears to be a character array with a static size of 256. There is an additional character array in this parsing function that appears to handle what debug output calls PATH_INFO and what we have assumed to be an API path of sorts. Under normal circumstances, it does not appear that this PATH_INFO variable is ever set to anything other than NULL. Due to an erroneous strlcpy() call in this parsing function, however, it is possible to overflow the query string parameter and cause the PATH_INFO variable to be set, which causes the designated cgi binary to run based on the API path provided without authentication being required. We have assigned this issue a CVSS score of CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L under identifier CVE-2021-20166.

The second bug occurs in the readycloud_control.cgi binary. When accessing the "/api/users" API endpoint, the "name" parameter is passed unsanitized into a system() call, which results in command injection as root. It should be noted that readycloud functionality does not need to be explicitly enabled to trigger this command injection due to the aforementioned bypass bug. All default configurations are vulnerable to this, including devices that have remote management enabled via the WAN. Under normal circumstances, this API path requires authentication in order to access. We have assigned a CVSS score of CVSS:3.0/AV:A/AC:L/PR:S/UI:N/S:U/C:H/I:H/A:H to this issue with identifier CVE-2021-201667

By combining these two flaws, unauthenticated command injection as root becomes possible. The following proof of concept demonstrates both flaws in tandem:

POST /cgi-bin/readycloud_control.cgi?1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111/api/users HTTP/1.1
Content-Length: 49

"name":"';$(id > /tmp/id);'",
"email":"[email protected]"

Default HTTP Communication - CVE-2021-20168

By default, all communication to/from the device is sent via HTTP, which causes potentially sensitive information (such as usernames and passwords) to be transmitted in cleartext. We recommend using HTTPS as the default.

We have assigned this issue a CVSS score of CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N.

Insufficient UART Protection Mechanisms - CVE-2021-20169

A malicious actor with physical access to the device is able to connect to the UART port via a serial connection, login with default credentials, and execute commands as the root user. These default credentials are admin:admin. We recommend disabling this UART console for production runs, or at least enforcing the same password mechanisms used for other functionality in the device (such as the web UI).

We have assigned this issue a CVSS score of CVSS:3.0/AV: P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Configuration Manipulation via Hardcoded Encryption Key - CVE-2021-20170

It does not appear that normal users are intended to be able to manipulate configuration backups due to the fact that they are encrypted. This encryption is accomplished via a password-protected zip file with a hardcoded password (RAX50w!a4udk). By unzipping the configuration using this password, a user can reconfigure settings not intended to be manipulated, re-zip the configuration, and restore a backup causing these settings to be changed.

We have assigned this issue a CVSS score of CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H.

Plaintext Password Storage - CVE-2021-20171

All usernames and passwords for the device's associated services are stored in plaintext on the device. For example, the admin password is stored in plaintext in the primary configuration file on the device.

We have assigned this issue a CVSS score of CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

Multiple Instances of Known Vulnerable jQuery Libraries

Several instances of jQuery libraries known to contain vulnerabilities are still in use (such as jquery 1.4.2).

Known Vulnerable minidlna.exe Service

The version of minidlna.exe running on the device contains publicly known vulnerabilities.

Solution

Apply vendor-supplied patches once available. Tenable has not been made aware of available patches at the time of this writing.

Disclosure Timeline

September 30, 2021 - Tenable discloses to vendor.
October 4, 2021 - Vendor provides formal acknowledgment.
October 26, 2021 - Tenable requests status update.
November 12, 2021 - Vendor provides status update and requests clarification. Tenable provides clarification.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID
TRA-2021-55
Credit

Evan Grant, Jimi Sebree

CVSSv3 Base / Temporal Score
8.8 / 8.2
CVSSv3 Vector
AV:A/AC:L/PR:S/UI:N/S:U/C:H/I:H/A:H
Affected Products
Netgear Nighthawk RAX43
Risk Factor
Critical

Advisory Timeline

December 30, 2021 - Initial release.
tenable.io

FREE FOR 30 DAYS


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Tenable.io FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable.cs

FREE FOR 30 DAYS Enjoy full access to detect and fix cloud infrastructure misconfigurations in the design, build and runtime phases of your software development lifecycle.

Buy Tenable.cs

Contact a Sales Representative to learn more about Cloud Security and how you can secure every step from code to cloud.