SB2023031011 - Multiple vulnerabilities in NETGEAR RAX devices
Published: March 10, 2023
Updated: April 25, 2024
Description
This security bulletin contains information about 16 security vulnerabilities.
1) Link following (CVE-ID: CVE-2023-27850)
The vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to a symlink following issue in the ReadyShare functionality. An attacker with physical access can reveal and modify arbitrary files on the device.
2) Code Injection (CVE-ID: CVE-2023-27851)
The vulnerability allows a local attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within default share configurations. An attacker with physical access can execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
3) Buffer overflow (CVE-ID: CVE-2023-27852)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the rex_cgi, reset_pwd.cgi and tm_block.cgi. A remote attacker on the local network can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
4) Buffer overflow (CVE-ID: CVE-2023-27853)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the soap_serverd service. A remote attacker on the local network can trigger memory corruption, perform a format string attack and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
5) Cross-site request forgery (CVE-ID: CVE-2023-1205)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the web interface. A remote user can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
6) Input validation error (CVE-ID: CVE-2023-27357)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input within the handling of SOAP requests. A remote attacker on the local network can pass specially crafted input to the device and execute arbitrary code on the system.
7) Improper Authentication (CVE-ID: CVE-2023-27358)
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists due to an error when processing authentication requests within the handling of specific SOAP requests. A remote attacker on the local network can bypass the authentication process and gain unauthorized access to the device.
8) OS Command Injection (CVE-ID: CVE-2023-27356)
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation within the logCtrl action. A remote user on the local network can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
9) Command Injection (CVE-ID: CVE-2023-27367)
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The vulnerability exists due to improper input validation within the libcms_cli module. A remote user on the local network can pass specially crafted data to the application and execute arbitrary commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
10) Stack-based buffer overflow (CVE-ID: CVE-2023-27368)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the soap_serverd binary. A remote unauthenticated attacker on the local network can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
11) Stack-based buffer overflow (CVE-ID: CVE-2023-27369)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the soap_serverd binary. A remote unauthenticated attacker on the local network can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
12) Cleartext storage of sensitive information (CVE-ID: CVE-2023-27370)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the storage of configuration secrets in plaintext. A remote user on the local network can gain access to stored credentials.
13) Configuration (CVE-ID: CVE-2023-27360)
The issue may allow a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to the misconfiguration of the lighttpd HTTP server. A remote user on the local network can execute arbitrary code on the target device.
14) Link following (CVE-ID: CVE-2023-34283)
The vulnerability allows a local attacker to gain access to potentially sensitive information.
The vulnerability exists due to improper handling of symbolic links on removable USB media. An attacker with physical access can create a symbolic link and gain unauthorized access to sensitive information on the system.
15) Use of hard-coded credentials (CVE-ID: CVE-2023-34284)
The vulnerability allows a remote attacker to gain full access to the vulnerable system.
The vulnerability exists due to the presence of hard-coded credentials in application code within the system configuration. A remote unauthenticated attacker on the local network can access the affected system using the hard-coded credentials.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
16) Buffer overflow (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote user on the local network can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Remediation
Install update from vendor's website.
References
- https://www.tenable.com/security/research/tra-2023-9
- https://kb.netgear.com/000065619/Security-Advisory-for-Multiple-Vulnerabilities-on-the-RAX30-PSV-2022-0348
- https://www.zerodayinitiative.com/advisories/ZDI-23-497/
- https://kb.netgear.com/000065617/Security-Advisory-for-Authentication-Bypass-on-Some-Routers-PSV-2022-0349
- https://www.zerodayinitiative.com/advisories/ZDI-23-502/
- https://kb.netgear.com/000065618/Security-Advisory-for-Post-authentication-Command-Injection-on-Some-Routers-PSV-2022-0350
- https://www.zerodayinitiative.com/advisories/ZDI-23-503/
- https://www.zerodayinitiative.com/advisories/ZDI-23-498/
- https://www.zerodayinitiative.com/advisories/ZDI-23-499/
- https://jvn.jp/en/vu/JVNVU91883072/index.html
- https://www.zerodayinitiative.com/advisories/ZDI-23-500/
- https://www.zerodayinitiative.com/advisories/ZDI-23-501/
- https://www.zerodayinitiative.com/advisories/ZDI-23-496/
- https://kb.netgear.com/000065559/Security-Advisory-for-Multiple-Vulnerabilities-on-the-RAX30-PSV-2022-0352
- https://kb.netgear.com/000065650/Security-Advisory-for-Multiple-Vulnerabilities-on-the-RAX30-PSV-2023-0003-PSV-2023-0004
- https://www.zerodayinitiative.com/advisories/ZDI-23-837/
- https://www.zerodayinitiative.com/advisories/ZDI-23-838/
- https://kb.netgear.com/000065649/Security-Advisory-for-Post-authentication-Buffer-Overflow-on-the-RAX30-PSV-2023-0002