PoC exploits released for Netgear router vulnerabilities

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Four vulnerabilities were recently disclosed, pertaining to the Netgear Orbi mesh wireless system, including the main hub and satellite routers.

The first of these vulnerabilities involved the Orbi Satellite, tracked as CVE-2022-37337 (CVSS v3: 9.1), which is a remotely exploitable command execution vulnerability in the access control functionality of the Netgear Orbi router. A Proof-of-Concept (PoC) has been released by Cisco Talos Intelligence for this vulnerability.

Two additional security flaws, tracked as CVE-2022-38452 (CVSS v3: 7.2) and CVE-2022-36429 (CVSS v3: 7.2), exist in the main Orbi router that could also lead to an arbitrary command execution if the threat actor sends a specially crafted network request or JSON object, respectively. CVE-2022-38452 is the only one of the four reported flaws that Netgear’s January firmware update did not address, so it remains unremedied. However, Cisco Talos has disclosed a PoC exploit for the vulnerability.

The final security issue, tracked as CVE-2022-38458 (CVSS v3: 6.5), also relates to the Orbi router. In this case, though, an adversary can carry out a man-in-the-middle attack to trick the service’s Web Services Management tool into disclosing sensitive information. A cleartext transmission problem impacting the Remote Management functionality of the Netgear Orbi router, enabling man-in-the-middle attacks that can lead to sensitive information disclosure.

It should be noted that the exploits require local access, valid login credentials, or the administrator console to be publicly accessible, for exploitation purposes.

Shodan searches have detected approximately 10,000 Orbi devices publicly accessible from the internet, with the majority located in the US. If any use the default administration credentials, they could potentially be vulnerable to attackers.

Impact

– CVE-2022-37337: A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5. Successful exploitation via a specially-crafted HTTP request could lead to an arbitrary command execution.
– CVE-2022-38452: A command execution vulnerability exists in the hidden telnet service functionality of Netgear Orbi Router RBR750 4.6.8.5. Successful exploitation via a specially-crafted network request could lead to arbitrary command execution.
– CVE-2022-36429: A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. Successful exploitation via a specially-crafted JSON object can lead to arbitrary command execution.
– CVE-2022-38458: A cleartext transmission vulnerability exists in the Remote Management functionality of Netgear Orbi Router RBR750 4.6.8.5. Successful exploitation via a specially-crafted man-in-the-middle attack could lead to a disclosure of sensitive data.

Vulnerability Detection

Security patches have been released for the following three vulnerabilities: CVE-2022-37337, CVE-2022-36429 and CVE-2022-38458. However, a patch is still under development for CVE-2022-38452.

Additionally, the following Snort rules will detect exploitation attempts against this vulnerability:

– 60474 – 60477
– 60499

Affected Products

Netgear Orbi mesh wireless system, including the main hub and satellite routers.

Containment, Mitigations & Remediations

Owners of Netgear Orbi 750 devices are strongly recommended to manually check to determine if they are running the latest product version and, if not, to upgrade to version 4.6.14.3 as soon as possible.

Users are encouraged to update these affected products as soon as possible: Netgear Orbi Satellite RBS750, version 4.6.8.5. Talos tested and confirmed that these versions of the Orbi system could be exploited by these vulnerabilities.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available at this time.

Threat Landscape

Netgear has a significant portion of the network hardware market share. Threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on. As a result, network hardware products can emerge as a prime target. Due to the fact that Netgear products have become an integral aspect of personal and business operations, threat actors will continue to exploit the associated vulnerabilities in an attempt to exfiltrate sensitive data contained therein or impact associated business operations.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Tactic:

TA0002 – Execution

Execution Technique:

T1203 – Exploitation for Client Execution

Further Information

Talos Intelligence Blog
Netgear Advisory