
If your Netgear Orbi router isn't patched, you'll want to change that pronto

Biz & IT
Mar 2023

If you rely on Netgear's Orbi mesh wireless system to connect to the Internet, you'll want to ensure it's running the latest firmware now that exploit code has been released for critical vulnerabilities in older versions.

The Netgear Orbi mesh wireless system comprises a main hub router and one or more satellite routers that extend the network's range. By setting up multiple access points in a home or office, they form a mesh system that ensures Wi-Fi coverage is available throughout.

Remotely injecting arbitrary commands

Last year, researchers on Cisco's Talos security team discovered four vulnerabilities and privately reported them to Netgear. The most severe of the vulnerabilities, tracked as CVE-2022-37337, resides in the access control functionality of the RBR750. Hackers can exploit it to remotely execute commands by sending specially crafted HTTP requests to the device. The hacker must first connect to the device, either by knowing the SSID password or by accessing an unprotected SSID. The severity of the flaw is rated 9.1 out of a possible 10.

In January, Netgear released firmware updates that patched the vulnerability. Now Talos has published proof-of-concept exploit code along with technical details.

"The access control functionality of the Orbi RBR750 allows a user to explicitly add devices (specified by MAC address and a hostname) to allow or block the specified device when attempting to access the network," Talos researchers wrote. "However, the dev_name parameter is vulnerable to command injection."
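The root cause Talos describes is a classic one: a hostname supplied by the client reaches a shell unvalidated. The following is an added example written for this article, not Netgear's or Talos's code. It shows what a hardened version of such an access-control handler looks like: the MAC address and hostname are validated against strict patterns before use, the command is built as an argv list (never a shell string), and a screening helper flags hostname values carrying shell metacharacters so that a log reviewer or proxy can spot attempts. The `acl_add` helper name and the sample device entries are assumptions constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Hostname rule (one DNS label, RFC 1123 style): letters, digits and hyphens,
# 1..63 characters, no leading or trailing hyphen. Everything else is rejected,
# which is what keeps ';', '$(', '`' and friends out of any later command.
HOSTNAME_RE = re.compile(r"^(?=.{1,63}$)[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
# Six colon-separated hex octets.
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
# Characters a POSIX shell treats specially; their presence in a hostname
# field is a reliable screening signal for an injection attempt.
SHELL_META = set(";|&`$()<>\n\r'\"\\ ")


def validate_device_entry(mac: str, dev_name: str) -> Tuple[str, str]:
    """Return a normalised (mac, dev_name) pair or raise ValueError."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError("malformed MAC address")
    if not HOSTNAME_RE.fullmatch(dev_name):
        raise ValueError("hostname contains disallowed characters")
    return mac.lower(), dev_name


def build_acl_argv(mac: str, dev_name: str) -> List[str]:
    """Build an argv list for a hypothetical 'acl_add' helper (assumed name).

    Validation runs first, and the result is a list meant for an exec-style
    call (e.g. subprocess.run(argv) without shell=True), so no shell ever
    tokenises the user-supplied fields.
    """
    mac, dev_name = validate_device_entry(mac, dev_name)
    return ["acl_add", "--mac", mac, "--name", dev_name]


def screen_request_value(field: str, value: str) -> Optional[str]:
    """Detection side: return an alert string if a hostname-type request
    field carries shell metacharacters, otherwise None."""
    found = sorted(c for c in set(value) if c in SHELL_META)
    if found:
        return f"{field}: suspicious characters {found!r}"
    return None


# Constructed sample requests (MAC, dev_name) as an access-control handler
# might receive them. These are invented for the example, not real traffic.
SAMPLE_ENTRIES = [
    ("AA:BB:CC:DD:EE:01", "kitchen-tablet"),   # valid
    ("AA:BB:CC:DD:EE:02", "guest laptop"),     # space: not a hostname
    ("AA:BB:CC:DD:EE:03", "tv$(id)"),          # constructed injection attempt
    ("ZZ:BB:CC:DD:EE:04", "printer"),          # malformed MAC
]


def review_entries(entries) -> Tuple[List[List[str]], List[Tuple[str, str]]]:
    """Process entries the hardened way: return (accepted argv lists,
    rejected (dev_name, reason) pairs)."""
    accepted, rejected = [], []
    for mac, dev_name in entries:
        try:
            accepted.append(build_acl_argv(mac, dev_name))
        except ValueError as exc:
            rejected.append((dev_name, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = review_entries(SAMPLE_ENTRIES)
    print("accepted:", ok)
    print("rejected:", bad)
    for _, name in SAMPLE_ENTRIES:
        alert = screen_request_value("dev_name", name)
        if alert:
            print("ALERT", alert)
```

The design point is that validation and exec-style invocation are two independent layers: even if a future change loosened the hostname pattern, an argv list handed to `exec` is never re-parsed by a shell, so a stray `;` becomes part of a (rejected or harmless) hostname rather than a second command.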

The exploit code released is:

The device will respond with the following:

Two other vulnerabilities Talos discovered also received patches in January. CVE-2022-36429 is also a remote command execution flaw that can be exploited by sending a sequence of malicious packets that create a specially crafted JSON object. Its severity rating is 7.2.

The exploit begins by using the SHA256 sum of the password with the username 'admin' to return an authentication cookie required to start an undocumented telnet session:

The 'ubus_rpc_session' token needed to start the hidden telnet service will then appear:

The adversary then adds a parameter called 'telnet_enable' to start the telnet service:

The same password used to generate the SHA256 hash with the username 'admin' will then allow an attacker to log into the service:

The other patched vulnerability is CVE-2022-38458, with a severity rating of 6.5. It stems from the device prompting users to enter a password over an HTTP connection, which isn't encrypted. An adversary on the same network can then sniff the password.
