Silicon Valley vendor tackles command injection and MitM-to-RCE issues
Vulnerabilities in a third-party module within the firmware of NETGEAR routers and Orbi WiFi Systems could lead to arbitrary code execution on affected devices.
The component in question is FunJSQ, “a third-party gaming speed-improvement service” developed by China-based Xiamen Xunwang Network Technology, included in NETGEAR firmware images, according to a security advisory published yesterday (September 15) by European IoT security firm ONEKEY.
Now patched, the high severity flaws included an unauthenticated command injection flaw (CVE-2022-40619), and an insecure auto-update mechanism (CVE-2022-40620) that enabled manipulator-in-the-middle (MitM) attacks, potentially leading to remote code execution (RCE).
The issues, which were both given a CVSS score of 7.7, can only be exploited if an attacker has the victim’s WiFi password or access to an Ethernet connection to the router, according to a NETGEAR advisory.
Moreover, ONEKEY indicated that FunJSQ is seemingly only enabled when the Quality of Service (QoS) feature, which prioritizes internet traffic for applications like VoIP or online gaming, is also activated.
Insecure auto-update
The insecure auto-update mechanism led to arbitrary code execution from the WAN interface due to a trio of issues.
First, insecure communications arose from the “explicit disabling of certificate validation (-k), which allows us to tamper with data returned from the server”, according to ONEKEY researchers.
Second, the “update packages are simply validated via a hash checksum, packages are not signed in any way”.
And finally, “arbitrary extraction to the root path with elevated privilege [allowed] whoever controls the update package to overwrite anything anywhere on the device (which puts a lot of trust in a third party supplier)”.
Command injection
The command injection issue was discovered during an investigation of apply_bind.cgi, an endpoint exposed by the HTTP server funjsq_httpd.
This endpoint accepted action_mode parameters that required an authentication token generated by a weak algorithm that used a hardcoded string and the device MAC address.
The resulting token was sent to a remote FunJSQ service for validation by curl.
“We found that the curl command line is built using the funjsq_access_token parameter value, which is user controlled and unsanitized prior to creating the full command line,” revealed the researchers.
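How such a curl call can be built so that the funjsq_access_token value can never be interpreted as shell syntax, as an added C illustration from the defender's side (not NETGEAR's or FunJSQ's code): the token is allowlisted, passed as a single argv element via fork/execvp rather than system(), and sent without -k. The validation URL is a hypothetical placeholder.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#define VALIDATE_URL "https://example.invalid/validate" /* hypothetical URL */
#define MAX_TOKEN_LEN 64
/* Defence 1: allowlist ([0-9A-Za-z], bounded length) so shell metacharacters
   never reach a command line, even if some caller forgets defence 2. */
int token_is_wellformed(const char *token)
{
    size_t n = strlen(token);
    if (n == 0 || n > MAX_TOKEN_LEN)
        return 0;
    while (*token)
        if (!isalnum((unsigned char)*token++))
            return 0;
    return 1;
}
/* Defence 2: build argv (5 slots) instead of a shell string. The token is one
   argument no shell parses, and there is no "-k", so curl checks the cert. */
int build_curl_argv(const char *token, const char **argv, char *data, size_t len)
{
    if (!token_is_wellformed(token) ||
        snprintf(data, len, "funjsq_access_token=%s", token) >= (int)len)
        return -1;
    argv[0] = "curl";
    argv[1] = "--data-urlencode";
    argv[2] = data;
    argv[3] = VALIDATE_URL;
    argv[4] = NULL;
    return 4;
}
/* fork/execvp instead of system(): returns curl's exit status, or -1. */
int run_validation(const char *token)
{
    const char *argv[5];
    char data[MAX_TOKEN_LEN + 32];
    int status = 0;
    if (build_curl_argv(token, argv, data, sizeof data) < 0)
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);
    }
    return (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
               ? WEXITSTATUS(status) : -1;
}
```

A rejected token never reaches fork(), so the metacharacter check is the first line of defence and the argv vector the second; a real deployment would also pin or at least verify the server certificate, which curl does by default once -k is gone.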
Coordinated disclosure
ONEKEY reported the bug to NETGEAR on May 19, and the Silicon Valley vendor disclosed details of the flaw alongside firmware updates on September 9.
Affected router models include R6230, R6260, R7000, R8900, R9000, and XR300, while the vulnerable Orbi WiFi Systems models are RBR20, RBS20, RBR50, and RBS50.
ONEKEY said the research highlighted the supply chain threat posed by “undocumented and vulnerable software components in widely deployed embedded devices”.
The researchers urged vendors to “assure that all included third-party vendors adhere to at least the same cybersecurity standards” as their own.