Claroty reveals five vulnerabilities in NETGEAR RAX30 routers
Claroty's research arm, Team82, has disclosed five vulnerabilities in NETGEAR's RAX30 routers that it discovered for the Pwn2Own Toronto hacking competition. Pwn2Own Toronto's categories covered smart small office and home office devices, such as routers, network-attached storage, home automation hubs, smart speakers, and mobile phones.
Three of the vulnerabilities are rated high severity and enable remote code execution, command injection, or authentication bypass. Successful exploitation could allow attackers to monitor users' internet activity, hijack internet connections, redirect traffic to malicious websites, or inject malware into network traffic.
Team82 developed an exploit chain that uses all five vulnerabilities to compromise affected versions of the NETGEAR router while bypassing binary protection mechanisms such as stack canaries.
“When conducting research for a Pwn2Own competition, it is not uncommon to discover multiple vulnerabilities in the targeted device or software. In fact, right at the beginning of our research, we identified several vulnerabilities that were trivially exploitable. However, since the competition reduces points for duplicate issues, we knew that simply reporting these vulnerabilities would not be enough. Instead, we decided to dig deeper and uncover more complex and novel vulnerabilities that would provide us with a competitive advantage. It didn’t take long before we found an easy-to-find but difficult-to-exploit vulnerability in the soap_serverd process running on port 5000. This process handles SOAP messages related to management functionality, mostly in the LAN,” notes Team82.
“This looked like a good candidate to exploit, since we assumed most teams would go for the easy wins. The vulnerability we found was a stack-based buffer overflow. This class of vulnerabilities is usually trivial to exploit when there are no stack protections. However, it turned out that a few versions back, Netgear decided to recompile all the binaries in the RAX30 router with stack canaries, making exploitation much harder.”
“Eventually we had to find and exploit five vulnerabilities in a cool chain that earned us five points in the Pwn2Own competition, where Team82 had success in a number of categories in addition to targeting routers. This exploit chain can be leveraged by an attacker to gain pre-authentication remote code execution on affected devices.”
Beyond monitoring users' internet activity, hijacking connections, redirecting traffic to malicious websites, and injecting malware into network traffic, Team82's report says an attacker could also use these vulnerabilities to access and control networked smart devices (security cameras, thermostats, smart locks), change router settings, including credentials or DNS settings, or use a compromised network to launch attacks against other devices or networks. "Users are urged to upgrade their RAX30 routers to address these vulnerabilities."
“Claroty secures cyber-physical systems across industrial, healthcare, and commercial environments: the Extended Internet of Things (XIoT). The company’s unified platform integrates with customers’ existing infrastructure to provide a full range of controls for visibility, risk and vulnerability management, threat detection, and secure remote access,” says a company spokesperson.