Executive Summary
| Summary | |
|---|---|
| Title | New Netcomm router models NF20MESH, NF20, and NL1902 vulnerabilities |
| Informations | |||
|---|---|---|---|
| Name | VU#986018 | First vendor Publication | 2023-01-17 |
| Vendor | VU-CERT | Last vendor Modification | 2023-01-17 |
| Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
| Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | |||
|---|---|---|---|
| Overall CVSS Score | 9.8 | ||
| Base Score | 9.8 | Environmental Score | 9.8 |
| impact SubScore | 5.9 | Temporal Score | 9.8 |
| Exploitabality Sub Score | 3.9 | ||
| Attack Vector | Network | Attack Complexity | Low |
| Privileges Required | None | User Interaction | None |
| Scope | Unchanged | Confidentiality Impact | High |
| Integrity Impact | High | Availability Impact | High |
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : | |||
|---|---|---|---|
| Cvss Base Score | N/A | Attack Range | N/A |
| Cvss Impact Score | N/A | Attack Complexity | N/A |
| Cvss Expoit Score | N/A | Authentication | N/A |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
OverviewNetcomm router models NF20MESH, NF20, and NL1902 running software versions earlier than R6B035 contain two vulnerabilities. The first is an authentication bypass vulnerability that allows an unauthenticated user to access content from both inside and outside the network. The second is a stack-based buffer overflow that allows an instruction pointer to be overwritten on the stack, thereby crashing the application at a known location. The two vulnerabilities, when chained together, permit a remote, unauthenticated attacker to execute arbitrary code. DescriptionNetcomm router models NF20MESH, NF20, and NL1902 running software versions earlier than R6B035 may contain two vulnerabilities: CVE-2022-4873 A stack based buffer overflow affects the sessionKey parameter. By providing a specific number of bytes, the instruction pointer is able to be overwritten on the stack and crashes the application at a known location. CVE-2022-4874 Authentication bypass allows an unauthenticated user to access content. In order to serve static content, the application performs a check for the existence of specific characters in the URL (.css, .png etc). If it exists, it performs a "fake login" to give the request an active session to load the file and not redirect to the login page. The tested models that were impacted are Netcomm routers using a Broadcom chipset that had third-party code added by Shenzhen Gongjin Electronics. The third-party code introduced the vulnerabilities. These routers are deployed by residential internet service providers. ImpactThe two vulnerabilities, when chained together, permit a remote, unauthenticated attacker to execute arbitrary code. The attacker can first gain unauthorized access to affected devices, and then use those entry points to gain access to other networks or compromise the availability, integrity, or confidentiality of data being transmitted from the internal network. The reporter has produced a github PoC that shows how to combine both vulnerabilities to achieve unauthenticated remote code execution. SolutionUpdate the router firmware to version R6B035 from the vendor website at https://support.netcommwireless.com/products/NF20#Firmware. AcknowledgementsThanks to the reporter Brendan Scarvell for reporting this vulnerability. This document was written by Timur Snoke. |
Original Source
| Url : https://kb.cert.org/vuls/id/986018 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 50 % | CWE-787 | Out-of-bounds Write (CWE/SANS Top 25) |
| 50 % | CWE-287 | Improper Authentication |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Os | 1 | |
| Os | 1 | |
| Os | 1 |
Alert History
| Date | Informations |
|---|---|
| 2023-01-19 21:35:33 |
|
| 2023-01-17 21:21:45 |
|
