[German]Netgear has released a last-minute patch to close a vulnerability in the firmware of the Nighthawk WiFi6 router (RAX30 AX2400) on December 1, 2022. A misconfiguration allowed attackers in router firmware prior to version V1.0.9.90 to communicate with these devices from the Internet as if they were on the consumer's local network. In addition, the firmware's auto-update function seems to be broken. Security provider Tenable has now published details about this.
Advertising
Tenable intended to use a vulnerability in Netgear routers on the Pwn2Own competition (December 6-8, 2022 in Toronto). But there was a last-minute patch from Netgear to close a vulnerability in the firmware of the Nighthawk WiFi6 router (RAX30 AX2400) on December 1, 2022. According to the manufacturer, the hotfix in the form of Netgear's RAX30 Firmware Version 1.0.9.90 addresses an unspecified vulnerability.
Tenable wrote that they actually wanted to exploit the vulnerability in a demo at the Pwn2Own contest. The fix released by Netgear effectively one day before the Pwn2Own registration deadline rendered their exploit ineffective. The security researchers have now published the details of the vulnerability, especially since the firmware's auto-update feature seems to be broken, as Tenable writes.
Misconfiguration in router firmware
The Tenable security researchers write that it is not known exactly what all Netgear patched with the hotfix. But the vulnerabilities in its own exploit chain have been closed. In firmware versions prior to version V1.0.9.90, attackers on Nighthawk WiFi6 routers (RAX30 AX2400) were able to have unrestricted communication with all services listening over IPv6 on the device's WAN port (facing the Internet) due to a network misconfiguration. For example, these services SSH and Telnet operate on ports 22 and 23, respectively.
Without the patch, an attacker could interact with these services through the WAN port. Combined with other known and unknown flaws, attackers could gain full remote access rights to the routers and expose all other devices on a consumer's network. After the patch, security researchers found that the appropriate ip6tables rules were applied to prevent access. Also, IPv6 is now disabled by default on newly configured devices.
Advertising
Auto-update seems broken
NETGEAR has issued a patch via its auto-update feature. However, security researchers at Tenable write that as of the writing of this article, the device's auto-update feature does not seem to recognize that updates are available beyond firmware version V1.0.6.74. Those users who rely on the automatic update or "check for updates" mechanisms on these devices will likely not receive the hotfix and the devices will remain vulnerable to this issue. The only solution is to install the patch manually.
