Cisco kindly reveals proof of concept attacks for flaws in rival Netgear's kit

Maybe this is deserved given the problem's in a hidden telnet service


Public proof-of-concept exploits have landed for bugs in Netgear Orbi routers – including one critical command execution vulnerability. 

The four vulnerabilities are found in Netgear's Orbi mesh wireless system, including its main router and the satellite routers that extend Wi-Fi networks. Cisco Talos researchers disclosed these bugs to Netgear on August 30, 2022. Since the 90-day countdown has run its course on Cisco's vulnerability disclosure policy, the networking giant has publicly detailed the security flaws and posted proofs of concept (PoC) for three of them.

The good news: three of the four vulnerabilities have been patched. 

The bad news: Netgear is still working on a fix for the fourth bug, for which Cisco has helpfully provided a PoC exploit. As such, miscreants are probably scanning for exposed, vulnerable routers to attack. Thanks, Cisco!

More good news, actually: exploiting it will require some work – and credentials.

Talos's Dave McDaniel discovered this unpatched vulnerability – tracked as CVE-2022-38452 – in the main Orbi router RBR750 4.6.8.5, and says it's due to a flaw in the hidden telnet service functionality. An attacker in possession of a username, password and media access control address of the device's br-lan interface can send a specially crafted network request to exploit this bug, which leads to arbitrary command execution.

At press time, Netgear had not responded to The Register's inquiries about when it will issue a fix, or if the bug has been found and exploited in the wild.

The most serious flaw of the bunch – CVE-2022-37337, for which a patch is available – is a 9.1-rated critical vulnerability in the access control functionality of the Orbi router RBR750 4.6.8.5. A remote, authenticated attacker could exploit this flaw by sending a specially crafted HTTP request to the router and then execute arbitrary commands on the device.

Luckily it only works if the user is authenticated, "meaning they'd need to access an unprotected network, or the login credentials of a password-protected network, for this attack to be successful," Talos's Jonathan Munshaw noted in a blog post.

CVE-2022-36429, which affects the Orbi satellite router RBS750 4.6.8.5, can also lead to arbitrary command execution. It's due to a flaw in the ubus backend communications functionality, which allows the main router and satellite devices to communicate with each other. 

An attacker with access to the web GUI password – or default password if the user never changed it – could log into a hidden telnet service, send a specially crafted JSON object and then execute arbitrary commands on the device. Luckily there's a patch.

Finally, CVE-2022-38458, a cleartext transmission vulnerability in the main Orbi router RBR750 4.6.8.5, can allow a miscreant to carry out a man-in-the-middle attack, which can lead to sensitive information disclosure. Netgear has issued a patch, and Cisco Talos did not publish a PoC for this one. ®
