A security researcher has found eleven serious vulnerabilities in recent firmware versions of Netgear's Nighthawk routers. Netgear has fixed the vulnerabilities. Among other things, the routers store usernames and passwords in plaintext.
The vulnerabilities, found by researcher Jimi Sebree of security firm Tenable, are present in the Nighthawk R6700v3 AC1750 with firmware version 1.0.4.120 and in the Nighthawk RAX43 with firmware version 1.0.3.96. The vulnerabilities vary, but according to the researcher none of them is critical, and not all of them have been fixed by Netgear.
The most serious vulnerability is registered as CVE-2021-45077 for the RS6700 and CVE-2021-1771 for the RAX43. The routers store the device's usernames and passwords and hand them to services on the router in plaintext; in addition, the admin password is stored in plaintext in the router's main configuration file, Sebree writes on his site.
On top of that, there is a risk that usernames and passwords are intercepted. On the RS6700v3 this is because the router uses HTTP by default, rather than HTTPS, for all communication with the web interface. The SOAP interface on port 5000 also communicates over HTTP, which allows passwords and usernames to be intercepted.
SOAP interface
The routers are also vulnerable to a post-authentication command injection bug in the device's update software. Triggering an update check through the SOAP interface leaves the device open to takeover via specially prepared data. Furthermore, the UART console is insufficiently secured, which allows anyone with physical access to the device via the UART port to connect and run commands as root without authenticating.
In addition, the router uses hardcoded credentials for certain settings, so that a user cannot change some security settings. These credentials are hidden, but according to the researchers they are easy to find with publicly available tools, which lets anyone with access to the router change those settings. The router also uses several versions of the jQuery library and of minidlna.exe with known vulnerabilities, even though newer versions are available.
Netgear Nighthawk R6700
The vulnerabilities in the RS6700 have a CVSS score of 7.1 on a scale of 1 to 10. They are serious, but not critical. The main reason is that an attacker needs access to the router in order to exploit the vulnerabilities. Moreover, exploiting the vulnerabilities in the SOAP interface is only possible if the attacker is already logged in. The RAX43 vulnerabilities score 8.8 out of 10.
The RAX43 also uses HTTP by default, Sebree writes, and likewise uses vulnerable jQuery libraries and an insecure version of minidlna.exe. In addition, the RAX43 firmware is vulnerable because of two bugs. The first is a buffer overrun vulnerability, the second a command injection vulnerability. Combined, the two allow someone to remotely execute commands as root, without authentication.
Netgear Nighthawk RAX43
Sebree writes that Tenable informed Netgear of the vulnerabilities on September 30. Although Netgear initially responded to the vulnerability report in early October, it took a long time before anything happened. On December 29, Netgear published an advisory about the vulnerabilities online. Firmware updates for both routers have now also been put online. On December 30, Sebree decided to disclose the vulnerabilities under responsible disclosure, even though Netgear had not yet pushed the firmware updates to users.
The Nighthawk RS6700 is one of several routers intended for home use. It is listed in Pricewatch as the AC1750 Smart WiFi Router and has been available since July 31, 2019. It is the third version of the router. The RAX43 has been available since December 30, 2020.