A security researcher has found a large number of serious vulnerabilities in recent firmware versions of Netgear Nighthawk routers. The vulnerabilities have been fixed by Netgear. Among other things, the routers store usernames and passwords in plaintext.
The vulnerabilities were discovered by researcher Jimi Sebree of the security company Tenable in the Nighthawk R6700v3 AC1750, firmware version 1.0.4.120, and in the Nighthawk RAX43, firmware version 1.0.3.96. The vulnerabilities differ, but according to the researcher all of them are serious to critical, and not all of them have been patched by Netgear.
The most notable vulnerabilities have been registered as CVE-2021-45077 for the R6700 and CVE-2021-1771 for the RAX43. The routers store the usernames and passwords of the device and of the services it provides in plaintext on the routers; the admin password is also stored in the router's initial configuration file, Sebree writes on his website.
On top of that, there is a risk that those usernames and passwords are intercepted. In the R6700v3 this is because the routers use HTTP, instead of HTTPS, for all communication with the web interface. The SOAP interface, on port 5000, also uses HTTP for its communication, which allows passwords and usernames to be intercepted.
SOAP interface
Furthermore, the router is vulnerable to command injection through a post-authentication command injection bug in the device's software update function. Triggering an update check via the SOAP interface leaves the device vulnerable to takeover through preconfigured values. In addition, the UART console is insufficiently protected, which allows anyone with physical access to the device via the UART port to connect and perform actions as the root user without authentication.
The router also uses hard-coded credentials for certain settings, so that the user cannot change certain security settings. These credentials are obfuscated, but according to the researchers they are easy to recover with publicly available tools, which allows the settings to be changed by anyone with access to the router. Moreover, the router ships jQuery libraries and a minidlna.exe with several known vulnerabilities, even though newer versions are available.
Netgear Nighthawk R6700
The vulnerabilities in the R6700 have a CVSS score of 7.1 on a scale of 1 to 10. That is serious, but not critical. The main reason is that an attacker needs physical access to the router to exploit the weakness. Moreover, exploiting the vulnerabilities in the SOAP interface is only possible if the attacker has already logged in. The RAX43 vulnerabilities score 8.8 out of ten.
The RAX43 also uses HTTP by default, Sebree writes, and it uses the same vulnerable jQuery libraries and a vulnerable version of minidlna.exe. In addition, the RAX43 firmware contains a vulnerability caused by two bugs. The first is a buffer overrun vulnerability, the second a command injection vulnerability. Combining the two allows someone to perform actions remotely as root, without authentication.
Netgear Nighthawk RAX43
Sebree writes that Tenable informed Netgear of the vulnerabilities on September 30. Although Netgear initially responded to the vulnerability report in early October, it took a long time before anything was done about it. On December 29, Netgear put a security advisory online. Firmware updates for both routers have now also been put online. Sebree decided on December 30 to publish the vulnerabilities under the public disclosure policy, even though Netgear has not yet pushed the firmware updates to users.
The Nighthawk R6700 series of routers is aimed mainly at home use. It is listed as the AC1750 Smart WiFi Router in the Pricewatch and has been available since July 31, 2019, as the third version of the router. The RAX43 has been available since December 30, 2020.