A security researcher has found a total of 11 serious vulnerabilities in recent firmware updates for Netgear Nighthawk routers. The vulnerabilities were introduced by Netgear itself. For example, the routers store usernames and passwords in cleartext.
The vulnerabilities were found by researcher Jimi Sebree of security company Tenable in the Nighthawk R6700v3 AC1750 running firmware version 1.0.4.120 and in the Nighthawk RAX43 running firmware version 1.0.3.96. The vulnerabilities vary in nature, but according to the researcher all of them are serious, and moreover not all of them have been patched by Netgear.
The most important vulnerability is registered as CVE-2021-45077 for the R6700 and as CVE-2021-1771 for the RAX43. The routers store the usernames and passwords for the device and for the services it offers in cleartext on the router itself, and the admin password is written in cleartext in the router's main configuration file, Sebree writes on his website.
On top of that, there is a risk that usernames and passwords can be intercepted. On the R6700v3 this is because the router uses plain HTTP by default, rather than HTTPS, for all communication with the web interface. The SOAP interface on port 5000 likewise uses HTTP, which allows passwords and usernames to be intercepted.
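The cleartext-transport problem described above is something a defender can check for on their own network. The script below is an added example, not code from the article, from Tenable or from Netgear: it applies one simple rule to a few constructed sample HTTP requests and reports any request that carries an HTTP Basic Authorization header or a password field over plain HTTP, whatever the port (including a SOAP call on port 5000). The host 192.168.1.1, the paths, the header values and the SOAP element names are assumptions made up for the example.

```python
import base64
import re

# Constructed sample captures (not real router traffic): (scheme, port, raw request).
# Host, paths, header values and SOAP element names are assumptions for this example;
# "YWRtaW46cGFzc3dvcmQx" is base64 of the made-up pair "admin:password1".
SAMPLE_REQUESTS = [
    ("http", 80,
     "GET /start.htm HTTP/1.1\r\nHost: 192.168.1.1\r\n"
     "Authorization: Basic YWRtaW46cGFzc3dvcmQx\r\n\r\n"),
    ("https", 443,
     "GET /start.htm HTTP/1.1\r\nHost: 192.168.1.1\r\n"
     "Authorization: Basic YWRtaW46cGFzc3dvcmQx\r\n\r\n"),
    ("http", 5000,
     "POST /soap/ HTTP/1.1\r\nHost: 192.168.1.1:5000\r\n"
     "Content-Type: text/xml\r\n\r\n"
     "<Envelope><Body><Login><Username>admin</Username>"
     "<Password>password1</Password></Login></Body></Envelope>"),
    ("http", 80,
     "GET /index.htm HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"),
]

# Credential material that an on-path observer could read when the transport is plain HTTP.
BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I | re.M)
FORM_RE = re.compile(r"(?:^|&)(?:password|passwd|pwd)=", re.I)
XML_RE = re.compile(r"<(?:password|passwd)>", re.I)


def find_cleartext_credentials(scheme, port, raw):
    """Return a finding string if the request carries credentials over plain HTTP,
    or None when the transport is TLS or no credential material is present."""
    if scheme.lower() != "http":
        return None  # TLS hides headers and body from an on-path eavesdropper
    head, _, body = raw.partition("\r\n\r\n")
    m = BASIC_RE.search(head)
    if m:
        try:
            user = base64.b64decode(m.group(1)).decode("utf-8", "replace").split(":", 1)[0]
        except ValueError:  # binascii.Error is a ValueError subclass
            user = "<undecodable>"
        # Report the username only; the password itself never goes into a finding.
        return f"HTTP Basic credentials for user '{user}' sent in cleartext on port {port}"
    if FORM_RE.search(body) or XML_RE.search(body):
        return f"password field sent in cleartext on port {port}"
    return None


def scan(requests):
    """Apply the rule to a list of (scheme, port, raw) tuples and return all findings."""
    return [f for f in (find_cleartext_credentials(*r) for r in requests) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Run against the constructed samples, the scan reports the Basic-auth login on port 80 and the SOAP login on port 5000, and stays silent on the same login over HTTPS. The same rule can be applied to requests reconstructed from a packet capture of the LAN; a hit means the fix belongs in the router's configuration or firmware (HTTPS-only management and the vendor update), not in the client.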
SOAP interface
Furthermore, the router is vulnerable to command injection, through a post-authentication command injection flaw in the device's update software. Performing an update check via the SOAP interface leaves the device open to takeover using predetermined values. The UART console is also insufficiently protected, allowing anyone with physical access to the device to connect to the UART port and perform operations as the root user without authentication.
The router also uses hard-coded values for certain settings, so that the user normally cannot change certain security settings. These values are hidden, but according to the researchers they are fairly easy to recover with publicly available tools, which then allow the settings to be modified by anyone with access to the router. In addition, the router ships with several known vulnerabilities in the jQuery and minidlna.exe libraries, even though newer versions are available.
Netgear Nighthawk R6700
The vulnerabilities in the R6700 have a CVSS score of 7.1 on a scale of 1 to 10. That is serious, but not critical. The main reason is that an attacker needs physical access to the router in order to exploit the vulnerabilities. In addition, abusing the vulnerabilities in the SOAP interface is only possible once the attacker is already logged in. The RAX43 vulnerabilities have a score of 8.8 out of 10.
The RAX43 also uses HTTP by default, Sebree writes, and it uses the same vulnerable jQuery libraries and a vulnerable version of minidlna.exe. Moreover, the RAX43 firmware contains a vulnerability made up of two bugs. The first is a buffer overrun, the second a command injection. Chaining the two allows someone to perform actions remotely as root, without authentication.
Netgear Nighthawk RAX43
Sebree writes that Tenable notified Netgear of the vulnerabilities on September 30. Although Netgear initially responded to the vulnerability report in early October, it took a long time before anything was done about it. On December 29, Netgear published an advisory for the vulnerabilities online. Firmware updates for both routers have now also been published. Sebree decided on December 30 to disclose the vulnerabilities as part of responsible disclosure, even though Netgear had not yet pushed the firmware updates to users.
The Nighthawk R6700 is a series of routers aimed mainly at home use. It is listed on Pricewatch as the AC1750 Smart WiFi Router and has been available since July 31, 2019. The vulnerabilities are in the third revision of the router. The RAX43 has been available since December 30, 2020.