A security researcher has found eleven serious vulnerabilities in the latest firmware update for Netgear's Nighthawk routers. Netgear has since published an advisory for them. Among other things, the routers store usernames and passwords in plain text.
The vulnerabilities, found by researcher Jimi Sebree of security firm Tenable, are in the Nighthawk R6700v3 AC1750 (firmware version 1.0.4.120) and the Nighthawk RAX43 (firmware version 1.0.3.96). They differ in kind, but the researcher considers all of them serious, and not all of them have been patched by Netgear.
The most significant vulnerabilities are registered as CVE-2021-45077 for the R6700v3 and CVE-2021-1771 for the RAX43. The routers store the usernames and passwords for the device and for the services it offers in plain text on the router itself, and the administrator password also sits in plain text in the router's main configuration file, Sebree writes on his website.
On top of that, those usernames and passwords can be intercepted in transit. On the R6700v3 the router uses plain HTTP rather than HTTPS for all communication with its web interface. The SOAP interface on port 5000 also communicates over HTTP, so anyone who can observe the traffic on the local network or on the path to the router can read the usernames and passwords.
The SOAP interface
The router is furthermore open to command injection through a post-authentication flaw in the device's update software: triggering an update check through the SOAP interface with specially crafted values leaves the device open to takeover. The UART console is also inadequately secured, so anyone with physical access to the device can connect to the UART port and carry out operations as root without authenticating.
The router also uses hardcoded credentials for certain settings, which means a user cannot normally change certain security settings. These credentials are hidden, but according to the researchers they are easy to recover with publicly available tools, after which anyone with access to the router can change those settings. In addition, the router ships with versions of the jQuery libraries and of minidlna that have known vulnerabilities, even though newer versions are available.
Netgear Nighthawk R6700
The vulnerabilities in the R6700v3 have a CVSS score of 7.1 on a scale of 0 to 10. That is serious, but not critical. The main reason is that an attacker needs physical access to the router to exploit the UART vulnerability, and exploiting the vulnerability in the SOAP interface is only possible once the attacker is already logged in. The RAX43 vulnerabilities score 8.8 out of 10.
The RAX43 likewise uses HTTP by default, Sebree writes, and contains the same jQuery libraries and a vulnerable version of minidlna. The RAX43 firmware also carries a risk created by two bugs: the first is a buffer overflow, the second a command-injection vulnerability. Chaining the two allows someone to carry out operations remotely as root, without authentication.
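The two bug classes named for the RAX43 (a buffer overflow and a command injection) and the post-authentication command injection in the R6700v3's update handler described earlier follow a pattern that is easier to see in code. The following is an added illustration and not Netgear's firmware or Tenable's proof of concept: a hypothetical update-check handler that takes a version string from a SOAP request, shown first in the vulnerable shape (unbounded copy into a fixed buffer, then a shell command line) and then hardened (length bound, allow-list, argument vector without a shell). The buffer size, the `/bin/fwcheck` helper and its `--version` flag are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical firmware update-check handler, added as an illustration of a
 * stack buffer overflow combined with a command injection. It is NOT Netgear's
 * code; the names, sizes and the "/bin/fwcheck" helper are assumptions. */

#define CMD_BUF 64        /* assumed size of the handler's fixed stack buffer */
#define VERSION_MAX 16    /* longest legitimate version string, e.g. "1.0.4.120" */

static const char CMD_PREFIX[] = "/bin/fwcheck --version=";

/* VULNERABLE pattern: the attacker-controlled `version` (a field of the SOAP
 * request) is concatenated into a shell command line with no length bound and
 * no character filtering. `out` stands in for the handler's fixed buffer. */
void build_update_cmd_unchecked(char *out, const char *version)
{
    strcpy(out, CMD_PREFIX);   /* no bound check ...                           */
    strcat(out, version);      /* ... so an over-long value overruns the buffer */
    /* In the vulnerable design the result is handed to system(out): a value
     * such as "1.0.4; reboot" makes /bin/sh run a second command as root. */
}

/* The overflow arithmetic made explicit: bytes the unchecked builder writes
 * versus the buffer it writes into (returns 1 when it would overrun). */
int unchecked_cmd_overflows(const char *version, size_t bufsize)
{
    size_t needed = sizeof(CMD_PREFIX) - 1 + strlen(version) + 1; /* +1 NUL */
    return needed > bufsize;
}

/* HARDENED step 1: validate the untrusted field against a strict allow-list
 * (digits and dots only) and a length bound before it is used anywhere. */
int is_safe_version(const char *version)
{
    size_t len = strlen(version);
    if (len == 0 || len > VERSION_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)version[i];
        if (!isdigit(c) && c != '.')
            return 0;
    }
    return 1;
}

/* HARDENED step 2: never build a shell command line. The value becomes one
 * argv element for execve() (no /bin/sh involved), so shell metacharacters
 * are just bytes in an argument. Returns 0 on success, -1 if the input is
 * rejected, -2 if the argument does not fit in the caller's buffer. */
int build_update_argv(const char *version, char *argbuf, size_t argbuflen,
                      const char *argv[3])
{
    if (!is_safe_version(version))
        return -1;
    int n = snprintf(argbuf, argbuflen, "--version=%s", version);
    if (n < 0 || (size_t)n >= argbuflen)
        return -2;                 /* truncated: refuse instead of guessing */
    argv[0] = "/bin/fwcheck";
    argv[1] = argbuf;
    argv[2] = NULL;                /* argv is ready for execve (with the cast it needs) */
    return 0;
}

int main(void)
{
    const char *payload = "1.0.4; reboot";   /* constructed malicious field */
    char cmd[256];                           /* large enough for the demo only */
    build_update_cmd_unchecked(cmd, payload);
    printf("unchecked command line: %s\n", cmd);

    char argbuf[32];
    const char *argv[3];
    int rc = build_update_argv(payload, argbuf, sizeof argbuf, argv);
    printf("hardened builder on payload: %d (rejected)\n", rc);
    rc = build_update_argv("1.0.4.120", argbuf, sizeof argbuf, argv);
    printf("hardened builder on 1.0.4.120: %d -> %s %s\n", rc, argv[0], argv[1]);
    return 0;
}
```

The two defences are independent: the argv form stays safe even if a metacharacter ever slipped past the allow-list, and the allow-list still stops a malformed or over-long value from reaching a helper that trusts its own input.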
Netgear Nighthawk RAX43
Sebree writes that Tenable notified Netgear of the vulnerabilities on September 30. Although Netgear initially responded to the report in early October, it took a long time before anything was done. On December 29 Netgear posted an advisory about the vulnerabilities online, and firmware updates for both routers are now available. Sebree decided on December 30 to publish the vulnerabilities under responsible disclosure, even though Netgear had not yet actively pushed the firmware update to users.
The Nighthawk R6700 is a line of routers aimed primarily at home use. It is listed in the Pricewatch as the AC1750 Smart WiFi Router and has been available since July 31, 2019; the vulnerabilities concern the third version of the router. The RAX43 has been available since December 30, 2020.