GEC NEWS WIRETenable has disclosed details of a network misconfiguration, identified by its ZeroDay Research Team, present in NETGEAR Nighthawk WiFi6 Router RAX30 AX2400 prior to V1.0.9.90. The flaw inadvertently allowed unrestricted communication with any services listening via IPv6 on the WAN (internet facing) port of the device. This misconfiguration allows arbitrary access to any services running on the device and could potentially allow attackers to communicate with these devices from the internet as if they were on the consumer’s local network.
NETGEAR has issued a patch via its auto-update feature. However Tenable’s researcher found — at time of writing — that the device’s auto-update feature does not appear to recognise that updates are available beyond V1.0.6.74. Those consumers relying on the auto-update or “Check for Updates” mechanisms of these devices will remain vulnerable to this issue unless they manually apply the patch.
NETGEAR Router Network Misconfiguration
Last Minute Patch Thwarts Pwn2Own Entries
Entering Pwn2Own is a daunting endeavor. The targets selected are often popular, already picked over devices with their inclusion in the event only increasing the amount of security researcher eyes pouring over them. Not only that, but it’s not uncommon for vendors to release last minute patches for the included targets in an effort to thwart researcher findings. This year alone we see that both TP-Link and NETGEAR have released last minute updates to devices included in the event.
Unfortunately, we fell victim to this with regards to a planned submission for the NETGEAR Nighthawk WiFi6 Router (RAX30 AX2400). The patch released by NETGEAR the day before the registration deadline dealt a deathblow to our exploit chain and unfortunately invalidated our submission. A few posts on Twitter appear to indicate that other contestants were also affected by this last minute patch.
That said, since the patch is publicly available, let’s talk about what changed!
While we aren’t aware of everything patched or changed in this update, we do know which flaw prevented our full exploit chain from working properly. Basically, a network misconfiguration present in versions prior to V1.0.9.90 of the firmware inadvertently allowed unrestricted communication with any services listening via IPv6 on the WAN (internet facing) port of the device. For example, SSH and Telnet are operating on ports 22 and 23 respectively.
Prior to the patch, an attacker could interact with these services from the WAN port. After patching, however, we can see that the appropriate ip6tables rules have been applied to prevent access. Additionally, IPv6 now appears disabled by default on newly configured devices.
We’d also like to point out that – at the time of this writing – the device’s auto-update feature does not appear to recognize that updates are available beyond V1.0.6.74. Any consumers relying on the auto-update or “Check for Updates” mechanisms of these devices are likely to remain vulnerable to this issue and any other issues teased over the coming days of Pwn2Own Toronto 2022.
