Industrial and IoT cybersecurity firm Claroty has disclosed details about five vulnerabilities that can be chained together in an exploit, enabling threat actors to hack certain Netgear routers without needing authentication. These vulnerabilities were initially presented at the 2022 Pwn2Own Toronto hacking competition, where white hat hackers earned close to $1 million for their exploits, targeting devices such as smartphones, printers, NAS devices, smart speakers, and routers. Claroty's router exploit focused on Netgear's Nighthawk RAX30 SOHO router, earning the researchers $2,500 at the event. The vulnerabilities utilized in the exploit chain are identified as CVE-2023-27357, CVE-2023-27367, CVE-2023-27368, CVE-2023-27369, and CVE-2023-27370. Netgear released firmware version 220.127.116.11 in early April, which patched all the identified flaws.
Three of the vulnerabilities are classified as 'high severity,' and their exploitation can lead to remote code execution, authentication bypass, and command injection. When all these flaws are chained together, the impact can be significant. Claroty warned that, "Successful exploits could allow attackers to monitor users’ internet activity, hijack internet connections and redirect traffic to malicious websites, or inject malware into network traffic." Furthermore, an attacker could leverage these vulnerabilities to access and control networked smart devices such as security cameras, thermostats, and smart locks, as well as alter router settings, including credentials or DNS settings. A compromised network could also be used to launch attacks against other devices or networks.
One mitigating factor is that the execution of the exploit requires access to the LAN; it is not a WAN attack that can be executed from the internet. This is why the exploit earned a smaller reward at Pwn2Own. Netgear explained in its advisory that, "These vulnerabilities require an attacker to have your WiFi password or an Ethernet connection to your network to be exploited."