Proof-of-concept exploits for vulnerabilities in Netgear’s Orbi 750 series router and extender satellites have been released, with one flaw a critical severity remote command execution bug.
Netgear Orbi is a popular network mesh system for home users, providing strong coverage and high throughput on up to 40 simultaneously connected devices across spaces between 5,000 and 12,500 square feet.
The flaws in Netgear’s system were discovered by the Cisco Talos team and reported to the vendor on August 30, 2022. Cisco urges users to update their firmware to the latest version, 4.6.14.3, released on January 19, 2023.
The Orbi vulnerabilities
The first and most critical (CVSS v3.1: 9.1) flaw is tracked as CVE-2022-37337 and is a remotely exploitable command execution vulnerability in the access control functionality of the Netgear Orbi router.
An attacker can exploit publicly accessible admin consoles by sending a specially-crafted HTTP request to the vulnerable router to execute arbitrary commands on the device.
The Talos team has also published the following proof of concept (PoC) exploit for the flaw:
The second problem discovered by Cisco’s analysts is CVE-2022-38452, a high-severity remote command execution vulnerability in the router’s telnet service. The flaw’s exploitation requires valid credentials and a MAC address.
This is the only one of the four flaws that Netgear’s January firmware update did not address, so it remains unfixed. However, Cisco has disclosed a PoC exploit for it too.
The third vulnerability is CVE-2022-36429, a high-severity command injection in the backend communications functionality of the Netgear Orbi Satellite, which links to the router to extend the network coverage.
An attacker can exploit this flaw by sending a sequence of specially-crafted JSON objects to the device. However, retrieving an admin token is required for the attack to work.
Finally, Cisco’s analysts discovered CVE-2022-38458, a cleartext transmission problem impacting the Remote Management functionality of the Netgear Orbi router, enabling man-in-the-middle attacks that can lead to sensitive information disclosure.
At the time of the disclosure, Cisco wasn’t aware of any cases of active exploitation of the above flaws. However, considering the availability of a PoC for CVE-2022-37337, threat actors could attempt to find misconfigured, publicly accessible routers to exploit.
The good news is that these exploits require local access, valid login credentials, or the admin console to be publicly accessible, making it much harder to exploit the vulnerabilities.
However, a quick search using Shodan found almost 10,000 Orbi devices publicly accessible from the Internet, with the majority located in the United States. If any use the default admin credentials, they could potentially be vulnerable to attackers.
While Orbi does support the automatic installation of updates, on an Orbi seen by BleepingComputer, new firmware did not automatically install, and it was running software released in August 2022.
Therefore, owners of Netgear Orbi 750 devices should manually check to see if they are running the latest version, and if not, upgrade their firmware as soon as possible.
