CVE-2019-20643
Description
NETGEAR RAX40 devices before 1.0.3.64 are affected by disclosure of sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A sensitive information disclosure flaw in NETGEAR RAX40 routers before firmware 1.0.3.64, whose details have not been disclosed, leaks data to an unauthenticated remote attacker.
Vulnerability
CVE-2019-20643 is a sensitive information disclosure vulnerability affecting NETGEAR RAX40 routers running firmware versions prior to 1.0.3.64 [1]. The root cause is not publicly detailed in the advisory, but the attack vector is network-based, requires no authentication, yet has high attack complexity according to the CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H) [1].
Exploitation
An unauthenticated attacker with network access to the affected RAX40 device can exploit this vulnerability remotely. The CVSS vector indicates the attack complexity is high, suggesting the attacker must meet specific conditions or timing to trigger the code path that discloses sensitive information [1]. The advisory does not provide a concrete sequence of steps.
Impact
Successful exploitation results in the disclosure of sensitive information from the device. The CVSS impact metrics indicate high confidentiality impact, low integrity impact, and high availability impact, suggesting the attacker may obtain sensitive data, potentially modify some information, and affect device availability [1]. The privilege level is not specified, but the attack does not require authentication.
Mitigation
NETGEAR released firmware version 1.0.3.64 to fix this vulnerability on the RAX40 [1]. Users must download and install the latest firmware from NETGEAR Support to mitigate the flaw [1]. No workaround is provided if the device cannot be updated. The advisory does not mention an EOL status or KEV listing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- NETGEAR/RAX40
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.