CVE-2020-35802

Vulnerability

A sensitive information disclosure vulnerability exists in multiple NETGEAR devices, including CBR40, RBW30, RAX75, RAX80, RBS40V, and various Orbi WiFi system models (RBK752, RBR750, RBS750, RBK852, RBR850, RBS850, RBK842, RBR840, RBS840). The vulnerable firmware versions are: CBR40 before 2.5.0.14, RBW30 before 2.6.1.4, RAX75 and RAX80 before 1.0.3.102, Orbi models before 3.2.16.6, and RBS40V before 2.6.1.4 [1]. The exact nature of the sensitive information exposed and the vulnerable component are not disclosed in the available references.

Exploitation

Based on the official description [1], an attacker can exploit this vulnerability to access sensitive information. The required access level (e.g., network proximity, authentication status) and the specific attack vector are not detailed in the provided references. No publicly available exploit details or proof-of-concept have been disclosed.

Impact

Successful exploitation leads to the disclosure of sensitive information from the affected NETGEAR device. The specific type of information (e.g., credentials, configuration data, network details) is not specified in the references [1]. The confidentiality impact is partial, and there is no indication of integrity or availability impact.

Mitigation

NETGEAR has released fixed firmware versions for all affected products: CBR40 firmware version 2.5.0.14, RBW30 and RBS40V firmware version 2.6.1.4, RAX75 and RAX80 firmware version 1.0.3.102, and Orbi models (RBK752, RBR750, RBS750, RBK852, RBR850, RBS850, RBK842, RBR840, RBS840) firmware version 3.2.16.6 [1]. Users should download and install the latest firmware from NETGEAR Support as soon as possible. No workarounds are provided for unpatched versions.