CVE-2022-27643

Vulnerability

The vulnerability is a buffer overflow in the handling of SOAP requests in the upnpd process of NETGEAR R6700v3 routers running firmware version 1.0.4.120_10.0.91. When parsing the SOAPAction header, the process does not properly validate the length of user-supplied data prior to copying it to a buffer. Authentication is not required. This issue affects multiple NETGEAR product models as listed in the advisory [1], with the R6700v3 being one of them.

Exploitation

An attacker needs to be network-adjacent (i.e., on the same WiFi network or connected via Ethernet) and can send a crafted SOAP request with an overly long SOAPAction header. No authentication or user interaction is required. The stack-based buffer overflow can be triggered by sending a malicious packet to the router's UPnP service (typically on port 5000).

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the root user, leading to full compromise of the device. This can result in disclosure of sensitive information, modification of router settings, denial of service, or use of the router in botnet operations.

Mitigation

NETGEAR has released firmware version 1.0.4.126 for the R6700v3 to fix this vulnerability [1]. Users should update to the latest firmware as soon as possible. The vulnerability was also disclosed by Zero Day Initiative as ZDI-22-519 and demonstrated at Pwn2Own 2022 [2]. No public exploit code is known, but the attack surface is significant due to the pre-authentication nature.