CVE-2022-48176
Description
Netgear routers R7000P before v1.3.3.154, R6900P before v1.3.3.154, R7960P before v1.4.4.94, and R8000P before v1.4.4.94 were discovered to contain a pre-authentication stack overflow.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Netgear routers R6900P, R7000P, R7960P, and R8000P contain a pre-authentication stack overflow in the aws_json daemon that allows remote code execution as root.
Vulnerability
The vulnerability is a pre-authentication stack overflow in the aws_json daemon, which runs as root on affected Netgear routers. The daemon fetches JSON data from the domain devicelocation.ngxcld.com over HTTPS upon startup. By placing malicious JSON content on a webserver and redirecting the router to download it (via DNS or TCP redirection), a buffer overflow can be triggered during parsing [1]. The vulnerability affects R6900P and R7000P before firmware version 1.3.3.154, and R7960P and R8000P before firmware version 1.4.4.94 [3].
Exploitation
An unauthenticated attacker on the WAN side can exploit this vulnerability without any credentials. The attacker must control a webserver and redirect the router's HTTP request to that server, either through DNS spoofing or TCP redirection. Once the router downloads the crafted JSON payload, the stack overflow occurs in the aws_json binary, enabling arbitrary code execution [1]. Per the vendor advisory, exploitation requires the attacker to have the WiFi password or an Ethernet connection to the router, but the initial researcher disclosure indicates WAN-side exploitation is possible [1][3].
Impact
Successful exploitation grants an attacker full root privileges on the router. This allows complete compromise of the device, including the ability to intercept traffic, modify network settings, install malware, or pivot to other internal devices. The impact is pre-authentication remote code execution, affecting confidentiality, integrity, and availability of the device and potentially the network it serves [1].
Mitigation
Netgear has released fixed firmware versions for all affected models: R6900P and R7000P updated to version 1.3.3.154, and R7960P and R8000P updated to version 1.4.4.94 [3]. Users should download and install the latest firmware from the Netgear Support site immediately. No workarounds are available [3]. The fix was integrated by the vendor on November 1, 2022 [1].
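An added example, not part of the advisory or any Netgear tooling: a firmware inventory check against the fixed versions listed above, comparing versions numerically rather than as strings. The inventory rows, host names, and the `V<version>_<suffix>` firmware string form are constructed assumptions.

```python
import re

# Fixed firmware versions per model, as stated in the text above.
FIXED = {
    "R6900P": (1, 3, 3, 154),
    "R7000P": (1, 3, 3, 154),
    "R7960P": (1, 4, 4, 94),
    "R8000P": (1, 4, 4, 94),
}

def parse_version(raw):
    """Return the leading four-part version as a tuple of ints, or None.

    Accepts an optional 'V' prefix and ignores any trailing suffix
    (assumed form, e.g. 'V1.3.3.148_10.1.84').
    """
    m = re.match(r"\s*[Vv]?(\d+)\.(\d+)\.(\d+)\.(\d+)", raw)
    return tuple(int(g) for g in m.groups()) if m else None

def assess(model, firmware):
    """Classify one device against the fixed version for its model."""
    fixed = FIXED.get(model.strip().upper())
    if fixed is None:
        return "not-listed"        # model is not named in this CVE
    version = parse_version(firmware)
    if version is None:
        return "unknown-version"   # needs manual review, not a pass
    # Tuple comparison is numeric per field: 99 < 154, unlike "99" > "154".
    return "vulnerable" if version < fixed else "patched"

def audit(inventory):
    """Return (host, model, firmware, status) for every inventory row."""
    return [(h, m, fw, assess(m, fw)) for h, m, fw in inventory]

# Constructed sample inventory: (host, model, reported firmware string).
INVENTORY = [
    ("gw-branch-01", "R7000P", "V1.3.3.148_10.1.84"),
    ("gw-branch-02", "R6900P", "1.3.3.99"),
    ("gw-lab-01", "r8000p", "V1.4.4.94_10.1.75"),
    ("gw-lab-02", "R7960P", "not reported"),
    ("gw-home-01", "R7000", "1.0.11.136"),
]

if __name__ == "__main__":
    for host, model, fw, status in audit(INVENTORY):
        print(f"{host:14} {model:7} {fw:22} {status}")
```
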
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Netgear/routers