VYPR
Unrated severity · NVD Advisory · Published Jun 20, 2023 · Updated Dec 9, 2024

CVE-2023-34563

Description

Netgear R6250 firmware version 1.0.4.48 is vulnerable to a buffer overflow after authentication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stack buffer overflow in Netgear R6250 firmware 1.0.4.48 allows authenticated attackers to crash httpd or potentially execute arbitrary code.

Vulnerability

A stack buffer overflow vulnerability exists in the httpd binary of Netgear R6250 firmware version 1.0.4.48. The flaw resides in the function FUN_000342c8, which is called by openvpn_mk_tar (symbol FUN_00034cb4). The function retrieves the ddns_netgear_hostname value from nvram and copies it into a stack buffer acStack_220 of only 512 bytes without any length check, leading to a buffer overflow [2]. The vulnerable code path is triggered when a user requests the OPENVPN.htm page, which invokes the function via the <%754%> syntax [2].

Exploitation

An attacker must first authenticate to the router's web interface. After obtaining valid credentials, they can send a crafted HTTP request to the OPENVPN.htm page with an overly long ddns_netgear_hostname value. The provided proof-of-concept (PoC) demonstrates that this overwrites the PC register and causes the httpd service to crash [2]. No additional user interaction is required beyond the initial authentication.

Impact

Successful exploitation results in a stack buffer overflow, leading to denial of service (crash of the httpd process). The PoC shows control of the program counter, indicating potential for arbitrary code execution within the context of the httpd service, which runs with elevated privileges on the router [2]. An attacker could leverage this to gain persistent access or further compromise the device.

Mitigation

As of the available references, no official patch or firmware update has been released by Netgear for this vulnerability. The vendor's security page [1] outlines a vulnerability reporting process but does not list a fix for CVE-2023-34563. The analysis [2] recommends adding a size check before copying ddns_netgear_hostname into the stack buffer. Users should monitor Netgear's security advisories for a future update and consider restricting administrative access to trusted networks only.
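The size check recommended above, shown next to the unchecked pattern. This is an added example, not Netgear's code and not code from the referenced analysis; `nvram_get_stub`, `nvram_set_stub` and both `copy_hostname_*` functions are hypothetical names, and the use of `strcpy` in the "before" form is an assumption because the advisory does not name the copy routine.

```c
#include <stdio.h>
#include <string.h>

#define HOSTNAME_BUF 512 /* stack buffer size given in the advisory */

/* Hypothetical stand-ins for the firmware's NVRAM store (constructed for this example). */
static const char *stub_value = "router.example.invalid";
void nvram_set_stub(const char *v) { stub_value = v; }
const char *nvram_get_stub(const char *key) { (void)key; return stub_value; }

/* "Before": unbounded copy into a fixed buffer. The advisory does not name the
 * copy routine; strcpy is an assumption. Overflows when the value is >= 512 bytes. */
void copy_hostname_unchecked(char *out) {
    strcpy(out, nvram_get_stub("ddns_netgear_hostname"));
}

/* "After": measure the value against the destination first and fail closed.
 * Returns 0 on success, -1 if the value is missing or does not fit. */
int copy_hostname_checked(char *out, size_t out_len) {
    const char *v = nvram_get_stub("ddns_netgear_hostname");
    size_t n = 0;
    if (out == NULL || out_len == 0) return -1;
    out[0] = '\0';
    if (v == NULL) return -1;
    while (n < out_len && v[n] != '\0') n++;   /* bounded length scan */
    if (n >= out_len) return -1;               /* no room for the terminator: reject */
    memcpy(out, v, n + 1);
    return 0;
}

int main(void) {
    char buf[HOSTNAME_BUF];
    static char oversized[2048];               /* constructed test value */
    memset(oversized, 'A', sizeof oversized - 1);
    printf("normal value: %d\n", copy_hostname_checked(buf, sizeof buf));
    nvram_set_stub(oversized);
    printf("oversized value: %d\n", copy_hostname_checked(buf, sizeof buf));
    return 0;
}
```

Rejecting an oversized value instead of truncating it keeps the caller from acting on a partial hostname; the same length limit is worth enforcing at the point where the setting is written to NVRAM.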

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • netgear/R6250 (source: description)
  • Netgear/R6250 (source: llm-fuzzy)
    Range: = 1.0.4.48

Patches

0

No patches discovered yet.

References

2
