CVE-2023-38928
Description
Netgear R7100LG 1.0.0.78 was discovered to contain a command injection vulnerability via the password parameter at usb_remote_invite.cgi.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A command injection vulnerability in Netgear R7100LG firmware 1.0.0.78 allows unauthenticated remote code execution via the password parameter of usb_remote_invite.cgi.
Vulnerability
A command injection vulnerability exists in the password parameter of the /cgi-bin/usb_remote_invite.cgi endpoint on Netgear R7100LG routers running firmware version 1.0.0.78 [2]. The input is not properly sanitized before being used in a system command, allowing an attacker to inject arbitrary operating system commands. The vulnerability is related to improper handling of user-controlled format strings (CWE-134) in functions FUN_00077d70 and FUN_00077ea8 [2].
Exploitation
An attacker can trigger the vulnerability by sending a crafted HTTP POST request to the usb_remote_invite.cgi endpoint with a malicious password parameter containing command injection payloads [2]. No authentication is required, as the endpoint is accessible without prior login. The attacker only needs network access to the device's web interface (typically on port 80 or 443). The injected commands are executed as root [2].
Impact
Successful exploitation allows an unauthenticated remote attacker to execute arbitrary commands on the router's operating system with root privileges [2]. This can lead to full compromise of the device, including access to all network traffic traversing the router, modification of router configuration, installation of persistent malware, and potentially pivoting into the internal network. The vulnerability presents a critical risk as it can be exploited remotely without authentication.
Mitigation
As of the publication date (2023-08-07), NETGEAR has not released a security advisory or firmware update for this vulnerability on their security portal [1]. The affected firmware version 1.0.0.78 is the latest at the time of disclosure [2]. Users should monitor NETGEAR's security advisory page for a future patch [1]. No known workarounds have been disclosed. The device is not listed in CISA's Known Exploited Vulnerabilities catalog as of this publication.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Netgear/R7100LG
Patches
No patches discovered yet.