CVE-2024-28340
Description
An information leak in the currentsetting.htm component of Netgear CBR40 2.5.0.28, Netgear CBK40 2.5.0.28, and Netgear CBK43 2.5.0.28 allows attackers to obtain sensitive information without any authentication required.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated information leak in the currentsetting.htm component of several Netgear Orbi Pro WiFi 6 mesh systems exposes sensitive device configuration data.
Vulnerability
An information leak vulnerability exists in the currentsetting.htm component of Netgear CBR40, CBK40, and CBK43 devices running firmware version 2.5.0.28 [1]. The component exposes sensitive configuration data over the network without requiring any authentication, allowing any unauthenticated remote attacker to retrieve the information.
Exploitation
An attacker does not require any prior authentication, privileged network position, physical proximity, or user interaction. By sending a direct HTTP request to the /currentsetting.htm endpoint on an affected device, the attacker can retrieve the device's configuration details. The exploit is a single GET request that carries no session cookies or credentials.
Impact
Successful exploitation results in disclosure of sensitive device configuration information, including potentially Wi-Fi passwords, network SSIDs, and other settings. This constitutes a confidentiality breach, as the attacker obtains data that can be used for further compromise of the network or users' devices. The attacker gains no code execution or privilege elevation, but the leaked information can serve as a stepping stone for more severe attacks.
Mitigation
As of the publication date (2024-03-12), no fixed firmware version has been released [1]. Users are advised to monitor Netgear's security advisory page for updates. If the device supports manual downgrade, users may consider using a version prior to 2.5.0.28 if available. However, no official workaround or patch is documented in the provided references. The product may still be within its support lifecycle, but no specific mitigation steps are given [1].
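The record above documents no vendor workaround. As an added example (not from the CVE record, Netgear, or any cited reference), the following is defender-side detection logic a practitioner could run over access logs collected by a reverse proxy or IDS placed in front of the device's management interface. It flags successful (HTTP 200) fetches of /currentsetting.htm that carried no session cookie or credentials, and raises the severity when the source address is outside the LAN. The log format (Common Log Format extended with Cookie and Authorization fields), the LAN ranges, and the sample log lines are all constructed assumptions.

```python
"""Log-based detection for unauthenticated reads of /currentsetting.htm.

Added example for CVE-2024-28340; not code from the CVE record or vendor.
Assumption: the proxy/IDS in front of the device writes Common Log Format
plus two trailing quoted fields, the request's Cookie and Authorization
headers ("-" when absent). Adjust LOG_RE to your own log format.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Path named in the CVE description; compared case-insensitively below.
SENSITIVE_PATHS = ("/currentsetting.htm",)

# Assumed management-LAN ranges; replace with your own.
LAN_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# CLF + "cookie" + "authorization" (assumed format, see module docstring).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<cookie>[^"]*)" "(?P<auth>[^"]*)"$'
)

# Constructed sample lines: external hit with no credentials, an admin's
# authenticated fetch, an unrelated page, a second external hit with
# different path casing, and a LAN hit with no credentials.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /currentsetting.htm HTTP/1.1" 200 1432 "-" "-"
192.168.1.20 - - [12/Mar/2024:10:01:05 +0000] "GET /currentsetting.htm HTTP/1.1" 200 1432 "-" "Basic xxx"
192.168.1.21 - - [12/Mar/2024:10:01:07 +0000] "GET /index.htm HTTP/1.1" 200 5120 "-" "-"
198.51.100.9 - - [12/Mar/2024:10:01:09 +0000] "GET /CurrentSetting.htm HTTP/1.1" 200 1432 "-" "-"
192.168.1.30 - - [12/Mar/2024:10:01:11 +0000] "GET /currentsetting.htm?x=1 HTTP/1.1" 200 1432 "-" "-"
"""


@dataclass
class Finding:
    src: str
    path: str
    timestamp: str
    severity: str
    reasons: tuple


def is_lan(ip: str) -> bool:
    """True when the address falls inside one of the assumed LAN ranges."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETS)


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text: str) -> list:
    """Scan log text and return one Finding per suspicious currentsetting.htm read."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Strip the query string and normalise case before comparing the path.
        path = rec["path"].split("?", 1)[0].lower()
        if path not in SENSITIVE_PATHS:
            continue
        # Only a 200 means the device actually served the configuration page.
        if rec["status"] != "200":
            continue
        reasons = []
        if rec["cookie"] == "-" and rec["auth"] == "-":
            reasons.append("no_session_or_credentials")
        if not is_lan(rec["src"]):
            reasons.append("source_outside_lan")
        if not reasons:
            continue  # authenticated LAN read: expected admin activity
        severity = "high" if len(reasons) == 2 else "medium"
        findings.append(Finding(rec["src"], rec["path"], rec["ts"], severity, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.severity:6} {f.src:15} {f.path} {', '.join(f.reasons)}")
```

An authenticated read from the LAN is deliberately not reported, since that is what normal administration looks like; an unauthenticated read from the LAN is still reported at medium severity because the endpoint should never serve configuration without a session.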
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Netgear/CBR40
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.