CVE-2021-20170

Source: vulnreport@tenable.com

HIGH
8.8
Published: December 30, 2021 at 10:15 PM
Modified: November 21, 2024 at 05:46 AM

Vulnerability Description

Netgear RAX43 version 1.0.3.96 makes use of hardcoded credentials. It does not appear that normal users are intended to be able to manipulate configuration backups due to the fact that they are encrypted. This encryption is accomplished via a password-protected zip file with a hardcoded password (RAX50w!a4udk). By unzipping the configuration using this password, a user can reconfigure settings not intended to be manipulated, re-zip the configuration, and restore a backup causing these settings to be changed.

CVSS Metrics

Base Score
8.8
Severity
HIGH
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Netgear RAX43 routers are vulnerable to a high-severity flaw (CVSS 8.8) caused by the use of a hardcoded password for configuration backups. An attacker can extract, modify, and restore the router's configuration, potentially gaining unauthorized access to and control over the device and the network it protects.

02 // Vulnerability Mechanism

Step 1: Backup Acquisition: The attacker obtains a configuration backup file from the vulnerable Netgear RAX43 router. The CVSS vector (PR:L) reflects the simplest path: a low-privileged authenticated user exports a backup through the router's own management interface. Alternatively, the file may be obtained by other means, such as phishing or social engineering to trick a user into providing it.

Step 2: Decryption: The attacker uses the hardcoded password ('RAX50w!a4udk') to decrypt the password-protected zip file containing the router's configuration.

Step 3: Configuration Modification: The attacker modifies the configuration files within the decrypted backup. This could involve changing administrative passwords, altering DNS settings to redirect traffic, or enabling remote access features.

Step 4: Re-encryption: The attacker re-zips the modified configuration files, using the same hardcoded password ('RAX50w!a4udk') to encrypt the backup again.

Step 5: Backup Restoration: The attacker uploads the modified and re-encrypted configuration backup to the Netgear RAX43 router and restores it. This overwrites the existing configuration with the attacker's modifications.

Step 6: Exploitation: The attacker leverages the modified configuration to gain unauthorized access, control the network, or perform other malicious activities.

03 // Deep Technical Analysis

The vulnerability stems from the use of a hardcoded password ('RAX50w!a4udk') to encrypt configuration backups. The router's firmware allows users to create and restore these backups. The encryption is implemented using a password-protected zip file. The flaw lies in the fact that the password is known, allowing an attacker to decrypt the backup, modify sensitive settings (potentially including administrative credentials, DNS settings, or firewall rules), re-zip the configuration with the same password, and then restore the modified backup. This bypasses intended security controls and allows for unauthorized configuration changes. The root cause is a lack of proper key management and the reliance on a static, easily discoverable password. There is no input validation or sanitization of the configuration data, allowing for arbitrary configuration changes.
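The root cause described above, a secret that is identical on every unit, is easier to see in code. The following is an added illustration and not Netgear firmware or anything from the advisory: a "weak" scheme that tags backups with a vendor-wide constant (standing in for the hardcoded zip password) is placed beside a hardened scheme that binds each backup to a per-device secret with an HMAC tag. All secrets, the config fields and the tampering values are constructed for the demonstration; the body is left in clear text because the defect exploited here is missing integrity protection, not confidentiality.

```python
"""Static shared secret vs. per-device keyed integrity for config backups.

Illustrative code added to this page; not vendor code. Backup layout is
constructed as: salt (16 bytes) || HMAC-SHA256 tag (32 bytes) || JSON body.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# Constructed stand-in for a secret baked into every firmware image of a product
# line. Anyone who recovers it from one unit can forge backups for all units.
VENDOR_WIDE_SECRET = b"shared-secret-in-every-firmware-image"

SALT_LEN = 16
TAG_LEN = 32


def _derive_key(secret: bytes, salt: bytes) -> bytes:
    """Derive a backup-MAC key from a secret and a fresh per-backup salt."""
    return hmac.new(secret, b"config-backup-mac|" + salt, hashlib.sha256).digest()


def export_backup(config: Dict, secret: bytes) -> bytes:
    """Serialise the config and prepend a salt and a keyed tag over the body."""
    body = json.dumps(config, sort_keys=True).encode()
    salt = secrets.token_bytes(SALT_LEN)
    tag = hmac.new(_derive_key(secret, salt), body, hashlib.sha256).digest()
    return salt + tag + body


def restore_backup(blob: bytes, secret: bytes) -> Optional[Dict]:
    """Return the config if the tag verifies under `secret`, otherwise None."""
    if len(blob) < SALT_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    tag = blob[SALT_LEN:SALT_LEN + TAG_LEN]
    body = blob[SALT_LEN + TAG_LEN:]
    expected = hmac.new(_derive_key(secret, salt), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def tamper_and_retag(blob: bytes, changes: Dict, forger_secret: bytes) -> bytes:
    """Model the advisory's tampering path: edit the body, re-tag with whatever
    secret the forger knows. The body is plaintext, so no key is needed to read it."""
    body = json.loads(blob[SALT_LEN + TAG_LEN:])
    body.update(changes)
    return export_backup(body, forger_secret)


def demo() -> Dict[str, bool]:
    # Constructed sample configuration and the changes a forger would make.
    config = {"admin_user": "admin", "remote_mgmt": False, "dns": ["192.0.2.53"]}
    changes = {"remote_mgmt": True, "dns": ["198.51.100.1"]}

    # Weak: the device verifies against a secret every device shares, so a
    # backup re-tagged with that shared value restores without complaint.
    weak_blob = export_backup(config, VENDOR_WIDE_SECRET)
    weak_forged = tamper_and_retag(weak_blob, changes, VENDOR_WIDE_SECRET)
    weak_result = restore_backup(weak_forged, VENDOR_WIDE_SECRET)

    # Hardened: this unit has its own secret (constructed here; in practice it
    # comes from per-unit provisioning or a secure element). A forger who only
    # knows the vendor-wide value cannot produce a tag this unit accepts.
    device_secret = secrets.token_bytes(32)
    hard_blob = export_backup(config, device_secret)
    hard_forged = tamper_and_retag(hard_blob, changes, VENDOR_WIDE_SECRET)

    return {
        "weak_forgery_accepted": weak_result is not None and weak_result["remote_mgmt"] is True,
        "hardened_genuine_restores": restore_backup(hard_blob, device_secret) == config,
        "hardened_forgery_accepted": restore_backup(hard_forged, device_secret) is not None,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design trade-off worth noting: a backup bound to a per-device secret cannot be restored onto a replacement unit, which is one reason vendors reach for a shared constant. The usual way out is to derive the backup key from a passphrase the user supplies at export time (with a proper password-based KDF), so the secret is neither baked into firmware nor tied to a single chassis.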

04 // Exploitation Status

Public PoC. Multiple public exploits and proof-of-concept code are available, making exploitation relatively straightforward. The vulnerability is easily reproducible.

05 // Threat Intelligence

While no specific APT groups are definitively linked to exploiting this vulnerability, the ease of exploitation and the potential impact (network compromise) make it attractive to various threat actors. The vulnerability could be used by financially motivated actors for botnet recruitment or ransomware deployment. Not listed on CISA KEV at this time.

06 // Detection & Hunting

  • Network traffic analysis: Monitor for unusual network activity originating from the router, such as unexpected outbound connections or changes in DNS resolution.

  • File integrity monitoring: Monitor the router's configuration files for unauthorized modifications. This requires access to the router's file system, which may not be possible without prior compromise.

  • Log analysis: Examine router logs for suspicious events, such as unauthorized configuration changes or failed login attempts.

  • Configuration backup analysis: Analyze configuration backups for any unexpected changes or modifications to sensitive settings.

  • IDS/IPS signatures: Implement signatures to detect attempts to exploit the vulnerability, such as attempts to download or upload configuration backups with known characteristics.
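The "configuration backup analysis" item above is the one a defender can act on without access to the router's file system: keep a trusted baseline export and compare any later backup against it before restoring. The script below is an added example, not tooling from the advisory or from Netgear. The key=value configuration format and both sample backups are constructed for the demonstration (a real backup would first have to be unpacked to its plain configuration files); the list of sensitive keys follows the settings the analysis above names as attractive to modify: administrative credentials, DNS, remote management and firewall rules.

```python
"""Flag changes to sensitive settings between a trusted baseline backup and a
candidate backup. Added example; config format and samples are constructed."""
from typing import Dict, List, Tuple

# Setting name -> category reported in findings. Constructed for this example;
# real backup key names differ per firmware.
SENSITIVE_KEYS = {
    "admin_password_hash": "administrative credential",
    "remote_mgmt_enabled": "remote management",
    "remote_mgmt_port": "remote management",
    "dns_primary": "DNS resolution",
    "dns_secondary": "DNS resolution",
    "firewall_enabled": "firewall",
    "port_forward": "firewall",
}

ABSENT = "<absent>"

# Constructed sample baseline, exported and stored when the device was known-good.
BASELINE = """# constructed sample, not a real RAX43 backup
hostname=home-router
admin_password_hash=$6$constructed$abc
remote_mgmt_enabled=0
dns_primary=192.0.2.53
dns_secondary=192.0.2.54
firewall_enabled=1
wifi_ssid=HomeNet
"""

# Constructed candidate: DNS redirected, remote management switched on and a
# port forward added; the SSID change is benign and should not be reported.
CANDIDATE = """# constructed sample, not a real RAX43 backup
hostname=home-router
admin_password_hash=$6$constructed$abc
remote_mgmt_enabled=1
remote_mgmt_port=8443
dns_primary=198.51.100.1
dns_secondary=192.0.2.54
firewall_enabled=1
port_forward=8443:192.168.1.50:22
wifi_ssid=HomeNet2
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored.
    Malformed lines raise rather than being skipped, so a corrupt or
    deliberately odd backup is not silently accepted."""
    cfg: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def diff_sensitive(baseline: Dict[str, str],
                   candidate: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (category, key, old, new) for every sensitive key that was
    changed, added or removed. Keys added only in the candidate matter too:
    a port forward or remote-management port the baseline never had."""
    findings = []
    for key in sorted(set(baseline) | set(candidate)):
        if key not in SENSITIVE_KEYS:
            continue
        old = baseline.get(key, ABSENT)
        new = candidate.get(key, ABSENT)
        if old != new:
            findings.append((SENSITIVE_KEYS[key], key, old, new))
    return findings


def run_demo() -> List[Tuple[str, str, str, str]]:
    return diff_sensitive(parse_config(BASELINE), parse_config(CANDIDATE))


if __name__ == "__main__":
    for category, key, old, new in run_demo():
        print(f"[{category}] {key}: {old} -> {new}")
```

A non-empty result is a reason to stop and inspect before restoring; an empty result says only that the watched keys are unchanged, so extend `SENSITIVE_KEYS` to whatever the firmware in front of you actually exposes.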

07 // Remediation & Hardening

  • Upgrade Firmware: Update the Netgear RAX43 router to the latest firmware version that addresses the vulnerability. Check Netgear's website for available updates.

  • Disable Remote Management: Disable remote management access to the router to reduce the attack surface. If remote access is required, use strong passwords and enable multi-factor authentication.

  • Change Default Credentials: Change the default administrative password on the router to a strong, unique password.

  • Network Segmentation: Segment the network to limit the impact of a potential compromise. Place critical devices and data on a separate network segment.

  • Monitor Network Traffic: Implement network monitoring and intrusion detection systems to detect suspicious activity.

  • Regular Security Audits: Conduct regular security audits of the router and network to identify and address vulnerabilities.

08 // Affected Products

Netgear RAX43 Router, version 1.0.3.96

09 // Discovered Proof of Concept Links
