Attacker Value
High
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Adjacent_network
1

CVE-2020-10923

Disclosure Date: July 28, 2020
CVE-2020-10923 CVSS v3 Base Score: 8.8
Exploited in the Wild
Reported by gwillcox-r7
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated
Privilege Escalation
Techniques
Validation
Validated

Description

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UPnP service, which listens on TCP port 5000. A crafted UPnP message can be used to bypass authentication. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-9642.

Add Assessment

2
Ratings
  • Attacker Value
    High
  • Exploitability
    Medium
Gives privileged accessUnauthenticatedVulnerable in default configurationRequires physical access
Technical Analysis

This was an authentication bypass in NETGEAR R6700 versions V1.0.2.8 and prior that was exploited by Pedro Ribeiro and Radek Domanski of Team Flashback in 2019’s Pwn2Own Tokyo competition. It occurs when network adjacent computers send SOAPAction UPnP messages to a vulnerable Netgear R6700v3 router, which does not appropriately validate that the user is logged in prior to performing the requested actions.

Whilst this vulnerability in and of itself doesn’t allow for remote code execution, its important to note that it is an authentication bypass that allows one to access the router as the Administrator user. Usually after you get this level of access, its considerably easier to start cracking open the security of the device as now its assumed your the Administrator and want to make these changes willingly, so the device generally will not attempt to check as many of your requests before performing your desired action, which can lead to additional security bugs that grant you code execution on the device.

In this case this is exactly what happened and CVE-2020-10924 can be used in combination with this bug to gain RCE on any vulnerable NEATGEAR R6700 router running firmware version V1.0.2.8 or prior to gain full control over the target device. It is therefore strongly recommended to patch this vulnerability alongside CVE-2020-10924 on any affected devices.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Adjacent_network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
R6700 V1.0.4.84_10.0.58
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
auxiliary/admin/http/netgear_r6700_pass_reset
Reporter
Unknown

Vendors

  • netgear

Products

  • r6700 firmware 1.0.4.84 10.0.58

Exploited in the Wild

Reported by:

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis