Attacker Value
High
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Adjacent_network
1

CVE-2020-10923

Disclosure Date: July 28, 2020
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated
Privilege Escalation
Techniques
Validation
Validated

Description

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UPnP service, which listens on TCP port 5000. A crafted UPnP message can be used to bypass authentication. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-9642.

Add Assessment

2
Ratings
Technical Analysis

This was an authentication bypass in NETGEAR R6700 versions V1.0.2.8 and prior that was exploited by Pedro Ribeiro and Radek Domanski of Team Flashback in 2019’s Pwn2Own Tokyo competition. It occurs when network adjacent computers send SOAPAction UPnP messages to a vulnerable Netgear R6700v3 router, which does not appropriately validate that the user is logged in prior to performing the requested actions.

Whilst this vulnerability in and of itself doesn’t allow for remote code execution, its important to note that it is an authentication bypass that allows one to access the router as the Administrator user. Usually after you get this level of access, its considerably easier to start cracking open the security of the device as now its assumed your the Administrator and want to make these changes willingly, so the device generally will not attempt to check as many of your requests before performing your desired action, which can lead to additional security bugs that grant you code execution on the device.

In this case this is exactly what happened and CVE-2020-10924 can be used in combination with this bug to gain RCE on any vulnerable NEATGEAR R6700 router running firmware version V1.0.2.8 or prior to gain full control over the target device. It is therefore strongly recommended to patch this vulnerability alongside CVE-2020-10924 on any affected devices.

CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Adjacent_network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • NETGEAR

Products

  • R6700

Exploited in the Wild

Reported by:
Reported: November 25, 2020 5:36pm UTC (5 months ago)

Additional Info

Technical Analysis