AttackerKB AKB:973DD26E-633E-40D6-AF92-96A8BDA7245B
History: Jul 28, 2020 - 12:00 a.m.

CVE-2020-10923

Source: attackerkb.com

EPSS: 0.004 (Percentile: 73.8%)

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UPnP service, which listens on TCP port 5000. A crafted UPnP message can be used to bypass authentication. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-9642.

Recent assessments:

gwillcox-r7 at November 25, 2020 5:36pm UTC reported:

This was an authentication bypass in NETGEAR R6700 versions V1.0.2.8 and prior that was exploited by Pedro Ribeiro and Radek Domanski of Team Flashback in 2019’s Pwn2Own Tokyo competition. It occurs when network-adjacent computers send SOAPAction UPnP messages to a vulnerable Netgear R6700v3 router, which does not appropriately validate that the user is logged in prior to performing the requested actions.

Whilst this vulnerability in and of itself doesn’t allow for remote code execution, it’s important to note that it is an authentication bypass that allows one to access the router as the Administrator user. Usually after you get this level of access, it’s considerably easier to start cracking open the security of the device, as now it’s assumed you’re the Administrator and want to make these changes willingly, so the device generally will not attempt to check as many of your requests before performing your desired action, which can lead to additional security bugs that grant you code execution on the device.

In this case this is exactly what happened, and CVE-2020-10924 can be used in combination with this bug to gain RCE on any vulnerable NETGEAR R6700 router running firmware version V1.0.2.8 or prior to gain full control over the target device. It is therefore strongly recommended to patch this vulnerability alongside CVE-2020-10924 on any affected devices.

Assessed Attacker Value: 4
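The bug class described in the advisory text and in gwillcox-r7's assessment above, a UPnP SOAP handler that acts on SOAPAction requests without checking for an authenticated session, modelled as an added Python example. This is not code from AttackerKB, ZDI, NETGEAR or the Pwn2Own entry: the service URN, the action names (GetInfo, SetConfig), the session model, the dispatch logic and the sample request are all constructed for illustration and say nothing about the real R6700 UPnP implementation or the actual crafted message. The vulnerable dispatcher sits beside a hardened one that gates state-changing actions on an authenticated session.

```python
"""
Hypothetical model of a UPnP SOAP control endpoint of the kind that listens
on TCP/5000. Everything below (URN, action names, session model) is made up
for illustration; none of it is the router's own code.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the shape of a UPnP control POST. The path, service
# URN and action are placeholders, not the real R6700 values.
SAMPLE_REQUEST = (
    b"POST /soap/control HTTP/1.1\r\n"
    b"Host: 192.168.1.1:5000\r\n"
    b"Content-Type: text/xml; charset=\"utf-8\"\r\n"
    b"SOAPAction: \"urn:example-org:service:DeviceConfig:1#SetConfig\"\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_soap_action(raw: bytes):
    """Return (service_urn, action) from the SOAPAction header, or None.

    UPnP encodes the action as "<serviceType>#<actionName>", usually quoted.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"soapaction":
            m = re.fullmatch(rb'\s*"?([^"#]+)#([^"]+)"?\s*', value)
            if m:
                return m.group(1).decode(), m.group(2).decode()
    return None


@dataclass
class Session:
    """Per-client state; the web UI sets authenticated after a login."""
    authenticated: bool = False


@dataclass
class Device:
    """Toy device state with one read-only and one state-changing action."""
    config: dict = field(default_factory=lambda: {"admin_pw": "secret"})

    def get_info(self):
        return {"model": "hypothetical", "fw": "hypothetical"}

    def set_config(self, key, value):
        self.config[key] = value
        return {"ok": True}


# Hypothetical split: actions that must only be reachable by the admin.
STATE_CHANGING = {"SetConfig"}


def vulnerable_dispatch(device, session, raw, arg=None):
    """The pattern the write-up describes: the UPnP path dispatches purely on
    the SOAPAction header and never consults the session, so any host on the
    LAN can invoke actions the web UI reserves for a logged-in admin."""
    parsed = parse_soap_action(raw)
    if parsed is None:
        return 400, None
    _, action = parsed
    if action == "GetInfo":
        return 200, device.get_info()
    if action == "SetConfig":
        return 200, device.set_config(*arg)
    return 404, None


def hardened_dispatch(device, session, raw, arg=None):
    """Hardened form: a state-changing action is refused unless the caller's
    session is authenticated; read-only actions behave as before."""
    parsed = parse_soap_action(raw)
    if parsed is None:
        return 400, None
    _, action = parsed
    if action in STATE_CHANGING and not session.authenticated:
        return 401, None
    if action == "GetInfo":
        return 200, device.get_info()
    if action == "SetConfig":
        return 200, device.set_config(*arg)
    return 404, None


if __name__ == "__main__":
    anon = Session()                     # a LAN host that never logged in
    dev = Device()
    print(vulnerable_dispatch(dev, anon, SAMPLE_REQUEST, ("admin_pw", "pwned")),
          dev.config)
    dev = Device()
    print(hardened_dispatch(dev, anon, SAMPLE_REQUEST, ("admin_pw", "pwned")),
          dev.config)
```

The point of the hardened form is that the check is applied in the shared dispatcher keyed on the action, not in the web UI alone; when a device exposes the same privileged operations on more than one listener (here the HTTP admin UI and the UPnP port), each entry point has to enforce the session check, otherwise the second listener becomes the bypass the assessment describes.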

