search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

New Netcomm router models NF20MESH, NF20, and NL1902 vulnerabilities

Vulnerability Note VU#986018

Original Release Date: 2023-01-17 | Last Revised: 2023-01-17

Overview

Netcomm router models NF20MESH, NF20, and NL1902 running software versions earlier than R6B035 contain two vulnerabilities. The first is an authentication bypass vulnerability that allows an unauthenticated user to access content from both inside and outside the network. The second is a stack-based buffer overflow that allows an instruction pointer to be overwritten on the stack, thereby crashing the application at a known location. The two vulnerabilities, when chained together, permit a remote, unauthenticated attacker to execute arbitrary code.

Description

Netcomm router models NF20MESH, NF20, and NL1902 running software versions earlier than R6B035 may contain two vulnerabilities:

CVE-2022-4873 A stack based buffer overflow affects the sessionKey parameter. By providing a specific number of bytes, the instruction pointer is able to be overwritten on the stack and crashes the application at a known location.

CVE-2022-4874 Authentication bypass allows an unauthenticated user to access content. In order to serve static content, the application performs a check for the existence of specific characters in the URL (.css, .png etc). If it exists, it performs a "fake login" to give the request an active session to load the file and not redirect to the login page.

The tested models that were impacted are Netcomm routers using a Broadcom chipset that had third-party code added by Shenzhen Gongjin Electronics. The third-party code introduced the vulnerabilities. These routers are deployed by residential internet service providers.

Impact

The two vulnerabilities, when chained together, permit a remote, unauthenticated attacker to execute arbitrary code. The attacker can first gain unauthorized access to affected devices, and then use those entry points to gain access to other networks or compromise the availability, integrity, or confidentiality of data being transmitted from the internal network. The reporter has produced a github PoC that shows how to combine both vulnerabilities to achieve unauthenticated remote code execution.

Solution

Update the router firmware to version R6B035 from the vendor website at https://support.netcommwireless.com/products/NF20#Firmware.

Acknowledgements

Thanks to the reporter Brendan Scarvell for reporting this vulnerability.

This document was written by Timur Snoke.

Vendor Information

986018
 
Expand all

NetComm Wireless Limited Affected

Notified:  2022-11-02 Updated: 2023-01-17

Statement Date:   November 07, 2022

CVE-2022-4873 Affected
CVE-2022-4874 Affected

Vendor Statement

With thanks to the reporter, NetComm Wireless are aware of these vulnerabilites.

The issue has been traced to code provided by the chipset vendor (@broadcom) and affects multiple products including:- NF20, NF20MESH, NL1902

NetComm Wireless are preparing FW releases which resolve these vulnerabilities for all affected products and we shall provide these to our customers as soon as they are validated.

However, given the nature of the issue we are concerned that it may affect other vendors.

Broadcom Not Affected

Notified:  2022-11-02 Updated: 2023-01-17

Statement Date:   November 17, 2022

CVE-2022-4873 Not Affected
Vendor Statement:
After attempts to duplicate this issue on Broadcom reference code, Broadcom has received confirmation from our customer that this particular vulnerability was introduced in software changes outside of Broadcom's hands.
CVE-2022-4874 Not Affected
Vendor Statement:
After attempts to duplicate this issue on Broadcom reference code, Broadcom has received confirmation from our customer that this particular vulnerability was introduced in software changes outside of Broadcom's hands.

Vendor Statement

These vulnerabilities do not exist in the Broadcom SDK code. We have received confirmation that they were introduced in thirs party customizations specific to this product.

Shenzhen Gongjin Electronics Unknown

Notified:  2022-11-17 Updated: 2023-01-17

CVE-2022-4873 Unknown
CVE-2022-4874 Unknown

Vendor Statement

We have not received a statement from the vendor.


References

Other Information

CVE IDs: CVE-2022-4873 CVE-2022-4874
API URL: VINCE JSON | CSAF
Date Public: 2023-01-17
Date First Published: 2023-01-17
Date Last Updated: 2023-01-17 17:40 UTC
Document Revision: 1

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis