{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/986018#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nNetcomm router models NF20MESH, NF20, and NL1902 running software versions earlier than R6B035 contain two vulnerabilities. The first is an authentication bypass that allows an unauthenticated user, from inside or outside the network, to access content that should require authentication. The second is a stack-based buffer overflow that lets the saved instruction pointer on the stack be overwritten, crashing the application at a known location. Chained together, the two vulnerabilities permit a remote, unauthenticated attacker to execute arbitrary code.\r\n\r\n### Description\r\nNetcomm router models NF20MESH, NF20, and NL1902 running software versions earlier than R6B035 contain two vulnerabilities:\r\n\r\n**CVE-2022-4873**\r\nA stack-based buffer overflow affects the sessionKey parameter. By supplying a specific number of bytes in that parameter, an attacker can overwrite the saved instruction pointer on the stack and crash the application at a known location.\r\n\r\n**CVE-2022-4874**\r\nAn authentication bypass allows an unauthenticated user to access content. In order to serve static content, the application checks whether the URL contains specific substrings, such as the static file extensions .css and .png. If one is found, it performs a \"fake login\" that gives the request an active session so the file loads rather than redirecting to the login page. Because the check is a substring match on the whole URL rather than a check on the file actually being served, a request for a protected resource that also contains one of those substrings receives a session in the same way.\r\n\r\nThe tested models that were impacted are Netcomm routers using a Broadcom chipset with third-party code added by Shenzhen Gongjin Electronics; that third-party code introduced the vulnerabilities. These routers are deployed by residential internet service providers.\r\n\r\n### Impact\r\nThe two vulnerabilities, when chained together, permit a remote, unauthenticated attacker to execute arbitrary code. The attacker can first gain unauthorized access to affected devices and then use that foothold to reach other networks or to compromise the availability, integrity, or confidentiality of data transmitted from the internal network. The reporter has published a [GitHub PoC](https://github.com/scarvell/advisories/blob/main/2022_netcomm_nf20mesh_unauth_rce.md) that shows how to combine both vulnerabilities to achieve unauthenticated remote code execution.\r\n\r\n### Solution\r\nUpdate the router firmware to version R6B035 or later, available from the vendor website at [https://support.netcommwireless.com/products/NF20#Firmware](https://support.netcommwireless.com/products/NF20#Firmware). Any version earlier than R6B035 should be treated as affected.\r\n\r\n### Acknowledgements\r\nThanks to Brendan Scarvell for reporting these vulnerabilities.\r\n\r\nThis document was written by Timur Snoke.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL, if provided by the vendor, for more details.","title":"Limitations of Advisory"},{"category":"other","text":"With thanks to the reporter, NetComm Wireless are aware of these vulnerabilities.\r\n\r\nThe issue has been traced to code provided by the chipset vendor (@broadcom) and affects multiple products including: NF20, NF20MESH, NL1902\r\n\r\nNetComm Wireless are preparing FW releases which resolve these vulnerabilities for all affected products and we shall provide these to our customers as soon as they are validated.\r\n\r\nHowever, given the nature of the issue we are concerned that it may affect other vendors.","title":"Vendor statement from NetComm Wireless Limited"},{"category":"other","text":"These vulnerabilities do not exist in the Broadcom SDK code. We have received confirmation that they were introduced in third-party customizations specific to this product.","title":"Vendor statement from Broadcom"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/986018"},{"url":"https://github.com/scarvell/advisories/blob/main/2022_netcomm_nf20mesh_unauth_rce.md","summary":"https://github.com/scarvell/advisories/blob/main/2022_netcomm_nf20mesh_unauth_rce.md"},{"url":"https://support.netcommwireless.com/products/NF20#Firmware","summary":"https://support.netcommwireless.com/products/NF20#Firmware"}],"title":"New Netcomm router models NF20MESH, NF20, and NL1902 vulnerabilities","tracking":{"current_release_date":"2023-01-17T17:40:29+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#986018","initial_release_date":"2023-01-17 17:40:29.392133+00:00","revision_history":[{"date":"2023-01-17T17:40:29+00:00","number":"1.20230117174029.1","summary":"Released on 2023-01-17T17:40:29+00:00"}],"status":"final","version":"1.20230117174029.1"}},"vulnerabilities":[{"title":"Authentication bypass in Netcomm router models NF20MESH, NF20, and NL1902 allows an unauthenticated user to access content.","notes":[{"category":"summary","text":"Authentication bypass in Netcomm router models NF20MESH, NF20, and NL1902 allows an unauthenticated user to access content. In order to serve static content, the application checks whether the URL contains specific substrings, such as the static file extensions .css and .png. If one is found, it performs a \"fake login\" that gives the request an active session so the file loads rather than redirecting to the login page."}],"cve":"CVE-2022-4874","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#986018"}],"product_status":{"known_affected":["CSAFPID-bf9eae20-39d8-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-bf9ef9de-39d8-11f1-8422-122e2785dc9f"]}},{"title":"On Netcomm router models NF20MESH, NF20, and NL1902 a stack-based buffer overflow affects the sessionKey parameter.","notes":[{"category":"summary","text":"On Netcomm router models NF20MESH, NF20, and NL1902 a stack-based buffer overflow affects the sessionKey parameter. By supplying a specific number of bytes in that parameter, an attacker can overwrite the saved instruction pointer on the stack and crash the application at a known location."}],"cve":"CVE-2022-4873","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#986018"}],"product_status":{"known_affected":["CSAFPID-bf9f7508-39d8-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-bf9fa690-39d8-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"NetComm Wireless Limited","product":{"name":"NetComm Wireless Limited Products","product_id":"CSAFPID-bf9eae20-39d8-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Broadcom","product":{"name":"Broadcom Products","product_id":"CSAFPID-bf9ef9de-39d8-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"NetComm Wireless Limited","product":{"name":"NetComm Wireless Limited Products","product_id":"CSAFPID-bf9f7508-39d8-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Broadcom","product":{"name":"Broadcom Products","product_id":"CSAFPID-bf9fa690-39d8-11f1-8422-122e2785dc9f"}}]}}
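The static-content check that the advisory describes for CVE-2022-4874 (a substring match for ".css", ".png" and similar anywhere in the URL, followed by a "fake login") is shown below in the vulnerable form and in a hardened form. This is an added example, not code from the Netcomm firmware, from the reporter's PoC, or from the advisory; the router's source is not on this page, so the function names, the extension list, the "/static/" root and the sample URLs are assumptions chosen to illustrate the bug class.

```c
/* Added example, not code from the Netcomm firmware or the advisory: the
 * static-content check behind CVE-2022-4874 written two ways. The real
 * source is not public on this page, so the function names, the extension
 * list, the "/static/" root and the sample URLs are assumptions. */
#include <stdio.h>
#include <string.h>

static const char *const STATIC_EXTS[] = { ".css", ".png", ".js", ".gif", ".ico" };
#define N_EXTS (sizeof STATIC_EXTS / sizeof STATIC_EXTS[0])

/* Vulnerable pattern: "does the URL contain .css, .png, ... anywhere?"
 * A hit in the query string, a directory name or a bogus trailing
 * component counts the same as a real file name, and in the router a hit
 * handed the request a session ("fake login") before any handler ran. */
int is_static_vulnerable(const char *url)
{
    for (size_t i = 0; i < N_EXTS; i++)
        if (strstr(url, STATIC_EXTS[i]) != NULL)
            return 1;
    return 0;
}

/* Hardened pattern: decide on the path alone (query and fragment dropped),
 * reject "." / ".." / empty components, require the path to sit under the
 * static root and the allow-listed extension to end the final component.
 * On success the normalised path is written to out_path. A match means
 * "serve this file with no session"; nothing here creates a session. */
int is_static_hardened(const char *url, char *out_path, size_t out_len)
{
    size_t n = strcspn(url, "?#");
    if (n == 0 || n >= out_len || url[0] != '/')
        return 0;
    memcpy(out_path, url, n);
    out_path[n] = '\0';

    for (const char *p = out_path; *p != '\0'; ) {   /* *p is always '/' here */
        const char *seg = p + 1;
        size_t len = strcspn(seg, "/");
        if (len == 0 ||
            (len == 1 && seg[0] == '.') ||
            (len == 2 && seg[0] == '.' && seg[1] == '.'))
            return 0;
        p = seg + len;
    }

    static const char root[] = "/static/";           /* assumed static root */
    if (strncmp(out_path, root, sizeof root - 1) != 0)
        return 0;

    const char *base = strrchr(out_path, '/') + 1;   /* final path component */
    const char *dot = strrchr(base, '.');
    if (dot == NULL || dot == base)                  /* no extension, or a dotfile */
        return 0;
    for (size_t i = 0; i < N_EXTS; i++)
        if (strcmp(dot, STATIC_EXTS[i]) == 0)
            return 1;
    return 0;
}

/* Convenience wrapper so the verdict can be checked without a caller buffer. */
int hardened_verdict(const char *url)
{
    char path[256];
    return is_static_hardened(url, path, sizeof path);
}

int main(void)
{
    /* Constructed sample requests: one real asset and three that only look like one. */
    const char *samples[] = {
        "/static/style.css",
        "/admin/settings.cgi?x=.css",
        "/admin/settings.cgi/.png",
        "/static/../admin/settings.cgi?.css",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s vulnerable=%d hardened=%d\n", samples[i],
               is_static_vulnerable(samples[i]), hardened_verdict(samples[i]));
    return 0;
}
```

The point of the hardened version is not the extension list but where the decision is made and what it grants: the extension is checked against the final component of the normalised path only, and a positive result routes the request to a static file handler that never touches session state, so no URL shape can turn "looks like an asset" into "is logged in".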
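For CVE-2022-4873 the advisory only says that a sessionKey value of a specific length overwrites the saved instruction pointer on the stack. The example below, added here and not taken from the firmware, the PoC or the advisory, shows the bug class that produces that symptom (a parameter value copied into a fixed stack buffer with no length check) beside a bounded parser that rejects the value before copying anything. The buffer size, the [A-Za-z0-9] key alphabet, the parameter-parsing helper and the sample queries are assumptions.

```c
/* Added example, not code from the Netcomm firmware or the advisory: the
 * bug class behind CVE-2022-4873 (a request parameter copied into a fixed
 * stack buffer without a length check) next to a bounded parser. The real
 * buffer size, the key's character set and the sample queries are
 * assumptions; the firmware source is not on this page. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define KEY_BUF 32                      /* assumed on-stack buffer size */

/* Locate "name=" in an application/x-www-form-urlencoded query, matching only
 * a whole parameter name (start of string or just after '&'). Returns a
 * pointer to the value and stores its length in *vlen, or NULL if absent. */
static const char *find_param(const char *query, const char *name, size_t *vlen)
{
    size_t nlen = strlen(name);
    const char *p = query;
    while (p != NULL) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            *vlen = strcspn(v, "&");
            return v;
        }
        p = strchr(p, '&');
        if (p != NULL)
            p++;
    }
    return NULL;
}

/* Vulnerable pattern: the value is copied into key[] using its own length,
 * which is never compared with sizeof key. A value of KEY_BUF bytes or more
 * runs past the buffer into whatever the compiler placed above it on the
 * stack, and at one specific length over the saved return address. Shown
 * for contrast; only call it with trusted input. */
int handle_session_vulnerable(const char *query)
{
    char key[KEY_BUF];
    size_t n;
    const char *v = find_param(query, "sessionKey", &n);
    if (v == NULL)
        return -1;
    memcpy(key, v, n);                  /* no bound: overflows when n >= KEY_BUF */
    key[n] = '\0';
    return (int)strlen(key);
}

/* Bounded parser: returns 0 and fills out on success, -1 if the parameter is
 * missing, -2 if the value cannot fit in out together with its terminator,
 * and -3 if it contains characters outside the assumed [A-Za-z0-9] alphabet.
 * The length check happens before a single byte is copied. */
int parse_session_key(const char *query, char *out, size_t out_len)
{
    size_t n;
    const char *v = find_param(query, "sessionKey", &n);
    if (v == NULL)
        return -1;
    if (n >= out_len)
        return -2;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)v[i]))
            return -3;
    memcpy(out, v, n);
    out[n] = '\0';
    return 0;
}

/* Verdict for a query using a KEY_BUF-sized buffer, so callers need no buffer. */
int session_key_verdict(const char *query)
{
    char key[KEY_BUF];
    return parse_session_key(query, key, sizeof key);
}

/* Build "sessionKey=AAA..." with a value of len bytes and return its verdict,
 * so the boundary (KEY_BUF - 1 bytes fit, KEY_BUF do not) can be checked. */
int overlong_key_verdict(size_t len)
{
    char query[2048];
    const char prefix[] = "sessionKey=";
    if (len > sizeof query - sizeof prefix)     /* sizeof prefix counts the NUL */
        return -99;
    memcpy(query, prefix, sizeof prefix - 1);
    memset(query + sizeof prefix - 1, 'A', len);
    query[sizeof prefix - 1 + len] = '\0';
    return session_key_verdict(query);
}

int main(void)
{
    /* Constructed sample queries. */
    const char *samples[] = {
        "lang=en&sessionKey=0123456789abcdef",
        "xsessionKey=abc",              /* a different parameter: must not match */
        "sessionKey=ab%20cd",           /* rejected: '%' is outside the alphabet */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s verdict=%d\n", samples[i], session_key_verdict(samples[i]));
    printf("31-byte key: %d, 32-byte key: %d, 1000-byte key: %d\n",
           overlong_key_verdict(31), overlong_key_verdict(32), overlong_key_verdict(1000));
    return 0;
}
```

Note that the vulnerable handler behaves correctly for every normal key, which is why this class of bug survives functional testing; the only observable difference is at the length boundary, and that boundary is exactly what the bounded parser tests first.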