Researchers warns of an arbitrary code execution via FunJSQ, a third-party module for online game acceleration, that impacts multiple Netgear router models.
The analysis of various firmware allowed the researchers to discover the presence of the flawed module in NETGEAR devices (R9000, R7800, RAX200, RAX120, R6230, R6260, RAX40) and some Orbi WiFi Systems (RBR20, RBS20, RBR50, RBS50).
The experts discovered the following issues while analyzing the firmware used by the NETGEAR R7000.
- insecure communications due to explicit disabling of certificate validation (
-k), which allows us to tamper with data returned from the server
- update packages are simply validated via a hash checksum, packages are not signed in any way
- arbitrary extraction to the root path with elevated privileges, allowing whoever controls the update package to overwrite anything anywhere on the device
The overall update process relies on unsigned packages that are validated on the device using a hash checksum only. The module doesn’t rely on secure communication for the update process, which means that an attacker can tamper with the update packages.
The issue related to the insecure update mechanism was tracked as CVE-2022-40620, while the unauthenticated command injection flaw was tracked as CVE-2022-40619.
NETGEAR, fixed the issue in June, said that the vulnerabilities could be exploited only by an attacker with the knowledge of the victim’s WiFi password or an Ethernet connection to the victim’s router.
Users are recommended to update their devices as soon as possible. This research was documented by researchers from Onekey