Cisco Discloses Details of Multiple Security Vulnerabilities in NETGEAR Orbi Router RBR750

Cisco’s Talos threat intelligence and research unit has disclosed the details of several critical vulnerabilities affecting the WiFi 6 router made by an American computer networking company, Netgear.

Talos researchers discovered that Netgear Orbi Router RBR750 is affected by four vulnerabilities, CVE-2022-37337 of which has been assigned a critical severity rating. The vulnerabilities have been found in Orbi Router RBR750 version 4.6.8.5 and were reported to Netgear in August last year. The vendor has released the patch for these flaws.

Image: Netgear

1. CVE-2022-38458 (CVSS3 score of 6.5, calculated by Cisco Talos): Cleartext Transmission Vulnerability

The first vulnerability discovered is a cleartext transmission issue within the RBR750’s Remote Management functionality. This allows an attacker to execute a man-in-the-middle attack, potentially disclosing sensitive information. The vulnerability arises when users attempt to access the router using an HTTP connection instead of HTTPS. Even though the router redirects users to an HTTPS connection, the initial request with user credentials is transmitted in cleartext, making it susceptible to interception.

2. CVE-2022-36429 (CVSS3 score of 7.2, calculated by Cisco Talos): Command Execution in Ubus Backend Communications

The Orbi Satellite RBS750 extends the Wi-Fi signal throughout the home and is vulnerable to arbitrary command execution due to a flaw in the ubus backend communications functionality. An attacker can exploit this vulnerability by sending a malicious JSON object, leading to unauthorized device control. The vulnerability is further exacerbated if the default web GUI password has not been changed or the attacker knows the password.

3. CVE-2022-38452 (CVSS3 score of 7.2, calculated by Cisco Talos): Hidden Telnet Service Vulnerability

Another vulnerability affecting the RBR750 router is a hidden telnet service that can be exploited for arbitrary command execution. This vulnerability can be triggered by sending a specially-crafted network request to the device. Despite recent hardware and software updates that seemingly removed the ability to enable this service, it still exists and can be activated, posing a significant security risk.

4. CVE-2022-37337 (CVSS3 score of 9.1, calculated by Cisco Talos): Access Control Command Execution 

Lastly, a command execution vulnerability exists in the access control functionality of the RBR750 router. An attacker can exploit this vulnerability by sending a specially-crafted HTTP request, which could lead to arbitrary command execution. The vulnerability stems from the dev_name parameter in the access control function, which is susceptible to command injection.

Protect your router

The security vulnerabilities discovered in the NETGEAR Orbi Router RBR750 pose significant risks to users. It is essential for users to be aware of these vulnerabilities, update their devices to the latest firmware, and take necessary precautions to secure their networks. Technical details and proof-of-concept (PoC) exploits have been made available for each vulnerability.