ID

VAR-202305-0268


CVE

CVE-2023-27367


TITLE

(Pwn2Own) NETGEAR RAX30 libcms_cli Command Injection Remote Code Execution Vulnerability

Trust: 0.7

sources: ZDI: ZDI-23-498

DESCRIPTION

NETGEAR RAX30 libcms_cli Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the libcms_cli module. The issue results from the lack of proper validation of a user-supplied command before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19838. NETGEAR RAX30 is a dual-band wireless router from NETGEAR.

Trust: 2.07

sources: NVD: CVE-2023-27367 // ZDI: ZDI-23-498 // CNVD: CNVD-2024-33908

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-33908

AFFECTED PRODUCTS

vendor: netgear, model: rax30, scope: -, version: -

Trust: 1.3

sources: ZDI: ZDI-23-498 // CNVD: CNVD-2024-33908

CVSS

SEVERITY

zdi-disclosures@trendmicro.com: CVE-2023-27367
value: HIGH

Trust: 1.0

ZDI: CVE-2023-27367
value: HIGH

Trust: 0.7

CNVD: CNVD-2024-33908
value: HIGH

Trust: 0.6

CVSSV2

CNVD: CNVD-2024-33908
severity: HIGH
baseScore: 7.7
vectorString: AV:A/AC:L/AU:S/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 5.1
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

zdi-disclosures@trendmicro.com: CVE-2023-27367
baseSeverity: HIGH
baseScore: 8.0
vectorString: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.1
impactScore: 5.9
version: 3.0

Trust: 1.0

ZDI: CVE-2023-27367
baseSeverity: HIGH
baseScore: 8.0
vectorString: AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.1
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-23-498 // CNVD: CNVD-2024-33908 // NVD: CVE-2023-27367

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.0

sources: NVD: CVE-2023-27367

PATCH

title: NETGEAR has issued an update to correct this vulnerability.
url: https://kb.netgear.com/000065619/Security-Advisory-for-Multiple-Vulnerabilities-on-the-RAX30-PSV-2022-0348

Trust: 0.7

title: Patch for NETGEAR RAX30 Command Injection Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/574076

Trust: 0.6

sources: ZDI: ZDI-23-498 // CNVD: CNVD-2024-33908

EXTERNAL IDS

db: NVD, id: CVE-2023-27367

Trust: 2.3

db: ZDI, id: ZDI-23-498

Trust: 1.7

db: ZDI_CAN, id: ZDI-CAN-19838

Trust: 0.7

db: CNVD, id: CNVD-2024-33908

Trust: 0.6

sources: ZDI: ZDI-23-498 // CNVD: CNVD-2024-33908 // NVD: CVE-2023-27367

REFERENCES

url: https://kb.netgear.com/000065619/security-advisory-for-multiple-vulnerabilities-on-the-rax30-psv-2022-0348

Trust: 1.7

url: https://www.zerodayinitiative.com/advisories/zdi-23-498/

Trust: 1.0

url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2023-27367

Trust: 0.6

sources: ZDI: ZDI-23-498 // CNVD: CNVD-2024-33908 // NVD: CVE-2023-27367

CREDITS

Claroty Research - Vera Mens, Noam Moshe, Uri Katz, Sharon Brizinov

Trust: 0.7

sources: ZDI: ZDI-23-498

SOURCES

db: ZDI, id: ZDI-23-498
db: CNVD, id: CNVD-2024-33908
db: NVD, id: CVE-2023-27367

LAST UPDATE DATE

2024-08-14T13:52:32.310000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-23-498, date: 2023-05-01T00:00:00
db: CNVD, id: CNVD-2024-33908, date: 2024-07-30T00:00:00
db: NVD, id: CVE-2023-27367, date: 2024-05-03T12:50:34.250

SOURCES RELEASE DATE

db: ZDI, id: ZDI-23-498, date: 2023-05-01T00:00:00
db: CNVD, id: CNVD-2024-33908, date: 2024-07-25T00:00:00
db: NVD, id: CVE-2023-27367, date: 2024-05-03T02:15:15.250