CVE-2022-24655

7.8 HIGH

📋 TL;DR

A stack overflow vulnerability in the upnpd service of affected Netgear devices allows unauthenticated attackers to execute arbitrary code remotely. This affects Netgear EX6100v1, CAX80, and DC112A devices with specific vulnerable firmware versions. Attackers can potentially take full control of the device without any authentication.

💻 Affected Systems

Products:
  • Netgear EX6100v1
  • Netgear CAX80
  • Netgear DC112A
Versions: EX6100v1 201.0.2.28, CAX80 2.1.2.6, DC112A 1.0.0.62
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: upnpd service runs by default on these devices and is network-accessible

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing attackers to install persistent malware, pivot to internal networks, or use the device as part of a botnet

🟠 Likely Case

Device takeover for credential theft, network reconnaissance, or launching attacks against other systems

🟢 If Mitigated

Limited impact if the device is isolated or has additional network controls, but still vulnerable to local network attacks

🌐 Internet-Facing: HIGH - upnpd service is often exposed and vulnerable to remote unauthenticated exploitation
🏢 Internal Only: HIGH - Even internally, the vulnerability requires no authentication and can be exploited by any network-accessible attacker

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept exists on GitHub, making exploitation straightforward for attackers with basic skills

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Netgear security advisory for latest patched versions

Vendor Advisory: https://kb.netgear.com/000064615/Security-Advisory-for-Pre-Authentication-Command-Injection-on-EX6100v1-and-Pre-Authentication-Stack-Overflow-on-Multiple-Products-PSV-2021-0282-PSV-2021-0288

Restart Required: Yes

Instructions:

1. Log into the Netgear device admin interface
2. Check for firmware updates
3. Download and install the latest firmware
4. Reboot the device after the update

🔧 Temporary Workarounds

Disable UPnP service (applies to: all)

Turn off the Universal Plug and Play service to remove the attack surface

Access device web interface -> Advanced -> UPnP -> Disable

Network segmentation (applies to: all)

Isolate affected devices on a separate VLAN with strict firewall rules

🧯 If You Can't Patch

  • Disconnect device from network or place behind strict firewall blocking all inbound traffic
  • Replace device with updated model or different vendor product

🔍 How to Verify

Check if Vulnerable:

Check firmware version in device admin interface against vulnerable versions listed

Check Version:

Access device web interface -> Advanced -> Administration -> Firmware Update to view current version

Verify Fix Applied:

Verify firmware version is updated beyond vulnerable versions and UPnP service is disabled if possible

📡 Detection & Monitoring

Log Indicators:

  • Multiple connection attempts to upnpd port (typically 1900/udp or 5000/tcp)
  • Unusual process execution or memory errors in system logs

Network Indicators:

  • Unusual traffic patterns to/from affected devices
  • Exploit payload patterns in network traffic

SIEM Query:

source_ip=* AND dest_port IN (1900, 5000) AND protocol IN (udp, tcp) AND bytes_sent > threshold

(Pseudo-query: adapt the field names to your SIEM's schema and replace "threshold" with a byte count tuned to normal SSDP/UPnP traffic on your network.)
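The log and SIEM indicators above can be turned into a concrete check. The following is an added example, not code from the advisory or from Netgear: it parses constructed key=value firewall log lines and flags any source that repeatedly connects to the upnpd ports (1900/udp, 5000/tcp) on an affected device within a short window, or that sends an unusually large request to those ports. The log format, the device addresses, the thresholds and the window are all assumptions chosen for illustration.

```python
"""Detection logic for the upnpd log indicators (added example, not part of the advisory).

Flags sources that (a) make repeated connection attempts to 1900/udp or 5000/tcp on an
affected device inside a sliding window, or (b) send an oversized request to those ports.
The log format, addresses and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the advisory's log indicators: SSDP discovery (1900/udp) and the
# upnpd HTTP/SOAP listener (5000/tcp).
UPNP_PORTS = {("udp", 1900), ("tcp", 5000)}

# Constructed inventory of affected Netgear devices (hypothetical addresses).
AFFECTED_DEVICES = {"192.0.2.10", "192.0.2.11"}

# Constructed key=value firewall log line format (assumption, not a real vendor format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample log: a normal LAN host doing SSDP discovery, a noisy host hammering
# the upnpd port and sending one oversized request, a line to an unaffected device,
# and a malformed line.
SAMPLE_LOG = [
    "2024-01-01T10:00:00 src=192.0.2.50 dst=192.0.2.10 proto=udp dport=1900 bytes=210",
    "2024-01-01T10:00:05 src=192.0.2.50 dst=192.0.2.10 proto=udp dport=1900 bytes=215",
    "2024-01-01T10:00:10 src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=5000 bytes=300",
    "2024-01-01T10:00:12 src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=5000 bytes=300",
    "2024-01-01T10:00:14 src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=5000 bytes=300",
    "2024-01-01T10:00:16 src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=5000 bytes=300",
    "2024-01-01T10:00:18 src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=5000 bytes=4096",
    "2024-01-01T10:00:20 src=198.51.100.7 dst=192.0.2.99 proto=tcp dport=5000 bytes=300",
    "garbage line that does not match the format",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"].lower(),
        "dport": int(m["dport"]),
        "bytes": int(m["bytes"]),
    }


def find_suspicious(lines, attempts_threshold=5, window=timedelta(minutes=1), bytes_threshold=2048):
    """Return a sorted list of (source, reason) findings over the given log lines."""
    recent = defaultdict(list)  # source -> timestamps of upnpd hits inside the window
    findings = set()
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue  # unparseable line: skip rather than crash the detector
        if ev["dst"] not in AFFECTED_DEVICES or (ev["proto"], ev["dport"]) not in UPNP_PORTS:
            continue  # only traffic to upnpd ports on affected devices is of interest
        if ev["bytes"] > bytes_threshold:
            findings.add((ev["src"], f"oversized request to {ev['dst']}:{ev['dport']}/{ev['proto']}"))
        hist = recent[ev["src"]]
        hist.append(ev["ts"])
        # Drop hits that have fallen out of the sliding window.
        while hist and ev["ts"] - hist[0] > window:
            hist.pop(0)
        if len(hist) >= attempts_threshold:
            findings.add((ev["src"], f"{attempts_threshold}+ upnpd connection attempts within {window}"))
    return sorted(findings)


if __name__ == "__main__":
    for src, reason in find_suspicious(SAMPLE_LOG):
        print(f"{src}: {reason}")
```

The sliding window is what separates benign SSDP discovery (a couple of packets to 1900/udp) from a host repeatedly poking the upnpd listener; the byte-size check is the same idea as the `bytes_sent > threshold` clause in the SIEM query, applied per event so a single large request is reported on its own.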

🔗 References
