CVE-2023-0862
📋 TL;DR
Authenticated users can exploit path traversal vulnerabilities in NetModule NSRW web administration interface to upload malicious files to the web root directory, leading to remote command execution with elevated privileges. This affects NSRW devices running vulnerable firmware versions. Attackers could gain full control of affected devices.
💻 Affected Systems
- NetModule NSRW
⚠️ Risk & Real-World Impact
Worst Case
Full device compromise with administrative privileges, allowing attackers to steal credentials, pivot to internal networks, deploy ransomware, or create persistent backdoors.
Likely Case
Attackers gain shell access to the device, enabling data exfiltration, network reconnaissance, and lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation and access controls prevent authenticated attackers from reaching the interface.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. Path traversal to arbitrary file upload is a well-understood attack pattern.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.3.0.119, 4.4.0.118, 4.6.0.105, 4.7.0.103
Vendor Advisory: https://share.netmodule.com/public/system-software/4.7/4.7.0.103/NRSW-RN-4.7.0.103.pdf
Restart Required: Yes
Instructions:
1. Download the appropriate patched firmware version from NetModule's support portal.
2. Back up the current configuration.
3. Upload and install the firmware update via the web interface.
4. Reboot the device.
5. Verify the new firmware version is running.
🔧 Temporary Workarounds
Restrict Web Interface Access
Limit access to the web administration interface to trusted IP addresses only using firewall rules.
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Disable Web Interface
Temporarily disable the web administration interface if remote management is not required.
systemctl stop httpd
systemctl disable httpd
🧯 If You Can't Patch
- Implement strict network segmentation to isolate NSRW devices from critical networks.
- Enforce strong authentication policies and monitor for suspicious login attempts to the web interface.
🔍 How to Verify
Check if Vulnerable:
Check the firmware version in the web interface under System > Information. Compare against affected version ranges.
Check Version:
curl -k https://DEVICE_IP/api/system/info | grep version
Verify Fix Applied:
Verify that the firmware version matches or exceeds the patched version for its release line: 4.3.0.119, 4.4.0.118, 4.6.0.105, or 4.7.0.103.
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload activity in web server logs
- Multiple failed authentication attempts followed by successful login
- Suspicious POST requests to file upload endpoints with path traversal patterns
Network Indicators:
- Unexpected outbound connections from NSRW devices
- Traffic to known malicious IPs or domains
SIEM Query:
source="nsrw_web_logs" AND (uri="*../*" OR (method="POST" AND uri="*/upload*" AND status=200))
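The same two conditions as the query above, run over web log lines offline. This is an added example, not NetModule or vendor code; it also percent-decodes the URI before matching, so encoded dot segments are caught as well as the literal "../". The log format (combined-log style), the /admin/upload path and the dir parameter are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: combined-log-style lines; the page does not give the device's real log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." as a whole path or parameter segment, with either slash direction.
DOT_SEGMENT_RE = re.compile(r'(?:^|[/\\?=&])\.\.(?:[/\\&]|$)')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e%2f and %252e%252e%252f both surface."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (ip, reasons) for a suspicious request, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw_uri = m["uri"]
    uri = decode_fully(raw_uri)
    reasons = []
    if DOT_SEGMENT_RE.search(uri):
        reasons.append("traversal" if uri == raw_uri else "encoded-traversal")
    is_upload = m["method"] == "POST" and "/upload" in urlsplit(uri).path
    if is_upload and m["status"].startswith("2"):
        reasons.append("upload-accepted")
    return (m["ip"], reasons) if reasons else None

# Constructed sample lines; paths and parameters are hypothetical.
SAMPLE = [
    '192.0.2.10 - admin [01/Mar/2023:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - admin [01/Mar/2023:10:01:00 +0000] "POST /admin/upload?dir=../../www HTTP/1.1" 200 64',
    '198.51.100.7 - admin [01/Mar/2023:10:02:00 +0000] "POST /admin/upload?dir=%252e%252e%252fwww HTTP/1.1" 403 64',
    '192.0.2.10 - admin [01/Mar/2023:10:03:00 +0000] "POST /admin/upload?dir=firmware HTTP/1.1" 200 64',
    '192.0.2.10 - admin [01/Mar/2023:10:04:00 +0000] "GET /docs/v1..2/notes.txt HTTP/1.1" 200 64',
]

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE):
        print(ip, ",".join(reasons))
```

A request flagged with both a traversal reason and upload-accepted is the combination to triage first; upload-accepted alone also fires on routine uploads.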
🔗 References
- https://onekey.com/blog/security-advisory-netmodule-multiple-vulnerabilities/
- https://share.netmodule.com/public/system-software/4.7/4.7.0.103/NRSW-RN-4.7.0.103.pdf