CVE-2023-27357
📋 TL;DR
This vulnerability allows network-adjacent attackers to access sensitive information from NETGEAR RAX30 routers without authentication. The flaw exists in SOAP request handling where authentication checks are missing. Only NETGEAR RAX30 router users are affected.
💻 Affected Systems
- NETGEAR RAX30
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could obtain router credentials, network configuration details, or other sensitive data that could lead to full network compromise, man-in-the-middle attacks, or lateral movement.
Likely Case
Local network attackers would gain access to router information that could be used for reconnaissance or to facilitate other attacks against the network.
If Mitigated
With proper network segmentation and firewall rules, the impact is limited to information disclosure from the router itself.
🎯 Exploit Status
Exploitation requires network adjacency but no authentication. The vulnerability is well-documented with public proof-of-concept available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V1.0.10.94 or later
Vendor Advisory: https://kb.netgear.com/000065619/Security-Advisory-for-Multiple-Vulnerabilities-on-the-RAX30-PSV-2022-0348
Restart Required: Yes
Instructions:
1. Log into the router admin interface.
2. Navigate to Advanced > Administration > Firmware Update.
3. Check for updates and install V1.0.10.94 or later.
4. Reboot the router after the update completes.
🔧 Temporary Workarounds
Disable remote management
- Disables web-based administration from the local network
- Navigate to Advanced > Administration > Remote Management and disable
Network segmentation
- Isolate router management interface from general network traffic
- Configure VLANs to separate management traffic from user traffic
🧯 If You Can't Patch
- Place router behind additional firewall with strict access controls
- Monitor network traffic for suspicious SOAP requests to router management interface
🔍 How to Verify
Check if Vulnerable:
Check router firmware version in admin interface under Advanced > Administration > Firmware Update
Check Version:
Not applicable - check via web interface
Verify Fix Applied:
Confirm firmware version is V1.0.10.94 or later in router admin interface
📡 Detection & Monitoring
Log Indicators:
- Unusual SOAP requests to router management interface
- Multiple failed authentication attempts followed by successful information requests
Network Indicators:
- SOAP requests to router IP on management ports without preceding authentication
- Information disclosure patterns in network traffic
SIEM Query:
source_ip=local_network AND dest_ip=router_ip AND (protocol=http OR protocol=https) AND uri_contains="SOAP" AND NOT user_agent="browser"
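The SIEM query above is pseudo-syntax; the following is an added example (not part of the advisory or of any NETGEAR tooling) that applies the same rule to web-access log lines so the logic can be checked offline. It assumes a constructed key=value log format with fields src, dst, proto, uri, ua and auth, and the router address, LAN prefix and browser user-agent heuristic are assumptions you would replace with your own values. Going slightly beyond the query, it also tracks whether a source was seen authenticating earlier, so the "without preceding authentication" network indicator is reported separately from a merely non-browser SOAP client.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

ROUTER_IP = "192.168.1.1"        # assumption: the router's LAN management address
LOCAL_NET_PREFIX = "192.168.1."  # assumption: the local network range
# Heuristic (assumption): user agents that look like interactive browsers.
BROWSER_UA = re.compile(r"mozilla|chrome|safari|firefox|edg", re.I)
# Parser for the constructed log format: key=value or key="quoted value".
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass(frozen=True)
class Alert:
    src_ip: str
    uri: str
    reason: str


def parse_line(line: str) -> dict[str, str]:
    """Parse one constructed key=value access-log line into a dict."""
    out: dict[str, str] = {}
    for m in FIELD.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        out[key] = quoted if quoted is not None else raw
    return out


def detect(lines: Iterable[str]) -> list[Alert]:
    """Apply the advisory's SIEM rule to a stream of log lines, in order.

    Flags HTTP(S) requests from the local network to the router whose URI
    mentions SOAP and whose client is not a browser.  Sources that were
    seen authenticating earlier get a lower-severity reason.
    """
    authenticated_sources: set[str] = set()
    alerts: list[Alert] = []
    for line in lines:
        ev = parse_line(line)
        if not ev:
            continue
        src, dst = ev.get("src", ""), ev.get("dst", "")
        if ev.get("auth") == "1":
            authenticated_sources.add(src)  # remember who logged in
            continue
        if not src.startswith(LOCAL_NET_PREFIX) or dst != ROUTER_IP:
            continue
        if ev.get("proto", "") not in ("http", "https"):
            continue
        if "soap" not in ev.get("uri", "").lower():
            continue
        if BROWSER_UA.search(ev.get("ua", "")):
            continue
        if src in authenticated_sources:
            reason = "soap-request-non-browser-client"
        else:
            reason = "soap-request-without-prior-auth"
        alerts.append(Alert(src, ev["uri"], reason))
    return alerts


# Constructed sample log; addresses, URIs and user agents are made up.
SAMPLE_LOG = [
    'src=192.168.1.20 dst=192.168.1.1 proto=https method=GET uri=/ ua="Mozilla/5.0 (X11) Firefox/115.0" auth=1',
    'src=192.168.1.20 dst=192.168.1.1 proto=https method=POST uri=/soap/example ua="Mozilla/5.0 (X11) Firefox/115.0" auth=1',
    'src=192.168.1.77 dst=192.168.1.1 proto=http method=POST uri=/soap/example ua="python-requests/2.31" auth=0',
    'src=192.168.1.77 dst=192.168.1.1 proto=http method=POST uri=/soap/example ua="curl/8.0" auth=0',
    'src=10.0.0.5 dst=192.168.1.1 proto=http method=POST uri=/soap/example ua="curl/8.0" auth=0',
    'src=192.168.1.20 dst=192.168.1.1 proto=https method=GET uri=/index.html ua="Mozilla/5.0" auth=0',
    'src=192.168.1.20 dst=192.168.1.1 proto=https method=POST uri=/soap/example ua="python-requests/2.31" auth=0',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert.reason}: {alert.src_ip} -> {alert.uri}")
```

The off-LAN source (10.0.0.5) is ignored because the rule is about network-adjacent traffic; it would be caught by the separate "remote management" controls, not this query. Order matters: a source counts as authenticated only for lines after its login record, which is why the lines are processed as a stream rather than as a set.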
🔗 References
- https://kb.netgear.com/000065619/Security-Advisory-for-Multiple-Vulnerabilities-on-the-RAX30-PSV-2022-0348
- https://www.zerodayinitiative.com/advisories/ZDI-23-497/