Pierluigi Paganini September 18, 2022

Multiple Netgear router models are impacted by an arbitrary code execution via FunJSQ, which is a third-party module for online game acceleration.

Researchers at security and compliance assessment firm Onekey warns of an arbitrary code execution via FunJSQ, which is a third-party module developed by Xiamen Xunwang Network Technology for online game acceleration, that impacts multiple Netgear router models.

The FunJSQ module is used in various Netgear routers and Orbi WiFi systems, the issues affecting it were discovered in May 2022 and are now fixed. The analysis of various firmware allowed the researchers to discover the presence of the flawed module in NETGEAR devices (R9000, R7800, RAX200, RAX120, R6230, R6260, RAX40) and some Orbi WiFi Systems (RBR20, RBS20, RBR50, RBS50). 

“Back in May 2022, we discovered FunJSQ, a third-party gaming speed-improvement service by China-based Xiamen Xunwang Network Technology Co., Ltd., present in the majority of NETGEAR firmware images in our corpus.” reads the post published by the experts. “The plot thickened as we dug more into it and we ended up performing full-on vulnerability research against it. We identified multiple issues affecting this third-party component that could lead to arbitrary code execution from LAN and WAN interfaces.”

The experts discovered the following inssued while analyzing the firmware used by the NETGEAR R7000.

• insecure communications due to explicit disabling of certificate validation (-k), which allows us to tamper with data returned from the server
• update packages are simply validated via a hash checksum, packages are not signed in any way
• arbitrary extraction to the root path with elevated privileges, allowing whoever controls the update package to overwrite anything anywhere on the device (which puts a lot of trust in a third party supplier)

Basically the overall update process relies on unsigned packages that are validated on the device using a hash checksum only. Experts also discovered that the module doesn’t rely on secure communication for the update process, which means that an attacker can tamper with the update packages.

The issue related to the insecure update mechanism was tracked as CVE-2022-40620, while the unauthenticated command injection flaw was tracked as CVE-2022-40619.

“All of these combined can lead to arbitrary code execution from the WAN interface.” reads the analysis published by Onekey.

NETGEAR, which fixed the issue in June, pointed out that the vulnerabilities could be exploited only by an attacker with the knowledge of the victim’s WiFi password or an Ethernet connection to the victim’s router.

“NETGEAR is aware of vulnerabilities in FunJSQ, a third-party module integrated on some routers and Orbi WiFi Systems. This vulnerability requires an attacker to have your WiFi password or an Ethernet connection to your router to be exploited.” reads the advisory published by NETGEAR.

Users are recommended to update their devices as soon as possible.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, NETGEAR)

[adrotate banner=”5″]

[adrotate banner=”13″]