A cleartext transmission vulnerability exists in the Remote Management functionality of Netgear Orbi Router RBR750 22.214.171.124. A specially crafted man-in-the-middle attack can lead to a disclosure of sensitive information.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Netgear Orbi Router RBR750 126.96.36.199
Orbi Router RBR750 - https://www.netgear.com/support/product/RBR750
6.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE-311 - Missing Encryption of Sensitive Data
The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.
An option exists in the Web Services Management tool to “Always use HTTPS to access the router”. However, if a user browses to http://<router_ip>/, they are prompted for credentials before being redirected to HTTPS, and the redirect proceeds only if the credentials are valid. The credentials are therefore submitted over unencrypted HTTP, where a man-in-the-middle can read them. Once redirected to HTTPS, the user is prompted again for authentication, this time over HTTPS.
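The following is an added example, not part of the advisory or of Netgear's code: a Python check that a router owner can run to see whether plain HTTP still asks for credentials before redirecting to HTTPS. It assumes the prompt is either an HTTP authentication challenge (401 with WWW-Authenticate) or an HTML password form, since the advisory does not say which; the function names and sample responses are constructed for illustration.

```python
import http.client
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _PasswordFieldFinder(HTMLParser):
    """Flags HTML that contains an <input type="password"> field."""

    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.found = True


def classify_http_response(status, headers, body=""):
    """Classify the first plain-HTTP response from a management interface."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401 and "www-authenticate" in h:
        return "cleartext-credential-prompt"  # login challenge served over HTTP
    if status in (301, 302, 303, 307, 308):
        # A relative Location has no scheme, so the client stays on HTTP.
        scheme = urlsplit(h.get("location", "")).scheme.lower()
        return "redirects-to-https" if scheme == "https" else "redirect-stays-on-http"
    finder = _PasswordFieldFinder()
    finder.feed(body)
    return "cleartext-login-form" if finder.found else "no-credential-prompt"


def probe(host, port=80, timeout=5):
    """Send one unauthenticated GET / over HTTP; http.client never follows redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1")
        return classify_http_response(resp.status, dict(resp.getheaders()), body)
    finally:
        conn.close()


# Constructed sample responses (not captured from a device).
SAMPLES = {
    "challenge": (401, {"WWW-Authenticate": 'Basic realm="constructed"'}, ""),
    "redirect": (301, {"Location": "https://192.0.2.1/"}, ""),
}
```

Calling `probe("<router_ip>")` with “Always use HTTPS to access the router” enabled should return `redirects-to-https`; either `cleartext-*` result means the login prompt is still being served over HTTP.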
2022-08-30 - Initial Vendor Contact
2022-09-05 - Vendor Disclosure
2023-01-19 - Vendor Patch Release
2023-03-21 - Public Release
Discovered by Dave McDaniel of Cisco Talos.