NETGEAR RAX30 USB Share Link Following Information Disclosure Vulnerability
CVE-2023-34283
4.6 MEDIUM
Summary
A significant information disclosure vulnerability has been identified in NETGEAR RAX30 routers, stemming from the improper handling of symbolic links on removable USB devices. A physically present attacker can create symbolic links on such a device that cause the router's web server to follow them and reveal arbitrary local files. No authentication is required, which magnifies the risk: anyone with physical access can potentially leverage this vulnerability to access sensitive information in the context of root. For more information, refer to the advisories from the Zero Day Initiative and NETGEAR's security resources.
Affected Version(s)
RAX30 1.0.9.92_1
References
CVSS V3.1
Score: 4.6
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved