CVE-2019-12511

Name of the Vulnerable Software and Affected Versions: NETGEAR Nighthawk X10-R9000 versions prior to 1.0.4.26

Description: The issue allows an attacker to execute arbitrary system commands as root by sending a specially-crafted MAC address to the "NETGEAR Genie" SOAP endpoint at AdvancedQoS:GetCurrentBandwidthByMAC. This requires QoS and advanced QoS to be enabled, and a valid authentication JWT. However, additional vulnerabilities allow an attacker to interact with the entire SOAP API without authentication. DNS rebinding techniques may be used to exploit this issue remotely. The payload has several limitations, including a 17 character limit, the need for at least one colon, a single-quote and meta-character to break out of the existing command, and the requirement for all-caps. Despite these limitations, it is possible to gain access to an interactive root shell.

Recommendations: For NETGEAR Nighthawk X10-R9000 versions prior to 1.0.4.26, update to version 1.0.4.26 or later to resolve the issue. As a temporary workaround, consider disabling the AdvancedQoS:GetCurrentBandwidthByMAC endpoint until a patch is available. Restrict access to the NETGEAR Genie SOAP API to minimize the risk of exploitation. Avoid using the AdvancedQoS:GetCurrentBandwidthByMAC endpoint until the issue is resolved.