Researchers at security and compliance assessment firm Onekey warn of arbitrary code execution via FunJSQ, a third-party module developed by Xiamen Xunwang Network Technology for online game acceleration, which impacts multiple Netgear router models.
The FunJSQ module is used in various Netgear routers and Orbi WiFi systems. The issues affecting it were discovered in May 2022 and are now fixed. Analyzing various firmware, the researchers found the flawed module in NETGEAR devices (R9000, R7800, RAX200, RAX120, R6230, R6260, RAX40) and some Orbi WiFi Systems (RBR20, RBS20, RBR50, RBS50).
The update process relies on unsigned packages that are validated on the device using only a hash checksum. Experts also discovered that the module doesn’t use secure communication for the update process, which means that an attacker can tamper with the update packages.
The issue related to the insecure update mechanism was tracked as CVE-2022-40620, while the unauthenticated command injection flaw was tracked as CVE-2022-40619.
“All of these combined can lead to arbitrary code execution from the WAN interface,” reads the analysis published by Onekey.
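The update weakness described above comes down to the difference between an integrity check and an authenticity check. The following Go sketch is an added example, not code from Onekey, Netgear or the FunJSQ module: the `Update` type, its field names, the sample payloads and the choice of Ed25519 are all assumptions made for illustration. It shows that a checksum delivered over the same untrusted channel as the package still matches after the package is modified, while a signature checked against a key pinned on the device does not.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Update models what a device downloads (hypothetical layout, not FunJSQ's).
type Update struct {
	Package  []byte
	Checksum [32]byte // SHA-256 delivered alongside the package
	Sig      []byte   // vendor signature over the package
}

// acceptHashOnly mirrors the weak design: the checksum travels with the
// package, so it detects accidental corruption but not deliberate changes.
func acceptHashOnly(u Update) bool {
	sum := sha256.Sum256(u.Package)
	return bytes.Equal(sum[:], u.Checksum[:])
}

// acceptSigned requires a valid signature under a public key pinned on the device.
func acceptSigned(u Update, vendorPub ed25519.PublicKey) bool {
	return ed25519.Verify(vendorPub, u.Package, u.Sig)
}

// modifiedInTransit models a changed package: whoever alters the payload can
// recompute the checksum, but cannot produce a new signature without the
// vendor's private key, so the old signature is all that is available.
func modifiedInTransit(u Update, payload []byte) Update {
	return Update{Package: payload, Checksum: sha256.Sum256(payload), Sig: u.Sig}
}

// demo runs both checks on a genuine and a modified update (constructed data).
func demo() (genuineHash, genuineSig, modifiedHash, modifiedSig bool) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize) // constructed test key
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)

	pkg := []byte("constructed update payload v1")
	genuine := Update{Package: pkg, Checksum: sha256.Sum256(pkg), Sig: ed25519.Sign(priv, pkg)}
	modified := modifiedInTransit(genuine, []byte("constructed modified payload"))

	return acceptHashOnly(genuine), acceptSigned(genuine, pub),
		acceptHashOnly(modified), acceptSigned(modified, pub)
}

func main() {
	fmt.Println(demo())
}
```

The signature check gives the same answer whether or not the download channel is encrypted, which is why signed packages remain the primary control even when transport security is also added.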