Netgear addressed a pre-authentication buffer overflow issue in its small office/home office (SOHO) devices that can be exploited by an attacker on the local area network (LAN) to execute code remotely with root privileges.
The flaw, tracked as CVE-2021-34991 (CVSS score of 8.8), resides in the device’s Universal Plug-and-Play (UPnP) upnpd daemon functions related to the handling of “unauthenticated HTTP SUBSCRIBE and UNSUBSCRIBE requests from clients that wish to receive updates whenever the network’s UPnP configuration changes.”
The vulnerability was discovered by GRIMM researchers who also created a PoC exploit to compromise fully patched Netgear devices in the default configuration.
“This stack overflow is a traditional stack overflow that is not protected by any modern vulnerability mitigations.” reads the post published by GRIMM. “However, exploitation of this stack overflow is complicated by a few factors:
While the first limitation can be easily avoided by carefully choosing gadgets, the second limitation is much more difficult to bypass.”
Below is the list of impacted Netgear SOHO devices that includes routers, modems, and WiFi range extenders:
Vulnerable Devices | ||
---|---|---|
AC1450 – 1.0.0.36 | D6220 – 1.0.0.72 | D6300 – 1.0.0.102 |
D6400 – 1.0.0.104 | D7000v2 – 1.0.0.66 | D8500 – 1.0.3.60 |
DC112A – 1.0.0.56 | DGN2200v4 – 1.0.0.116 | DGN2200M – 1.0.0.35 |
DGND3700v1 – 1.0.0.17 | EX3700 – 1.0.0.88 | EX3800 – 1.0.0.88 |
EX3920 – 1.0.0.88 | EX6000 – 1.0.0.44 | EX6100 – 1.0.2.28 |
EX6120 – 1.0.0.54 | EX6130 – 1.0.0.40 | EX6150 – 1.0.0.46 |
EX6920 – 1.0.0.54 | EX7000 – 1.0.1.94 | MVBR1210C – 1.2.0.35BM |
R4500 – 1.0.0.4 | R6200 – 1.0.1.58 | R6200v2 – 1.0.3.12 |
R6250 – 1.0.4.48 | R6300 – 1.0.2.80 | R6300v2 – 1.0.4.52 |
R6400 – 1.0.1.72 | R6400v2 – 1.0.4.106 | R6700 – 1.0.2.16 |
R6700v3 – 1.0.4.118 | R6900 – 1.0.2.16 | R6900P – 1.3.2.134 |
R7000 – 1.0.11.123 | R7000P – 1.3.2.134 | R7300DST – 1.0.0.74 |
R7850 – 1.0.5.68 | R7900 – 1.0.4.38 | R8000 – 1.0.4.68 |
R8300 – 1.0.2.144 | R8500 – 1.0.2.136 | RS400 – 1.5.0.68 |
WGR614v9 – 1.2.32 | WGT624v4 – 2.0.13 | WNDR3300v1 – 1.0.45 |
WNDR3300v2 – 1.0.0.26 | WNDR3400v1 – 1.0.0.52 | WNDR3400v2 – 1.0.0.54 |
WNDR3400v3 – 1.0.1.38 | WNDR3700v3 – 1.0.0.42 | WNDR4000 – 1.0.2.10 |
WNDR4500 – 1.0.1.46 | WNDR4500v2 – 1.0.0.72 | WNR834Bv2 – 2.1.13 |
WNR1000v3 – 1.0.2.78 | WNR2000v2 – 1.2.0.12 | WNR3500 – 1.0.36NA |
WNR3500v2 – 1.2.2.28NA | WNR3500L – 1.2.2.48NA | WNR3500Lv2 – 1.2.0.66 |
XR300 – 1.0.3.56 |
Netgear released security patches that fix the vulnerability in multiple devices and announced that it is testing additional firmware fixes.
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Netgear)
[adrotate banner=”5″]
[adrotate banner=”13″]