Netgear fixes code execution flaw in many SOHO devices

Netgear addressed a code execution vulnerability, tracked as CVE-2021-34991, in its small office/home office (SOHO) devices.

Netgear addressed a pre-authentication buffer overflow issue in its small office/home office (SOHO) devices that can be exploited by an attacker on the local area network (LAN) to execute code remotely with root privileges.

The flaw, tracked as CVE-2021-34991 (CVSS score of 8.8), resides in the device’s Universal Plug-and-Play (UPnP) upnpd daemon functions related to the handling of “unauthenticated HTTP SUBSCRIBE and UNSUBSCRIBE requests from clients that wish to receive updates whenever the network’s UPnP configuration changes.”

The vulnerability was discovered by GRIMM researchers who also created a PoC exploit to compromise fully patched Netgear devices in the default configuration.

“This stack overflow is a traditional stack overflow that is not protected by any modern vulnerability mitigations.” reads the post published by GRIMM. “However, exploitation of this stack overflow is complicated by a few factors:

1. Prior to overflowing the stack, the buffer with the user’s input is converted to lowercase. As a result, the exploit cannot use any gadgets which contain bytes with capital letters (ASCII 0x41-0x5A).
2. The copy which overflows the stack is a string copy. As such, it will stop copying characters if it encounters a NULL character. Thus, the exploit cannot include gadgets with NULL bytes.

While the first limitation can be easily avoided by carefully choosing gadgets, the second limitation is much more difficult to bypass.”

Below is the list of impacted Netgear SOHO devices that includes routers, modems, and WiFi range extenders:

Vulnerable Devices
AC1450 – 1.0.0.36	D6220 – 1.0.0.72	D6300 – 1.0.0.102
D6400 – 1.0.0.104	D7000v2 – 1.0.0.66	D8500 – 1.0.3.60
DC112A – 1.0.0.56	DGN2200v4 – 1.0.0.116	DGN2200M – 1.0.0.35
DGND3700v1 – 1.0.0.17	EX3700 – 1.0.0.88	EX3800 – 1.0.0.88
EX3920 – 1.0.0.88	EX6000 – 1.0.0.44	EX6100 – 1.0.2.28
EX6120 – 1.0.0.54	EX6130 – 1.0.0.40	EX6150 – 1.0.0.46
EX6920 – 1.0.0.54	EX7000 – 1.0.1.94	MVBR1210C – 1.2.0.35BM
R4500 – 1.0.0.4	R6200 – 1.0.1.58	R6200v2 – 1.0.3.12
R6250 – 1.0.4.48	R6300 – 1.0.2.80	R6300v2 – 1.0.4.52
R6400 – 1.0.1.72	R6400v2 – 1.0.4.106	R6700 – 1.0.2.16
R6700v3 – 1.0.4.118	R6900 – 1.0.2.16	R6900P – 1.3.2.134
R7000 – 1.0.11.123	R7000P – 1.3.2.134	R7300DST – 1.0.0.74
R7850 – 1.0.5.68	R7900 – 1.0.4.38	R8000 – 1.0.4.68
R8300 – 1.0.2.144	R8500 – 1.0.2.136	RS400 – 1.5.0.68
WGR614v9 – 1.2.32	WGT624v4 – 2.0.13	WNDR3300v1 – 1.0.45
WNDR3300v2 – 1.0.0.26	WNDR3400v1 – 1.0.0.52	WNDR3400v2 – 1.0.0.54
WNDR3400v3 – 1.0.1.38	WNDR3700v3 – 1.0.0.42	WNDR4000 – 1.0.2.10
WNDR4500 – 1.0.1.46	WNDR4500v2 – 1.0.0.72	WNR834Bv2 – 2.1.13
WNR1000v3 – 1.0.2.78	WNR2000v2 – 1.2.0.12	WNR3500 – 1.0.36NA
WNR3500v2 – 1.2.2.28NA	WNR3500L – 1.2.2.48NA	WNR3500Lv2 – 1.2.0.66
XR300 – 1.0.3.56

Netgear released security patches that fix the vulnerability in multiple devices and announced that it is testing additional firmware fixes.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Netgear)

[adrotate banner=”5″]

[adrotate banner=”13″]