Netgear fixes code execution flaw in many SOHO devices

Netgear addressed a code execution vulnerability, tracked as CVE-2021-34991, in its small office/home office (SOHO) devices.

Netgear addressed a pre-authentication buffer overflow issue in its small office/home office (SOHO) devices that can be exploited by an attacker on the local area network (LAN) to execute code remotely with root privileges.

The flaw, tracked as CVE-2021-34991 (CVSS score of 8.8), resides in the device’s Universal Plug-and-Play (UPnP) upnpd daemon functions related to the handling of “unauthenticated HTTP SUBSCRIBE and UNSUBSCRIBE requests from clients that wish to receive updates whenever the network’s UPnP configuration changes.”

The vulnerability was discovered by GRIMM researchers who also created a PoC exploit to compromise fully patched Netgear devices in the default configuration.

“This stack overflow is a traditional stack overflow that is not protected by any modern vulnerability mitigations.” reads the post published by GRIMM. “However, exploitation of this stack overflow is complicated by a few factors:

Prior to overflowing the stack, the buffer with the user’s input is converted to lowercase. As a result, the exploit cannot use any gadgets which contain bytes with capital letters (ASCII 0x41-0x5A).The copy which overflows the stack is a string copy. As such, it will stop copying characters if it encounters a NULL character. Thus, the exploit cannot include gadgets with NULL bytes.

While the first limitation can be easily avoided by carefully choosing gadgets, the second limitation is much more difficult to bypass.”

Below is the list of impacted Netgear SOHO devices that includes routers, modems, and WiFi range extenders:

Vulnerable DevicesAC1450 – 1.0.0.36D6220 – 1.0.0.72D6300 – 1.0.0.102D6400 – 1.0.0.104D7000v2 – 1.0.0.66D8500 – 1.0.3.60DC112A – 1.0.0.56DGN2200v4 – 1.0.0.116DGN2200M – 1.0.0.35DGND3700v1 – 1.0.0.17EX3700 – 1.0.0.88EX3800 – 1.0.0.88EX3920 – 1.0.0.88EX6000 – 1.0.0.44EX6100 – 1.0.2.28EX6120 – 1.0.0.54EX6130 – 1.0.0.40EX6150 – 1.0.0.46EX6920 – 1.0.0.54EX7000 – 1.0.1.94MVBR1210C – 1.2.0.35BMR4500 – 1.0.0.4R6200 – 1.0.1.58R6200v2 – 1.0.3.12R6250 – 1.0.4.48R6300 – 1.0.2.80R6300v2 – 1.0.4.52R6400 – 1.0.1.72R6400v2 – 1.0.4.106R6700 – 1.0.2.16R6700v3 – 1.0.4.118R6900 – 1.0.2.16R6900P – 1.3.2.134R7000 – 1.0.11.123R7000P – 1.3.2.134R7300DST – 1.0.0.74R7850 – 1.0.5.68R7900 – 1.0.4.38R8000 – 1.0.4.68R8300 – 1.0.2.144R8500 – 1.0.2.136RS400 – 1.5.0.68WGR614v9 – 1.2.32WGT624v4 – 2.0.13WNDR3300v1 – 1.0.45WNDR3300v2 – 1.0.0.26WNDR3400v1 – 1.0.0.52WNDR3400v2 – 1.0.0.54WNDR3400v3 – 1.0.1.38WNDR3700v3 – 1.0.0.42WNDR4000 – 1.0.2.10WNDR4500 – 1.0.1.46WNDR4500v2 – 1.0.0.72WNR834Bv2 – 2.1.13WNR1000v3 – 1.0.2.78WNR2000v2 – 1.2.0.12WNR3500 – 1.0.36NAWNR3500v2 – 1.2.2.28NAWNR3500L – 1.2.2.48NAWNR3500Lv2 – 1.2.0.66XR300 – 1.0.3.56

Netgear released security patches that fix the vulnerability in multiple devices and announced that it is testing additional firmware fixes.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Netgear)

The post Netgear fixes code execution flaw in many SOHO devices appeared first on Security Affairs.

Recent Posts
Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Not readable? Change text. captcha txt