Netgear fixes code execution flaw in many SOHO devices

Netgear addressed a code execution vulnerability, tracked as CVE-2021-34991, in its small office/home office (SOHO) devices.

Netgear addressed a pre-authentication buffer overflow issue in its small office/home office (SOHO) devices that can be exploited by an attacker on the local area network (LAN) to execute code remotely with root privileges.

The flaw, tracked as CVE-2021-34991 (CVSS score of 8.8), resides in the device’s Universal Plug-and-Play (UPnP) upnpd daemon functions related to the handling of “unauthenticated HTTP SUBSCRIBE and UNSUBSCRIBE requests from clients that wish to receive updates whenever the network’s UPnP configuration changes.”

The vulnerability was discovered by GRIMM researchers who also created a PoC exploit to compromise fully patched Netgear devices in the default configuration.

“This stack overflow is a traditional stack overflow that is not protected by any modern vulnerability mitigations.” reads the post published by GRIMM. “However, exploitation of this stack overflow is complicated by a few factors:

  1. Prior to overflowing the stack, the buffer with the user’s input is converted to lowercase. As a result, the exploit cannot use any gadgets which contain bytes with capital letters (ASCII 0x41-0x5A).
  2. The copy which overflows the stack is a string copy. As such, it will stop copying characters if it encounters a NULL character. Thus, the exploit cannot include gadgets with NULL bytes.

While the first limitation can be easily avoided by carefully choosing gadgets, the second limitation is much more difficult to bypass.”

Below is the list of impacted Netgear SOHO devices that includes routers, modems, and WiFi range extenders:

Vulnerable Devices
AC1450 – 1.0.0.36 D6220 – 1.0.0.72 D6300 – 1.0.0.102
D6400 – 1.0.0.104 D7000v2 – 1.0.0.66 D8500 – 1.0.3.60
DC112A – 1.0.0.56 DGN2200v4 – 1.0.0.116 DGN2200M – 1.0.0.35
DGND3700v1 – 1.0.0.17 EX3700 – 1.0.0.88 EX3800 – 1.0.0.88
EX3920 – 1.0.0.88 EX6000 – 1.0.0.44 EX6100 – 1.0.2.28
EX6120 – 1.0.0.54 EX6130 – 1.0.0.40 EX6150 – 1.0.0.46
EX6920 – 1.0.0.54 EX7000 – 1.0.1.94 MVBR1210C – 1.2.0.35BM
R4500 – 1.0.0.4 R6200 – 1.0.1.58 R6200v2 – 1.0.3.12
R6250 – 1.0.4.48 R6300 – 1.0.2.80 R6300v2 – 1.0.4.52
R6400 – 1.0.1.72 R6400v2 – 1.0.4.106 R6700 – 1.0.2.16
R6700v3 – 1.0.4.118 R6900 – 1.0.2.16 R6900P – 1.3.2.134
R7000 – 1.0.11.123 R7000P – 1.3.2.134 R7300DST – 1.0.0.74
R7850 – 1.0.5.68 R7900 – 1.0.4.38 R8000 – 1.0.4.68
R8300 – 1.0.2.144 R8500 – 1.0.2.136 RS400 – 1.5.0.68
WGR614v9 – 1.2.32 WGT624v4 – 2.0.13 WNDR3300v1 – 1.0.45
WNDR3300v2 – 1.0.0.26 WNDR3400v1 – 1.0.0.52 WNDR3400v2 – 1.0.0.54
WNDR3400v3 – 1.0.1.38 WNDR3700v3 – 1.0.0.42 WNDR4000 – 1.0.2.10
WNDR4500 – 1.0.1.46 WNDR4500v2 – 1.0.0.72 WNR834Bv2 – 2.1.13
WNR1000v3 – 1.0.2.78 WNR2000v2 – 1.2.0.12 WNR3500 – 1.0.36NA
WNR3500v2 – 1.2.2.28NA WNR3500L – 1.2.2.48NA WNR3500Lv2 – 1.2.0.66
XR300 – 1.0.3.56

Netgear released security patches that fix the vulnerability in multiple devices and announced that it is testing additional firmware fixes.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Netgear)

The post Netgear fixes code execution flaw in many SOHO devices appeared first on Security Affairs.

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.

Discord

Original Source