SB2018020907 - Multiple vulnerabilities in NETGEAR Touters
Published: February 9, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 vulnerabilities.
1) Information disclosure (CVE-ID: N/A)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows an adjacent attacker to obtain potentially sensitive information on the target system.
The weakness exists due to a flaw in the genie_restoring.cgi script, provided by the box's built-in web server. An adjacent attacker can abuse the vulnerable script and extract files and passwords from its filesystem in flash storage or pull files from USB sticks plugged into the router.
2) OS command injection (CVE-ID: N/A)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows an local root-privileged attacker to execute shell commands on the target system.
The weakness exists due to post-authentication command injection. A local attacker can use the device_name parameter on the lan.cgi page to inject and execute arbitrary commands with root privileges.
Successful exploitation of the vulnerability may result in system compromise.
3) Authentication bypass (CVE-ID: N/A)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to bypass authentication on the target system.
The weakness exists due to improper privileges and access controls. A local attacker can bypass authentication if "&genie=1" is found within the query string.
4) OS command injection (CVE-ID: N/A)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows an local attacker to execute shell commands on the target system.
The weakness exists due to command injection. A local attacker can use the device_name parameter on the lan.cgi page to inject and execute arbitrary commands with root privileges.
Successful exploitation of the vulnerability may result in system compromise.
5) OS command injection (CVE-ID: N/A)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows an local root-privileged attacker to execute shell commands on the target system.
The weakness exists due to post-authentication command injection. A local attacker can inject and execute arbitrary commands with root privileges during short time window when WPS is activated.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Install update from vendor's website.
References
- https://kb.netgear.com/000045848/Security-Advisory-for-Password-Recovery-and-File-Access-on-Some-Rou...
- https://kb.netgear.com/000045850/Security-Advisory-for-Post-Authentication-Command-Injection-on-Some-Routers-and-Modem-Routers-PSV-2017-1207
- https://kb.netgear.com/000048998/Security-Advisory-for-Authentication-Bypass-on-Some-Routers-or-Mode...
- https://kb.netgear.com/000048999/Security-Advisory-for-Command-Injection-on-Some-Routers-and-Modem-R...
- https://kb.netgear.com/000049354/Security-Advisory-for-Command-Injection-Vulnerability-on-D7000-EX6200v2-and-Some-Routers-PSV-2017-2181