Denial of service in NETGEAR Routers and WiFi Systems

Published: 2023-01-02

Risk	Medium
Patch available	YES
Number of vulnerabilities	1
CVE-ID	N/A
CWE-ID	CWE-20
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	CAX80 Hardware solutions / Routers & switches, VoIP, GSM, etc RAXE450 Hardware solutions / Routers & switches, VoIP, GSM, etc RAXE500 Hardware solutions / Routers & switches, VoIP, GSM, etc EX6120 Hardware solutions / Routers & switches, VoIP, GSM, etc EX6130 Hardware solutions / Routers & switches, VoIP, GSM, etc MK62 Hardware solutions / Routers & switches, VoIP, GSM, etc MR60 Hardware solutions / Routers & switches, VoIP, GSM, etc MS60 Hardware solutions / Routers & switches, VoIP, GSM, etc R6700v3 Hardware solutions / Routers & switches, VoIP, GSM, etc RAX45 Hardware solutions / Routers & switches, VoIP, GSM, etc RAX50 Hardware solutions / Routers & switches, VoIP, GSM, etc RAX43 Hardware solutions / Routers & switches, VoIP, GSM, etc RAX40v2 Hardware solutions / Routers & switches, VoIP, GSM, etc RAX38v2 Hardware solutions / Routers & switches, VoIP, GSM, etc RAX35v2 Hardware solutions / Routers & switches, VoIP, GSM, etc LAX20 Hardware solutions / Routers & switches, VoIP, GSM, etc MK83 Hardware solutions / Routers & switches, VoIP, GSM, etc MR80 Hardware solutions / Routers & switches, VoIP, GSM, etc MS80 Hardware solutions / Routers & switches, VoIP, GSM, etc RAX75 Hardware solutions / Routers & switches, VoIP, GSM, etc RAX80 Hardware solutions / Routers & switches, VoIP, GSM, etc R6400v2 Hardware solutions / Routers for home users R7000 Hardware solutions / Routers for home users R7000P Hardware solutions / Routers for home users R6900P Hardware solutions / Routers for home users XR1000 Hardware solutions / Routers for home users
Vendor

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Input validation error

EUVDB-ID: #VU70563

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

CAX80: before 2.1.4.2

RAXE450: before 1.0.8.70

RAXE500: before 1.0.8.70

EX6120: before 1.0.0.66

EX6130: before 1.0.0.46

MK62: before 1.1.6.122

MR60: before 1.1.6.122

MS60: before 1.1.6.122

R6400v2: before 1.0.4.122

R6700v3: before 1.0.4.122

RAX45: before 1.0.5.106

RAX50: before 1.0.5.106

RAX43: before 1.0.5.106

RAX40v2: before 1.0.5.106

RAX38v2: before 1.0.5.106

RAX35v2: before 1.0.5.106

R7000: before 1.0.11.130

LAX20: before 1.1.6.34

MK83: before 1.1.6.14

MR80: before 1.1.6.14

MS80: before 1.1.6.14

R7000P: before 1.3.3.148

R6900P: before 1.3.3.148

XR1000: before 1.0.0.64

RAX75: before 1.0.6.138

RAX80: before 1.0.6.138

External links

http://kb.netgear.com/000065490/Security-Advisory-for-Denial-of-Service-on-Some-Routers-and-WiFi-Systems-PSV-2021-0189

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.