OS command injection in NETGEAR products - #VU10434
Published: February 9, 2018
Vulnerability identifier: #VU10434
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-78
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: NETGEAR
Affected software:
D8500
R6100
R6400v2
R6400
R8300
R8500
Detailed vulnerability description
The vulnerability allows a local root-privileged attacker to execute shell commands on the target system.
The weakness exists due to post-authentication command injection. A local attacker can use the device_name parameter on the lan.cgi page to inject and execute arbitrary commands with root privileges.
Successful exploitation of the vulnerability may result in system compromise.
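As an added illustration of the CWE-78 mitigation for this weakness (example code, not NETGEAR's firmware), the following C routines validate a device_name value against an allow-list before it reaches any command construction, and flag inputs that carry shell metacharacters so rejected requests can be logged as injection attempts. It assumes the CGI handler is written in C and that device_name is used as a hostname label; the function names are hypothetical.

```c
/* Added example (not NETGEAR's code): allow-list validation for a device
 * name before it reaches anything that touches a shell.  Assumes the CGI
 * is C and that device_name is used as an RFC 1123 hostname label. */
#include <ctype.h>
#include <string.h>

#define DEVICE_NAME_MAX 63   /* RFC 1123 label length limit */

/* Returns 1 when s is a safe hostname label: 1..63 ASCII letters, digits
 * or '-', neither starting nor ending with '-'.  Everything else,
 * including every shell metacharacter, is rejected.  Even a validated
 * value should be passed as its own argv element (execve) rather than
 * interpolated into a system() command line. */
int device_name_is_valid(const char *s)
{
    size_t n;
    if (s == NULL) return 0;
    n = strlen(s);
    if (n == 0 || n > DEVICE_NAME_MAX) return 0;
    if (s[0] == '-' || s[n - 1] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c >= 0x80) return 0;            /* ASCII only */
        if (!isalnum(c) && c != '-') return 0;
    }
    return 1;
}

/* Detection aid: returns 1 when the input contains characters a POSIX
 * shell would interpret, so the handler can log the request as a likely
 * injection attempt instead of a plain validation failure. */
int device_name_has_shell_meta(const char *s)
{
    const char *meta = ";|&`$()<>\n\r'\"\\";
    if (s == NULL) return 0;
    return strpbrk(s, meta) != NULL;
}
```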
Remediation
Update to the latest version.