Lucene search

[email protected]CVE-2021-27257

HistoryMar 05, 2021 - 8:15 p.m.

CVE-2021-27257

2021-03-0520:15:00

CWE-295

[email protected]

web.nvd.nist.gov

cve-2021-27257

netgear

r7800

firmware

ftp

certificate validation

vulnerability

zdi-can-12362

6.5 Medium

CVSS3

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

6.4 Medium

AI Score

Confidence

High

3.3 Low

CVSS2

Access Vector

ADJACENT_NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:A/AC:L/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

47.2%

JSON

This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of NETGEAR R7800 firmware version 1.0.2.76. Authentication is not required to exploit this vulnerability. The specific flaw exists within the downloading of files via FTP. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-12362.

CPENameOperatorVersion
netgear:br200_firmwarenetgear br200 firmwarelt5.10.0.5
netgear:br500_firmwarenetgear br500 firmwarelt5.10.0.5
netgear:d7800_firmwarenetgear d7800 firmwarelt1.0.1.60
netgear:ex6100v2_firmwarenetgear ex6100v2 firmwarelt1.0.1.98
netgear:ex6150v2_firmwarenetgear ex6150v2 firmwarelt1.0.1.98
netgear:ex6250_firmwarenetgear ex6250 firmwarelt1.0.0.134
netgear:ex6400_firmwarenetgear ex6400 firmwarelt1.0.2.158
netgear:ex6400v2_firmwarenetgear ex6400v2 firmwarelt1.0.0.134
netgear:ex6410_firmwarenetgear ex6410 firmwarelt1.0.0.134
netgear:ex6420_firmwarenetgear ex6420 firmwarelt1.0.0.134

CPE	Name	Operator	Version
netgear:br200_firmware	netgear br200 firmware	lt	5.10.0.5
netgear:br500_firmware	netgear br500 firmware	lt	5.10.0.5
netgear:d7800_firmware	netgear d7800 firmware	lt	1.0.1.60
netgear:ex6100v2_firmware	netgear ex6100v2 firmware	lt	1.0.1.98
netgear:ex6150v2_firmware	netgear ex6150v2 firmware	lt	1.0.1.98
netgear:ex6250_firmware	netgear ex6250 firmware	lt	1.0.0.134
netgear:ex6400_firmware	netgear ex6400 firmware	lt	1.0.2.158
netgear:ex6400v2_firmware	netgear ex6400v2 firmware	lt	1.0.0.134
netgear:ex6410_firmware	netgear ex6410 firmware	lt	1.0.0.134
netgear:ex6420_firmware	netgear ex6420 firmware	lt	1.0.0.134

Rows per page:

1-10 of 431

References

kb.netgear.com/000062883/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Satellites-and-Extenders

www.zerodayinitiative.com/advisories/ZDI-21-264/

Social References

6.5 Medium

CVSS3

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

6.4 Medium

AI Score

Confidence

High

3.3 Low

CVSS2

Access Vector

ADJACENT_NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:A/AC:L/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

47.2%

JSON

Related for CVE-2021-27257

zdi1 prion1