Lucene search

ZdiCVELIST:CVE-2021-27239

HistoryMar 29, 2021 - 9:05 p.m.

CVE-2021-27239

2021-03-2921:05:29

CWE-121

zdi

www.cve.org

network-adjacent attackers

execute arbitrary code

netgear r6400

netgear r6700

authentication not required

upnpd service

udp port 1900

crafted mx header

ssdp message

stack-based buffer overflow

root context

zdi-can-11851

CVSS3

8.8

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

50.4%

JSON

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6400 and R6700 firmware version 1.0.4.98 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the upnpd service, which listens on UDP port 1900 by default. A crafted MX header field in an SSDP message can trigger an overflow of a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-11851.

CNA Affected

[
  {
    "product": "Multiple Routers",
    "vendor": "NETGEAR",
    "versions": [
      {
        "status": "affected",
        "version": "firmware version 1.0.4.98"
      }
    ]
  }
]

References

kb.netgear.com/000062820/Security-Advisory-for-Stack-based-Buffer-Overflow-Remote-Code-Execution-Vulnerability-on-Some-Routers-PSV-2020-0432

www.zerodayinitiative.com/advisories/ZDI-21-206/

CVSS3

8.8

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

50.4%

JSON

Related for CVELIST:CVE-2021-27239