10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.6 High
AI Score
Confidence
High
0.972 High
EPSS
Percentile
99.8%
NETGEAR WNR2000 Router is prone to multiple vulnerabilities.
# SPDX-FileCopyrightText: 2016 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/h:netgear:wnr2000";
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.809775");
script_version("2023-07-21T05:05:22+0000");
script_tag(name:"cvss_base", value:"10.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_tag(name:"last_modification", value:"2023-07-21 05:05:22 +0000 (Fri, 21 Jul 2023)");
script_tag(name:"severity_vector", value:"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2017-09-03 01:29:00 +0000 (Sun, 03 Sep 2017)");
script_tag(name:"creation_date", value:"2016-12-30 15:20:48 +0530 (Fri, 30 Dec 2016)");
script_xref(name:"CISA", value:"Known Exploited Vulnerability (KEV) catalog");
script_xref(name:"URL", value:"https://www.cisa.gov/known-exploited-vulnerabilities-catalog");
script_cve_id("CVE-2016-10175", "CVE-2016-10176", "CVE-2016-10174");
script_tag(name:"qod_type", value:"remote_active");
script_name("NETGEAR WNR2000 Router Multiple Vulnerabilities");
script_tag(name:"summary", value:"NETGEAR WNR2000 Router is prone to multiple vulnerabilities.");
script_tag(name:"vuldetect", value:"Send a crafted request via HTTP GET and
check whether it is able to get specific information or not.");
script_tag(name:"insight", value:"Multiple flaws are due to:
- The device leaks its serial number while requesting for
'BRS_netgear_success.html'.
- Improper access control while sending request to 'apply_noauth.cgi'.
- Timestamps used in application can be easily calculated and generated outside.
- Improper handling of access to *.cgi files by HTTP server in the device (uhttpd).");
script_tag(name:"impact", value:"Successful exploitation will allow remote
attackers to gain access to potentially sensitive information, reboot router,
factory reset the router, change WLAN settings, change password recovery settings,
obtain the admin password once recovery settings are changed, execute code and
conduct denial of service attack.");
script_tag(name:"affected", value:"NETGEAR WNR2000 routers");
script_tag(name:"solution", value:"NETGEAR has released beta firmware for the affected routers, which can be obtained from the referenced vendor KB entry.");
script_xref(name:"URL", value:"http://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability");
script_tag(name:"solution_type", value:"VendorFix");
script_xref(name:"URL", value:"http://seclists.org/fulldisclosure/2016/Dec/72");
script_xref(name:"URL", value:"https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.txt");
script_category(ACT_ATTACK);
script_copyright("Copyright (C) 2016 Greenbone AG");
script_family("Web application abuses");
script_dependencies("gb_netgear_wnr2000_router_detect.nasl");
script_mandatory_keys("netgear_wnr2000/detected");
script_require_ports("Services/www", 80);
exit(0);
}
include("host_details.inc");
include("http_func.inc");
include("http_keepalive.inc");
if(!netPort = get_app_port(cpe:CPE)){
exit(0);
}
url = "/BRS_netgear_success.html";
req = http_get(item: url, port:netPort);
rcvRes = http_keepalive_send_recv(port:netPort, data:req);
if(rcvRes =~ "^HTTP/1\.[01] 200" && "wnr2000" >< rcvRes && "netgear" >< rcvRes)
{
serial = eregmatch(pattern:'var sn="([0-9A-Za-z]+)";', string:rcvRes);
if(serial[1])
{
report = http_report_vuln_url(port:netPort, url:url);
security_message( port:netPort, data:report);
exit(0);
}
}
exit(0);
kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability
seclists.org/fulldisclosure/2016/Dec/72
raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.txt
www.cisa.gov/known-exploited-vulnerabilities-catalog
Known Exploited Vulnerability (KEV) catalog
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.6 High
AI Score
Confidence
High
0.972 High
EPSS
Percentile
99.8%