Cybersecurity specialists reported the finding of a critical vulnerability in multiple router models of the technology company Netgear. According to the report, successful exploitation of this flaw will allow threat actors to execute arbitrary code on compromised devices.
Below is a detailed report of the reported flaw, in addition to its CVE tracking key and severity score according to the Common Vulnerability Scoring System (CVSS).
Tracked as CVE-2021-27239, this security flaw exists due to a boundary error in the upnpd service of the compromised routers. Unauthenticated remote threat actors on the local network can use a specially designed MX header field in an SSDP message to trigger a stack-based buffer overflow, leading to arbitrary code execution on the target system.
The flaw received a CVSS score of 7.7/10 and its successful exploitation would allow full commitment of the target system, so cybersecurity experts recommend following the recommendations related to this report to the letter.
The following is a list of vulnerable software deployments:
- D6220: prior to 1.0.0.68
- XR300: prior to 1.0.3.56
- WNR3500Lv2: prior to 1.2.0.66
- WNDR3400v3: prior to 1.0.1.38
- RS400: pre-1.5.0.68_hotfix
- RBS850: prior to 3.2.17.12
- RBS750: prior to 3.2.17.12
- RBS40V: prior to 2.6.2.4
- RBR850: prior to 3.2.17.12
- RBR750: prior to 3.2.17.12
- RAX80: prior to 1.0.3.102
- RAX75: prior to 1.0.3.102
- RAX200: prior to 1.0.2.88
- R8500: prior to 1.0.2.144
- R8300: prior to 1.0.2.144
- R8000P: prior to 1.4.1.68
- R8000: prior to 1.0.4.68
- R7960P: prior to 1.4.1.68
- R7900P: prior to 1.4.1.68
- R7900: prior to 1.0.4.38
- R7850: prior to 1.0.5.68
- R7100LG: prior to 1.0.0.64
- R7000P: prior to 1.3.2.132
- R7000: prior to 1.0.11.116
- R6900P: prior to 1.3.2.132
- R6700v3: prior to 1.0.4.102
- R6400v2: prior to 1.0.4.102
- R6400: prior to 1.0.1.68
- R6300v2: prior to 1.0.4.50
- R6250: prior to 1.0.4.48
- EX7500: prior to 1.0.0.72
- EX7000: prior to 1.0.1.94
- DC112A: prior to 1.0.0.54
- D8500: prior to 1.0.3.60
- D6400: prior to 1.0.0.102
- D7000v2: prior to 1.0.0.66
While this flaw can be exploited by unauthenticated remote threat actors over the local network, cybersecurity experts have not reported attempts at active exploitation or malware variants associated with the attack.
The vulnerability has already been fixed, so users of affected deployments are advised to update as soon as possible. To learn more about information security risks, malware, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) website.
