CVE-2017-18788

Vulnerability

A post-authentication command injection vulnerability exists in the web interface of numerous NETGEAR routers, gateways, and extenders. An authenticated user can inject arbitrary operating system commands through a vulnerable parameter. Affected models include D3600 (before 1.0.0.67), D6000 (before 1.0.0.67), D6100 (before 1.0.0.56), D6200 (before 1.1.00.24), D6220 (before 1.0.0.32), D6400 (before 1.0.0.66), D7000 (before 1.0.1.52), D7000v2 (before 1.0.0.44), D7800 (before 1.0.1.30), D8500 (before 1.0.3.35), DGN2200v4 (before 1.0.0.96), DGN2200Bv4 (before 1.0.0.96), EX2700 (before 1.0.1.28), EX6150v2 (before 1.0.1.54), EX6100v2 (before 1.0.1.54), EX6200v2 (before 1.0.1.52), EX6400 (before 1.0.1.72), EX7300 (before 1.0.1.72), EX8000 (before 1.0.0.102), JNR1010v2 (before 1.1.0.44), JWNR2010v5 (before 1.1.0.44), PR2000 (before 1.0.0.20), R6100 (before 1.0.1.20), R6250 (before 1.0.4.16), R6300v2 (before 1.0.4.18), R6400 (before 1.0.1.32), R6400v2 (before 1.0.2.46), R6700 (before 1.0.1.36), R6900 (before 1.0.1.34), R7000 (before 1.0.9.18), R6900P (before 1.3.0.8), R7000P (before 1.3.0.8), R7100LG (before 1.0.0.34), R7300DST (before 1.0.0.58), R7500 (before 1.0.0.118), R7500v2 (before 1.0.3.24), R7800 (before 1.0.2.40), R7900 (before 1.0.2.4), R8000 (before 1.0.4.4_1.1.42), R7900P (before 1.1.5.14), R8000P (before 1.1.5.14), R8300 (before 1.0.2.110), R8500 (before 1.0.2.110), R9000 (before 1.0.2.52), WN2000RPTv3 (before 1.0.1.14), WN3000RPv3 (before 1.0.2.50), WN3100RPv2 (before 1.0.0.40), WNDR3400v3 (before 1.0.1.16), WNDR3700v4 (before 1.0.2.94), WNDR4300 (before 1.0.2.96), WNDR4300v2 (before 1.0.0.50), WNDR4500v3 (before 1.0.0.50), WNR1000v4 (before 1.1.0.44), WNR2000v5 (before 1.0.0.62), WNR2020 (before 1.1.0.44), WNR2050 (before 1.1.0.44), and WNR3500Lv2 (before 1.2.0.46). [1]

Exploitation

An attacker must first authenticate to the device's web interface with valid credentials. Once authenticated, the attacker can send a specially crafted HTTP request to a vulnerable endpoint, injecting operating system commands into a parameter that is not properly sanitized. The injected commands are then executed with root privileges on the device. No user interaction beyond the initial authentication is required. [1]

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary commands as the root user on the affected device. This can lead to full compromise of the device, including unauthorized access to network traffic, modification of device configuration, installation of malware, and use of the device as a pivot point for further attacks on the local network. [1]

Mitigation

NETGEAR has released firmware updates for all affected models. Users should update to the fixed versions listed in the advisory [1]. For example, D3600 and D6000 should be updated to 1.0.0.67 or later, D6100 to 1.0.0.56 or later, and so on. No workarounds are provided. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.