CVE-2017-18789

Vulnerability

This vulnerability affects multiple NETGEAR devices: R6250 before V1.0.4.8, R6400 before V1.0.1.22, R6400v2 before V1.0.2.32, R7100LG before V1.0.0.32, R7300 before V1.0.0.52, R8300 before V1.0.2.94, R8500 before V1.0.2.100, D6220 before V1.0.0.28, D6400 before V1.0.0.60, and D8500 before V1.0.3.29 [1]. The bug is a sensitive information disclosure flaw that can be triggered from the local network side without authentication.

Exploitation

An attacker with physical or local network access to the device can exploit this vulnerability. No authentication is required, and no user interaction is needed [1]. The CVSSv3 vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N indicates a low complexity attack that does not require privileges or user interaction [1].

Impact

Successful exploitation results in the disclosure of sensitive information (confidentiality impact is high) [1]. No integrity or availability impact is reported. The attacker does not gain any additional privileges beyond reading the leaked data.

Mitigation

NETGEAR has released fixed firmware versions for all affected models: R6250 V1.0.4.8, R6400 V1.0.1.22, R6400v2 V1.0.2.32, R7100LG V1.0.0.32, R7300 V1.0.0.52, R8300 V1.0.2.94, R8500 V1.0.2.100, D6220 V1.0.0.28, D6400 V1.0.0.60, and D8500 V1.0.3.29 [1]. Users should update to the latest firmware as soon as possible. No workarounds are provided by the vendor.