CVE-2017-18856
Description
NETGEAR ReadyNAS devices before 6.6.1 are affected by command injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated command injection in NETGEAR ReadyNAS before version 6.6.1 allows an administrator on the local network to execute arbitrary OS commands.
Vulnerability
CVE-2017-18856 is an operating system (OS) command injection vulnerability in NETGEAR ReadyNAS OS 6 storage systems running firmware version 6.6.1 or earlier [1]. The vulnerability resides in a component accessible to authenticated administrators on the local area network. An attacker with administrator credentials can inject arbitrary OS commands [1].
Exploitation
To exploit this vulnerability, an attacker must have local area network access to the ReadyNAS device and possess the device's administrator credentials [1]. The attacker then sends crafted input that the vulnerable component passes to the operating system without proper sanitization, resulting in execution of the injected commands [1].
Impact
Successful exploitation allows an authenticated attacker to execute arbitrary operating system commands with the privileges of the affected process [1]. This can lead to full compromise of confidentiality, integrity, and availability (CIA) of the storage system, including unauthorized data access, modification, and denial of service [1].
Mitigation
NETGEAR has fixed this vulnerability in ReadyNAS OS version 6.6.2 and later [1]. All affected users should update their ReadyNAS OS 6 storage systems to firmware version 6.6.2 or later to protect against exploitation [1]. No workarounds are available; updating the firmware is the only mitigation [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- NETGEAR/ReadyNAS