CVE-2018-21113

Vulnerability

A pre-authentication command injection vulnerability exists in the web interface of multiple NETGEAR router and modem-router models. The flaw allows an unauthenticated attacker to inject arbitrary operating system commands via a crafted request. Affected models include D6100 (firmware before 1.0.0.58), D7800 (before 1.0.1.42), R6100 (before 1.0.1.28), R7500 (before 1.0.0.130), R7500v2 (before 1.0.3.36), R7800 (before 1.0.2.52), R8900 (before 1.0.4.12), R9000 (before 1.0.4.12), WNDR3700v4 (before 1.0.2.102), WNDR4300 (before 1.0.2.104), WNDR4300v2 (before 1.0.0.56), and WNDR4500v3 (before 1.0.0.56). [1]

Exploitation

An unauthenticated attacker with network access to the device's web management interface can exploit this vulnerability by sending a specially crafted HTTP request that includes injected commands. No user interaction or prior authentication is required. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary operating system commands on the device with root privileges. This can lead to full compromise of the device, including data exfiltration, installation of malware, or use of the device in a botnet. [1]

Mitigation

NETGEAR has released firmware updates to address this vulnerability. Users should upgrade to the following fixed versions: D6100 1.0.0.58, D7800 1.0.1.42, R6100 1.0.1.28, R7500 1.0.0.130, R7500v2 1.0.3.36, R7800 1.0.2.52, R8900 1.0.4.12, R9000 1.0.4.12, WNDR3700v4 1.0.2.102, WNDR4300 1.0.2.104, WNDR4300v2 1.0.0.56, and WNDR4500v3 1.0.0.56. No workarounds are provided; updating firmware is the only mitigation. [1]