VYPR
Unrated severity · NVD Advisory · Published Apr 23, 2020 · Updated Aug 5, 2024

CVE-2018-21138

Description

Certain NETGEAR devices are affected by incorrect configuration of security settings. This affects D3600 before 1.0.0.76 and D6000 before 1.0.0.76.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NETGEAR D3600 and D6000 routers before firmware 1.0.0.76 have a security misconfiguration allowing adjacent attackers to compromise devices.

Vulnerability

A security misconfiguration exists in NETGEAR D3600 and D6000 modem routers running firmware versions prior to 1.0.0.76. The exact nature of the misconfiguration is not detailed in the advisory, but it affects the device's security settings, potentially exposing services or interfaces that should be restricted [1].

Exploitation

An attacker on an adjacent network (AV:A) can exploit this vulnerability without authentication (PR:N) and without user interaction (UI:N). The low attack complexity (AC:L) suggests that no special conditions or race windows are required. The attacker can send crafted requests to the vulnerable device to take advantage of the misconfiguration [1].

Impact

Successful exploitation leads to high confidentiality, integrity, and availability impact (C:H/I:H/A:H). An attacker could gain full control over the device, read sensitive information, modify settings, or disrupt service. The scope is unchanged (S:U), meaning the compromise is limited to the affected device [1].

Mitigation

NETGEAR has released firmware version 1.0.0.76 for both D3600 and D6000 to address this vulnerability. Users should download and install the latest firmware from NETGEAR Support as soon as possible. No workarounds are provided; upgrading is the only mitigation [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

References

1
