CVE-2018-21204

Vulnerability

A stack-based buffer overflow exists in the pre-authentication handler of certain NETGEAR routers and gateways. An unauthenticated attacker can trigger the overflow by sending a specially crafted packet. Affected devices include D7800 (before 1.0.1.30), R6100 (before 1.0.1.20), R7500 (before 1.0.0.118), R7500v2 (before 1.0.3.24), R7800 (before 1.0.2.40), R9000 (before 1.0.2.52), WNDR3700v4 (before 1.0.2.96), WNDR4300 (before 1.0.2.98), WNDR4300v2 (before 1.0.0.50), and WNDR4500v3 (before 1.0.0.50) [1].

Exploitation

An unauthenticated attacker with network adjacency (e.g., on the same LAN or WiFi) can exploit this vulnerability without any user interaction or prior authentication. The attacker sends a malformed packet to the device's pre-authentication interface, causing a stack buffer overflow that overwrites memory [1].

Impact

Successful exploitation allows arbitrary code execution on the device. The attacker can achieve full compromise, including the ability to modify device configuration, intercept network traffic, or pivot to other network hosts. The CVSS v3 vector (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates a high impact to confidentiality, integrity, and availability [1].

Mitigation

NETGEAR has released fixed firmware versions for all affected models. Users should upgrade to the latest firmware available from NETGEAR Support. The fixed versions are: D7800 1.0.1.30, R6100 1.0.1.20, R7500 1.0.0.118, R7500v2 1.0.3.24, R7800 1.0.2.40, R9000 1.0.2.52, WNDR3700v4 1.0.2.96, WNDR4300 1.0.2.98, WNDR4300v2 1.0.0.50, and WNDR4500v3 1.0.0.50 [1]. No workaround exists; applying the firmware update is the only mitigation.