CVE-2018-21207

Vulnerability

A stack-based buffer overflow exists in certain NETGEAR routers, gateways, and extenders before specific firmware versions [1]. The vulnerability is triggered pre-authentication, meaning no credentials are required. Affected models include D3600 (before 1.0.0.67), D6000 (before 1.0.0.67), D7800 (before 1.0.1.30), EX2700 (before 1.0.1.28), R6100 (before 1.0.1.20), R7500 (before 1.0.0.118), R7500v2 (before 1.0.3.24), R7800 (before 1.0.2.40), R9000 (before 1.0.2.52), WN2000RPTv3 (before 1.0.1.20), WN3000RPv3 (before 1.0.2.50), WN3100RPv2 (before 1.0.0.56), WNDR3700v4 (before 1.0.2.96), WNDR4300 (before 1.0.2.98), WNDR4300v2 (before 1.0.0.50), and WNDR4500v3 (before 1.0.0.50) [1].

Exploitation

An unauthenticated attacker on the same network or potentially from the WAN can send specially crafted packets to trigger the stack overflow. No user interaction or authentication is required. The exact protocol or service handling the request is not specified in the reference, but the advisory confirms pre-authentication access [1].

Impact

Successful exploitation allows an attacker to cause a denial of service or potentially execute arbitrary code on the device. Since the buffer overflow occurs pre-authentication, the attacker gains full control over the affected device [1].

Mitigation

NETGEAR has released firmware updates to fix the vulnerability. Users should update to the latest firmware for their device as listed in the advisory [1]. The fixed versions are: D3600 1.0.0.67, D6000 1.0.0.67, D7800 1.0.1.30, EX2700 1.0.1.28, R6100 1.0.1.20, R7500 1.0.0.118, R7500v2 1.0.3.24, R7800 1.0.2.40, R9000 1.0.2.52, WN2000RPTv3 1.0.1.20, WN3000RPv3 1.0.2.50, WN3100RPv2 1.0.0.56, WNDR3700v4 1.0.2.96, WNDR4300 1.0.2.98, WNDR4300v2 1.0.0.50, and WNDR4500v3 1.0.0.50 [1]. No workaround is provided.