CVE-2018-21218
Description
Certain NETGEAR devices are affected by a buffer overflow exploitable by an unauthenticated attacker. This affects D3600 before 1.0.0.67, D6000 before 1.0.0.67, D6100 before 1.0.0.56, D7800 before 1.0.1.30, R6100 before 1.0.1.20, R7500 before 1.0.0.118, R7500v2 before 1.0.3.24, R9000 before 1.0.2.52, WNDR3700v4 before 1.0.2.96, WNDR4300 before 1.0.2.98, WNDR4300v2 before 1.0.0.50, WNDR4500v3 before 1.0.0.50, and WNR2000v5 before 1.0.0.62.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A buffer overflow in the pre-authentication process of multiple NETGEAR devices allows an unauthenticated adjacent attacker to execute arbitrary code.
Vulnerability
A buffer overflow vulnerability exists in the pre-authentication web server process of multiple NETGEAR routers and gateways [1]. An unauthenticated attacker can trigger the overflow by sending a specially crafted request. The following models and firmware versions are affected: D3600 < 1.0.0.67, D6000 < 1.0.0.67, D6100 < 1.0.0.56, D7800 < 1.0.1.30, R6100 < 1.0.1.20, R7500 < 1.0.0.118, R7500v2 < 1.0.3.24, R9000 < 1.0.2.52, WNDR3700v4 < 1.0.2.96, WNDR4300 < 1.0.2.98, WNDR4300v2 < 1.0.0.50, WNDR4500v3 < 1.0.0.50, and WNR2000v5 < 1.0.0.62 [1].
Exploitation
The attacker can exploit this vulnerability without any authentication or user interaction, as long as they have network access to the vulnerable device (adjacent network) [1]. The CVSS vector AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H confirms these requirements. An attacker can send a malicious HTTP request that overflows a buffer in the pre-authentication handler, leading to arbitrary code execution.
Impact
Successful exploitation results in arbitrary code execution with high privileges on the affected device, allowing the attacker to potentially gain full control of the device, intercept network traffic, and pivot to other network resources. The impact is considered high for confidentiality, integrity, and availability.
Mitigation
NETGEAR has released firmware updates to fix the vulnerability for all affected models. Users should update to at least the fixed version for their model, which is the version threshold listed in the Vulnerability section [1]. No workarounds are provided. The advisory strongly recommends immediate installation of the latest firmware.
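To check an inventory against the thresholds above, the sketch below compares firmware versions numerically per model; it is an added example, not part of the NETGEAR advisory or this page's source. The hostnames, the inventory layout and the tolerated leading "V" on firmware strings are assumptions.

```python
import re

# Fixed-firmware thresholds copied from the advisory text above; a device is
# affected when its firmware is strictly below the version listed for its model.
FIXED = {
    "D3600": "1.0.0.67", "D6000": "1.0.0.67", "D6100": "1.0.0.56",
    "D7800": "1.0.1.30", "R6100": "1.0.1.20", "R7500": "1.0.0.118",
    "R7500V2": "1.0.3.24", "R9000": "1.0.2.52", "WNDR3700V4": "1.0.2.96",
    "WNDR4300": "1.0.2.98", "WNDR4300V2": "1.0.0.50",
    "WNDR4500V3": "1.0.0.50", "WNR2000V5": "1.0.0.62",
}

def parse_version(text):
    """Return the leading dotted version as a tuple of ints, or None."""
    m = re.match(r"\s*[Vv]?(\d+(?:\.\d+)+)", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def status(model, firmware):
    """Classify one device: 'affected', 'fixed', 'not-listed' or 'unknown'."""
    # Exact model match: R7500 and R7500v2 have different thresholds.
    fixed = FIXED.get(model.strip().upper())
    if fixed is None:
        return "not-listed"
    have = parse_version(firmware)
    if have is None:
        return "unknown"  # unparseable version: flag for manual review
    # Tuple comparison is numeric per component, so 99 < 118.
    return "affected" if have < parse_version(fixed) else "fixed"

# Constructed inventory (hypothetical hostnames and firmware strings).
INVENTORY = [
    ("gw-lobby", "R7500", "V1.0.0.99"),    # a string compare would call this fixed
    ("gw-lab", "r7500v2", "1.0.0.118"),    # fixed for R7500, not for R7500v2
    ("gw-floor2", "R9000", "1.0.2.52"),
    ("gw-branch", "D7800", ""),            # version missing from the inventory
    ("sw-core", "GS108", "1.0.0.1"),       # model not named in the advisory
]

def audit(inventory):
    """Map each hostname to its classification."""
    return {host: status(model, fw) for host, model, fw in inventory}

if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(f"{host:10} {result}")
```

Devices reported as "unknown" should be treated as unverified rather than patched.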
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.