CVE-2018-21223

Vulnerability

A pre-authentication buffer overflow vulnerability exists in several NETGEAR router and gateway models. The affected devices include D3600 (before 1.0.0.67), D6000 (before 1.0.0.67), D7800 (before 1.0.1.30), R6100 (before 1.0.1.20), R7500 (before 1.0.0.118), R7500v2 (before 1.0.3.24), R9000 (before 1.0.2.52), WNDR3700v4 (before 1.0.2.96), WNDR4300 (before 1.0.2.98), WNDR4300v2 (before 1.0.0.50), WNDR4500v3 (before 1.0.0.50), and WNR2000v5 (before 1.0.0.62). An unauthenticated attacker can trigger the overflow by sending a specially crafted packet to the device, without requiring any authentication or user interaction.

Exploitation

An attacker with network access to the affected device (adjacent network, as per CVSS vector) can send a crafted packet that exploits the buffer overflow. No authentication is required, and no user interaction is needed. The vulnerability is triggered during the handling of incoming traffic before any authentication checks occur.

Impact

Successful exploitation can lead to a denial of service (device crash) or potentially allow arbitrary code execution. Given the CVSS v3 score of 8.8 (High), the impact on confidentiality, integrity, and availability is considered high. An attacker could gain full control of the device.

Mitigation

NETGEAR has released firmware updates that fix this vulnerability. Users should update their devices to the following firmware versions or later: D3600 and D6000 to 1.0.0.67, D7800 to 1.0.1.30, R6100 to 1.0.1.20, R7500 to 1.0.0.118, R7500v2 to 1.0.3.24, R9000 to 1.0.2.52, WNDR3700v4 to 1.0.2.96, WNDR4300 to 1.0.2.98, WNDR4300v2 to 1.0.0.50, WNDR4500v3 to 1.0.0.50, and WNR2000v5 to 1.0.0.62. No workaround is available; installing the firmware is the only mitigation. The vulnerability is not known to be in CISA's KEV as of publication.

[1] https://kb.netgear.com/000055114/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Some-Routers-and-Gateways-PSV-2017-2457