Unrated severity · NVD Advisory · Published Apr 24, 2020 · Updated Aug 5, 2024

CVE-2018-21228

Description

Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D7800 before 1.0.1.34, EX6100v2 before 1.0.1.50, EX6150v2 before 1.0.1.50, EX6200v2 before 1.0.1.44, EX6400 before 1.0.1.60, EX7300 before 1.0.1.60, R6100 before 1.0.1.16, R7500 before 1.0.0.110, R7800 before 1.0.2.32, R9000 before 1.0.2.30, WN3000RPv3 before 1.0.2.50, WNDR4300v2 before 1.0.0.50, and WNDR4500v3 before 1.0.0.50.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated command injection in multiple NETGEAR devices allows an attacker with valid credentials to execute arbitrary commands.

Vulnerability

A post-authentication command injection vulnerability exists in the firmware of multiple NETGEAR routers, gateways, and extenders. The flaw resides in the web management interface and can be triggered by an authenticated user. Affected models include D7800 (before 1.0.1.34), EX6100v2 (before 1.0.1.50), EX6150v2 (before 1.0.1.50), EX6200v2 (before 1.0.1.44), EX6400 (before 1.0.1.60), EX7300 (before 1.0.1.60), R6100 (before 1.0.1.16), R7500 (before 1.0.0.110), R7800 (before 1.0.2.32), R9000 (before 1.0.2.30), WN3000RPv3 (before 1.0.2.50), WNDR4300v2 (before 1.0.0.50), and WNDR4500v3 (before 1.0.0.50) [1].

Exploitation

An attacker must first obtain valid administrative credentials for the target device. With authenticated access to the web interface, the attacker can send a specially crafted HTTP request that injects arbitrary operating system commands through a request parameter. No user interaction beyond the initial authentication is required [1].

Impact

Successful exploitation allows the attacker to execute arbitrary commands on the underlying operating system with root privileges. This can lead to full compromise of the device, including disclosure of sensitive data, modification of device configuration, and denial of service. The CVSS v3 score is 6.8 (Medium) with a vector of AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H [1].

Mitigation

NETGEAR has released fixed firmware versions for all affected models. Users should upgrade to the latest firmware as soon as possible: D7800 to 1.0.1.34 or later, EX6100v2/EX6150v2 to 1.0.1.50 or later, EX6200v2 to 1.0.1.44 or later, EX6400/EX7300 to 1.0.1.60 or later, R6100 to 1.0.1.16 or later, R7500 to 1.0.0.110 or later, R7800 to 1.0.2.32 or later, R9000 to 1.0.2.30 or later, WN3000RPv3 to 1.0.2.50 or later, WNDR4300v2 to 1.0.0.50 or later, and WNDR4500v3 to 1.0.0.50 or later [1]. No workarounds are provided; the only mitigation is applying the firmware update.
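To apply the version list above across a fleet, the following added example (not part of the advisory or any NETGEAR tooling) classifies inventory entries against the fixed versions. It compares versions numerically, since a string comparison would rank 1.0.0.94 above 1.0.0.110. The `V` prefix and `_build` suffix handling and the sample inventory are assumptions.

```python
import re

# Minimum fixed firmware per model, copied from the advisory text above.
FIXED = {
    "D7800": "1.0.1.34", "EX6100v2": "1.0.1.50", "EX6150v2": "1.0.1.50",
    "EX6200v2": "1.0.1.44", "EX6400": "1.0.1.60", "EX7300": "1.0.1.60",
    "R6100": "1.0.1.16", "R7500": "1.0.0.110", "R7800": "1.0.2.32",
    "R9000": "1.0.2.30", "WN3000RPv3": "1.0.2.50", "WNDR4300v2": "1.0.0.50",
    "WNDR4500v3": "1.0.0.50",
}
_BY_LOWER = {m.lower(): m for m in FIXED}


def parse_version(text):
    """Return the leading dotted version as a tuple of ints, or None.

    Assumption: strings may look like 'V1.0.2.30_1.0.15'; only the first
    dotted group is compared."""
    m = re.match(r"\s*[vV]?(\d+(?:\.\d+)+)", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def check(model, firmware):
    """Classify a device: 'vulnerable', 'fixed', 'not-listed' or 'unknown'."""
    # Exact model match (case-insensitive): EX6100 is not EX6100v2.
    key = _BY_LOWER.get(model.strip().lower())
    if key is None:
        return "not-listed"
    have = parse_version(firmware)
    if have is None:
        return "unknown"  # unparseable version string: review by hand
    need = parse_version(FIXED[key])
    width = max(len(have), len(need))  # pad so 1.0.2 compares as 1.0.2.0
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return "vulnerable" if have < need else "fixed"


# Constructed sample inventory (not real devices).
INVENTORY = [
    ("R7500", "V1.0.0.94"),         # 94 < 110; a string compare says otherwise
    ("R7500", "1.0.0.110"),
    ("r7800", "V1.0.2.30_1.0.15"),
    ("R7000", "1.0.9.88"),          # model not named in this advisory
    ("EX6400", "unknown"),
]

if __name__ == "__main__":
    for model, fw in INVENTORY:
        print(f"{model:12} {fw:20} {check(model, fw)}")
```

A `not-listed` result only means the model is absent from this advisory, and `unknown` entries need a manual version check.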

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
