CVE-2019-20749

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in several NETGEAR devices, including D7800, EX6100v2, EX6150v2, R7500v2, R7800, R8900, R9000, WN2000RPTv3, WN3000RPv3, and WN3100RPv2. The vulnerability affects firmware versions prior to the fixed versions listed in the advisory [1]. The issue allows an attacker to store malicious scripts in a field that is later rendered in the device's management interface without proper sanitization.

Exploitation

To exploit the vulnerability, an attacker typically needs network access to the device's management interface and may require authentication credentials. The attacker injects a malicious script into a vulnerable input field, which is then stored and executed in the context of other users' browsers when they view the affected page. The exact steps depend on the specific device and interface, but the core requirement is the ability to submit crafted input that is not properly sanitized before storage [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the affected device's web interface. This can lead to session hijacking, data theft, defacement, or other malicious actions performed with the privileges of the victim user. The impact is limited to the user's browser session and the device management interface, but it could be used to gain further access if combined with other vulnerabilities.

Mitigation

NETGEAR has released firmware updates to fix this vulnerability. Users should upgrade to the following versions or later: - D7800: 1.0.1.47 - EX6100v2: 1.0.1.76 - EX6150v2: 1.0.1.76 - R7500v2: 1.0.3.38 - R7800: 1.0.2.52 - R8900: 1.0.4.12 - R9000: 1.0.4.12 - WN2000RPTv3: 1.0.1.32 - WN3000RPv3: 1.0.2.70 - WN3100RPv2: 1.0.0.66

Instructions for downloading and installing firmware are available on the NETGEAR support site [1]. No workarounds other than applying the patch have been disclosed.