CVE-2021-35055
Description
MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected Setup) protocol. (Affected Chipsets MT7603E, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915; Affected Software Versions 7.4.0.0; Out-of-bounds write).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Out-of-bounds write in WPS protocol handling on MediaTek chipsets (MT7603E, etc.) leads to remote code execution on NETGEAR and other devices.
Vulnerability
CVE-2021-35055 is an out-of-bounds write vulnerability in the Wi-Fi Protected Setup (WPS) protocol implementation on MediaTek chipsets including MT7603E, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, and MT7915 when running software version 7.4.0.0 [1]. Affected devices from NETGEAR include extenders and access points such as EAX11v2, EAX12, EX3700, EX3800, EX6120, EX6130, EX6250v2, EX6400v3, EX6410v2, EX6470, WAC104, WAC124, WAX202, and WAX206 [2]. The vulnerability is reachable when WPS is enabled on the device.
Exploitation
An attacker within Wi-Fi range can exploit this vulnerability by sending specially crafted WPS information elements during the WPS handshake. No prior authentication or user interaction is required, as WPS is designed to operate without credentials. The crafted messages cause a memory write beyond the allocated buffer, leading to memory corruption [1][2].
Impact
Successful exploitation can allow an attacker to execute arbitrary code on the target device, potentially gaining full control. At a minimum, the out-of-bounds write can cause a denial of service. The CVSS v3.1 severity rating for this vulnerability is High.
Mitigation
MediaTek has released patches, and NETGEAR has published firmware updates for many affected products. Fixed versions include: EAX11v2 and EAX12 at 1.0.3.34; EX3700 and EX3800 at 1.0.0.96; EX6120 at 1.0.0.68; EX6130 at 1.0.0.48; EX6250v2, EX6400v3, EX6410v2, EX6470 at 1.0.3.32; WAC104 at 1.0.4.20; WAC124 at 1.0.4.8; WAX202 at 1.0.5.1; WAX206 at 1.0.4.0 [2]. No workarounds are available. Users are strongly advised to update to the latest firmware. For devices not listed, consult the vendor's support page.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2
- MediaTek/microchips
Patches
0
No patches discovered yet.
References
2
News mentions
0
No linked articles in our index yet.