CVE-2021-45596

Vulnerability

A command injection vulnerability exists in certain NETGEAR WiFi systems, including CBR750 (before 4.6.3.6), RBK752, RBR750, RBS750, RBK852, RBR850, and RBS850 (all before 3.2.17.12). This flaw allows an authenticated user to inject operating system commands through the device's management interface. The vulnerability is present in the firmware versions listed and can be reached when a user with valid credentials sends crafted input to the affected component.

Exploitation

To exploit this vulnerability, an attacker must first obtain valid authentication credentials for the target device. With authenticated access, the attacker can send specially crafted requests to the management interface, injecting arbitrary commands that are then executed by the underlying operating system. No additional user interaction is required beyond the attacker's own actions. The advisory does not specify the exact input vector but indicates the command injection occurs post-authentication.

Impact

Successful exploitation allows the authenticated attacker to execute arbitrary commands on the device with the privileges of the affected process, potentially leading to full compromise of the device. This could result in information disclosure, modification of device configuration, or further propagation within the network. The impact is considered significant as these devices often serve as primary network gateways.

Mitigation

NETGEAR has released fixed firmware versions to address this vulnerability: CBR750 firmware version 4.6.3.6, and versions 3.2.17.12 for RBK752, RBR750, RBS750, RBK852, RBR850, and RBS850 [1]. Users are strongly recommended to download and install the latest firmware from NETGEAR Support as soon as possible. There are no known workarounds; updating is the only remediation. The vulnerability was fixed in firmware released on September 26, 2021 [1].