CVE-2021-45631
Description
Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects CBR40 before 2.5.0.24, CBR750 before 4.6.3.6, RBK752 before 3.2.17.12, RBR750 before 3.2.17.12, RBS750 before 3.2.17.12, RBK852 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 3.2.17.12.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated command injection in multiple NETGEAR WiFi system models can allow remote code execution.
Vulnerability
Certain NETGEAR WiFi system models are affected by a pre-authentication command injection vulnerability. The affected products and their vulnerable firmware versions are: CBR40 before 2.5.0.24, CBR750 before 4.6.3.6, RBK752 before 3.2.17.12, RBR750 before 3.2.17.12, RBS750 before 3.2.17.12, RBK852 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 3.2.17.12 [1]. The vulnerability can be exploited by an unauthenticated attacker over the network.
Exploitation
An unauthenticated attacker can send specially crafted network requests to the affected device to trigger the command injection. No prior authentication or user interaction is required: the vulnerability exists in the pre-authentication stage, so the attacker does not need valid credentials to exploit it [1]. The exact sequence of steps to trigger the injection is not publicly detailed in the available references, but pre-authentication command injection typically involves malicious input in a parameter that is passed to a shell command.
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary commands with the privileges of the affected service (likely root). This leads to a complete compromise of the device's confidentiality, integrity, and availability. An attacker can gain full control over the device, access stored information, modify device settings, and potentially pivot to other devices on the network [1].
Mitigation
NETGEAR has released fixed firmware versions for all affected models: CBR40 2.5.0.24, CBR750 4.6.3.6, and 3.2.17.12 for the Orbi models (RBK752, RBR750, RBS750, RBK852, RBR850, RBS850) [1]. Users should download and install the latest firmware from the NETGEAR Support website as soon as possible. There is no known workaround besides updating to the patched version [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- NETGEAR/NETGEAR devices
Patches
No patches discovered yet.
References