CVE-2021-34991
8.8
Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD
Description
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6400v2 1.0.4.106_10.0.80 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UPnP service, which listens on TCP port 5000 by default. When parsing the uuid request header, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-14110.
Affected (44)
Products: Netgear: Ex3700 Firmware, Ex3800 Firmware, Ex6120 Firmware, Ex6130 Firmware, R6400 Firmware, R6400v2 Firmware, R6700v3 Firmware, R6900p Firmware, R7000 Firmware, R7000p Firmware, R7100lg Firmware, R7850 Firmware, R7900p Firmware, R7960p Firmware, R8000 Firmware, R8000p Firmware, R8300 Firmware, R8500 Firmware, Rax15 Firmware, Rax20 Firmware, Rax200 Firmware, Rax35v2 Firmware, Rax38v2 Firmware, Rax40v2 Firmware, Rax42 Firmware, Rax43 Firmware, Rax45 Firmware, Rax48 Firmware, Rax50 Firmware, Rax50s Firmware, Rax75 Firmware, Rax80 Firmware, Raxe450 Firmware, Raxe500 Firmware, Rs400 Firmware, Wndr3400v3 Firmware, Wnr3500lv2 Firmware, Xr300 Firmware, D6220 Firmware, D6400 Firmware, D7000v2 Firmware, Dgn2200v4 Firmware, Dc112a Firmware, Cax80 Firmware
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.0.94 |
| Running on/with | Platform Versions |
|---|---|
Netgear Ex3700 | All versions |
Configuration B
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.0.94 |
| Running on/with | Platform Versions |
|---|---|
Netgear Ex3800 | All versions |
Configuration C
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.0.66 |
| Running on/with | Platform Versions |
|---|---|
Netgear Ex6120 | All versions |
Configuration D
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.0.66 |
| Running on/with | Platform Versions |
|---|---|
Netgear Ex6130 | All versions |
Configuration E
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.1.76 |
| Running on/with | Platform Versions |
|---|---|
Netgear R6400 | All versions |
Configuration F
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.4.120 |
| Running on/with | Platform Versions |
|---|---|
Netgear R6400v2 | All versions |
Configuration G
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.4.120 |
| Running on/with | Platform Versions |
|---|---|
Netgear R6700v3 | All versions |
Configuration H
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.3.3.142 |
| Running on/with | Platform Versions |
|---|---|
Netgear R6900p | All versions |
Configuration I
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.11.128 |
| Running on/with | Platform Versions |
|---|---|
Netgear R7000 | All versions |
Configuration J
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.3.3.142 |
| Running on/with | Platform Versions |
|---|---|
Netgear R7000p | All versions |
Configuration K
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.0.72 |
| Running on/with | Platform Versions |
|---|---|
Netgear R7100lg | All versions |
Configuration L
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.5.76 |
| Running on/with | Platform Versions |
|---|---|
Netgear R7850 | All versions |
Configuration M
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.4.2.84 |
| Running on/with | Platform Versions |
|---|---|
Netgear R7900p | All versions |
Configuration N
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.4.2.84 |
| Running on/with | Platform Versions |
|---|---|
Netgear R7960p | All versions |
Configuration O
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.4.76 |
| Running on/with | Platform Versions |
|---|---|
Netgear R8000 | All versions |
Configuration P
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.4.2.84 |
| Running on/with | Platform Versions |
|---|---|
Netgear R8000p | All versions |
Configuration Q
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.2.156 |
| Running on/with | Platform Versions |
|---|---|
Netgear R8300 | All versions |
Configuration R
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.2.156 |
| Running on/with | Platform Versions |
|---|---|
Netgear R8500 | All versions |
Configuration S
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.4.100 |
| Running on/with | Platform Versions |
|---|---|
Netgear Rax15 | All versions |
Configuration T
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.4.100 |
| Running on/with | Platform Versions |
|---|---|
Netgear Rax20 | All versions |
Configuration U
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.5.132 |
| Running on/with | Platform Versions |
|---|---|
Netgear Rax200 | All versions |
Configuration V
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.4.100 |
| Running on/with | Platform Versions |
|---|---|
Netgear Rax35v2 | All versions |
Configuration W
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.4.100 |
| Running on/with | Platform Versions |
|---|---|
Netgear Rax38v2 | All versions |
Configuration X
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.4.100 |
| Running on/with | Platform Versions |
|---|---|
Netgear Rax40v2 | All versions |
Configuration Y
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.4.100 |
| Running on/with | Platform Versions |
|---|---|
Netgear Rax42 | All versions |
Configuration Z
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.4.100 |
| Running on/with | Platform Versions |
|---|---|
Netgear Rax43 | All versions |
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.4.100 |
| Running on/with | Platform Versions |
|---|---|
Netgear Rax45 | All versions |
Configuration B
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.4.100 |
| Running on/with | Platform Versions |
|---|---|
Netgear Rax48 | All versions |
Configuration C
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.4.100 |
| Running on/with | Platform Versions |
|---|---|
Netgear Rax50 | All versions |
Configuration D
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.4.100 |
| Running on/with | Platform Versions |
|---|---|
Netgear Rax50s | All versions |
Configuration E
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.5.132 |
| Running on/with | Platform Versions |
|---|---|
Netgear Rax75 | All versions |
Configuration F
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.5.132 |
| Running on/with | Platform Versions |
|---|---|
Netgear Rax80 | All versions |
Configuration G
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.8.70 |
| Running on/with | Platform Versions |
|---|---|
Netgear Raxe450 | All versions |
Configuration H
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.8.70 |
| Running on/with | Platform Versions |
|---|---|
Netgear Raxe500 | All versions |
Configuration I
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.5.1.80 |
| Running on/with | Platform Versions |
|---|---|
Netgear Rs400 | All versions |
Configuration J
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.1.42 |
| Running on/with | Platform Versions |
|---|---|
Netgear Wndr3400v3 | All versions |
Configuration K
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.2.0.70 |
| Running on/with | Platform Versions |
|---|---|
Netgear Wnr3500lv2 | All versions |
Configuration L
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.3.68 |
| Running on/with | Platform Versions |
|---|---|
Netgear Xr300 | All versions |
Configuration M
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.0.76 |
| Running on/with | Platform Versions |
|---|---|
Netgear D6220 | All versions |
Configuration N
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.0.108 |
| Running on/with | Platform Versions |
|---|---|
Netgear D6400 | All versions |
Configuration O
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.0.76 |
| Running on/with | Platform Versions |
|---|---|
Netgear D7000v2 | All versions |
Configuration P
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.0.126 |
| Running on/with | Platform Versions |
|---|---|
Netgear Dgn2200v4 | All versions |
Configuration Q
| Vulnerable Software | Affected Versions |
|---|---|
| Before 1.0.0.62 |
| Running on/with | Platform Versions |
|---|---|
Netgear Dc112a | All versions |
Configuration R
| Vulnerable Software | Affected Versions |
|---|---|
| Before 2.1.3.5 |
| Running on/with | Platform Versions |
|---|---|
Netgear Cax80 | All versions |
Related CWEs
CWE-121
Stack-based Buffer Overflow
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
CWE-787
Out-of-bounds Write
The product writes data past the end, or before the beginning, of the intended buffer.
References (4)
Source: zdi-disclosures@trendmicro.com
Vendor Advisory
Source: zdi-disclosures@trendmicro.com
Third Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party AdvisoryVDB Entry
Timeline
No history available yet.