CVE-2017-18704

24.04.2020, 15:15

Certain NETGEAR devices are affected by an attacker's ability to read arbitrary files. This affects D6220 before 1.0.0.32, D6400 before 1.0.0.60, D8500 before 1.0.3.29, R6250 before 1.0.4.16, R6300v2 before 1.0.4.18, R6400 before 1.01.32, R6400v2 before 1.0.2.44, R6700 before 1.0.1.36, R6900 before 1.0.1.34, R7000 before 1.0.9.14, R7000P before 1.3.0.8, R6900P before 1.3.0.8, R7100LG before 1.0.0.34, R7300DST before 1.0.0.56, R7900 before 1.0.1.26, R8000 before 1.0.4.4, R8500 before 1.0.2.106, R8300 before 1.0.2.106, and WNDR3400v3 before 1.0.1.16.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.5 MEDIUM	ADJACENT_NETWORK	LOW	NONE	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
mitre	CNA	6.5 MEDIUM	ADJACENT_NETWORK	LOW	NONE	CVSS:3.0/AC:L/AV:A/A:N/C:H/I:N/PR:N/S:U/UI:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 27%

Vendor	Product	Version
netgear	d6220_firmware	𝑥 < 1.0.0.32
netgear	d6400_firmware	𝑥 < 1.0.0.60
netgear	d8500_firmware	𝑥 < 1.0.3.29
netgear	r6250_firmware	𝑥 < 1.0.4.16
netgear	r6300_firmware	𝑥 < 1.0.4.18
netgear	r6400_firmware	𝑥 < 1.01.32
netgear	r6400_firmware	𝑥 < 1.0.2.44
netgear	r6700_firmware	𝑥 < 1.0.1.36
netgear	r6900_firmware	𝑥 < 1.0.1.34
netgear	r7000_firmware	𝑥 < 1.0.9.14
netgear	r7000p_firmware	𝑥 < 1.3.0.8
netgear	r6900p_firmware	𝑥 < 1.3.0.8
netgear	r7100lg_firmware	𝑥 < 1.0.0.34
netgear	r7300dst_firmware	𝑥 < 1.0.0.56
netgear	r7900_firmware	𝑥 < 1.0.1.26
netgear	r8000_firmware	𝑥 < 1.0.4.4
netgear	r8500_firmware	𝑥 < 1.0.2.106
netgear	r8300_firmware	𝑥 < 1.0.2.106
netgear	wndr3400_firmware	𝑥 < 1.0.1.16

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://kb.netgear.com/000053198/Security-Advisory-for-Arbitrary-File-Read-on-Some-Routers-and-Gateways-PSV-2017-0590