CVE-2017-18776

22.04.2020, 15:15

Certain NETGEAR devices are affected by authentication bypass. This affects D6100 before V1.0.0.55, D7000 before V1.0.1.50, D7800 before V1.0.1.24, JNR1010v2 before 1.1.0.40, JWNR2010v5 before 1.1.0.40, R6100 before 1.0.1.12, R6220 before 1.1.0.50, R7500 before 1.0.0.108, R7500v2 before 1.0.3.10, WNDR4300v1 before 1.0.2.88, WNDR4300v2 before 1.0.0.48, WNDR4500v3 before 1.0.0.48, WNR1000v4 before 1.1.0.40, WNR2000v5 before 1.0.0.42, WNR2020 before 1.1.0.40, and WNR2050 before 1.1.0.40.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.4 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	8.4 HIGH	LOCAL	LOW	NONE	CVSS:3.0/AC:L/AV:L/A:H/C:H/I:H/PR:N/S:U/UI:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Vendor	Product	Version
netgear	d6100_firmware	𝑥 < 1.0.0.55
netgear	d7000_firmware	𝑥 < 1.0.1.50
netgear	d7800_firmware	𝑥 < 1.0.1.24
netgear	jnr1010_firmware	𝑥 < 1.1.0.40
netgear	jwnr2010_firmware	𝑥 < 1.1.0.40
netgear	r6100_firmware	𝑥 < 1.0.1.12
netgear	r6220_firmware	𝑥 < 1.1.0.50
netgear	r7500_firmware	𝑥 < 1.0.0.108
netgear	r7500_firmware	𝑥 < 1.0.3.10
netgear	wndr4300_firmware	𝑥 < 1.0.2.88
netgear	wndr4300_firmware	𝑥 < 1.0.0.48
netgear	wndr4500_firmware	𝑥 < 1.0.0.48
netgear	wnr1000_firmware	𝑥 < 1.1.0.40
netgear	wnr2000_firmware	𝑥 < 1.0.0.42
netgear	wnr2020_firmware	𝑥 < 1.1.0.40
netgear	wnr2050_firmware	𝑥 < 1.1.0.40

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-287 - Improper Authentication
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

References

https://kb.netgear.com/000049552/Security-Advisory-for-Authentication-Bypass-on-Some-Routers-and-Gateways-PSV-2017-0387