CVE-2017-18850

EUVD-2017-9941

20.04.2020, 14:15

Certain NETGEAR devices are affected by authentication bypass. This affects D6220 before 1.0.0.26, D6400 before 1.0.0.60, D8500 before 1.0.3.29, R6250 before 1.0.4.12, R6400 before 1.01.24, R6400v2 before 1.0.2.30, R6700 before 1.0.1.22, R6900 before 1.0.1.22, R6900P before 1.0.0.56, R7000 before 1.0.9.4, R7000P before 1.0.0.56, R7100LG before 1.0.0.32, R7300DST before 1.0.0.54, R7900 before 1.0.1.18, R8000 before 1.0.3.44, R8300 before 1.0.2.100_1.0.82, and R8500 before 1.0.2.100_1.0.82.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.4 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	8.4 HIGH	LOCAL	LOW	NONE	CVSS:3.0/AC:L/AV:L/A:H/C:H/I:H/PR:N/S:U/UI:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 22%

Affected Products (NVD)

Vendor	Product	Version
netgear	d6220_firmware	𝑥 < 1.0.0.26
netgear	d6400_firmware	𝑥 < 1.0.0.60
netgear	d8500_firmware	𝑥 < 1.0.3.29
netgear	r6250_firmware	𝑥 < 1.0.4.12
netgear	r6400_firmware	𝑥 < 1.01.24
netgear	r6400_firmware	𝑥 < 1.0.2.30
netgear	r6700_firmware	𝑥 < 1.0.1.22
netgear	r6900_firmware	𝑥 < 1.0.1.22
netgear	r6900p_firmware	𝑥 < 1.0.0.56
netgear	r7000_firmware	𝑥 < 1.0.9.4
netgear	r7000p_firmware	𝑥 < 1.0.0.56
netgear	r7100lg_firmware	𝑥 < 1.0.0.32
netgear	r7300dst_firmware	𝑥 < 1.0.0.54
netgear	r7900_firmware	𝑥 < 1.0.1.18
netgear	r8000_firmware	𝑥 < 1.0.3.44
netgear	r8300_firmware	𝑥 < 1.0.2.100_1.0.82
netgear	r8500_firmware	𝑥 < 1.0.2.100_1.0.82

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-287 - Improper Authentication
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

References

https://kb.netgear.com/000048998/Security-Advisory-for-Authentication-Bypass-on-Some-Routers-or-Modem-Routers-PSV-2017-1208