CVE-2021-45556

26.12.2021, 01:15

Certain NETGEAR devices are affected by command injection by an authenticated user. This affects GS108Tv2 before 5.4.2.36, GS110TPP before 7.0.7.2, GS110TPv2 before 5.4.2.36., GS110TPv3 before 7.0.7.2, GS308T before 1.0.3.2, GS310TP before 1.0.3.2, GS724TPP before 2.0.6.3, GS724TPv2 before 2.0.6.3, GS728TPPv2 before 6.0.8.2, GS728TPv2 before 6.0.8.2, GS752TPP before 6.0.8.2, GS752TPv2 before 6.0.8.2, MS510TXM before 1.0.4.2, and MS510TXUP before 1.0.4.2.

Command Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	ADJACENT_NETWORK	HIGH	HIGH	CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:H
mitre	CNA	7.5 HIGH	ADJACENT_NETWORK	HIGH	HIGH	CVSS:3.1/AC:H/AV:A/A:H/C:L/I:H/PR:H/S:C/UI:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 64%

Vendor	Product	Version
netgear	gs108tv2_firmware	𝑥 < 5.4.2.36
netgear	gs110tpp_firmware	𝑥 < 7.0.7.2
netgear	gs110tpv2_firmware	𝑥 < 5.4.2.36
netgear	gs308t_firmware	𝑥 < 1.0.3.2
netgear	gs110tpv3_firmware	𝑥 < 7.0.7.2
netgear	gs310tp_firmware	𝑥 < 1.0.3.2
netgear	gs724tpp_firmware	𝑥 < 2.0.6.3
netgear	gs724tpv2_firmware	𝑥 < 2.0.6.3
netgear	gs728tppv2_firmware	𝑥 < 6.0.8.2
netgear	gs728tpv2_firmware	𝑥 < 6.0.8.2
netgear	gs752tpp_firmware	𝑥 < 6.0.8.2
netgear	gs752tpv2_firmware	𝑥 < 6.0.8.2
netgear	ms510txm_firmware	𝑥 < 1.0.4.2
netgear	ms510txup_firmware	𝑥 < 1.0.4.2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References

https://kb.netgear.com/000064534/Security-Advisory-for-Post-Authentication-Command-Injection-on-Some-Smart-Managed-Pro-Switches-PSV-2021-0175