CVE-2021-45658

26.12.2021, 01:15

Certain NETGEAR devices are affected by server-side injection. This affects D7800 before 1.0.1.58, DM200 before 1.0.0.66, EX2700 before 1.0.1.56, EX6150v2 before 1.0.1.86, EX6100v2 before 1.0.1.86, EX6200v2 before 1.0.1.78, EX6250 before 1.0.0.110, EX6410 before 1.0.0.110, EX6420 before 1.0.0.110, EX6400v2 before 1.0.0.110, EX7300 before 1.0.2.144, EX6400 before 1.0.2.144, EX7320 before 1.0.0.110, EX7300v2 before 1.0.0.110, R7500v2 before 1.0.3.48, R7800 before 1.0.2.68, R8900 before 1.0.5.2, R9000 before 1.0.5.2, RAX120 before 1.0.1.90, RBK40 before 2.5.1.16, RBK20 before 2.5.1.16, RBR20 before 2.5.1.16, RBS20 before 2.5.1.16, RBK50 before 2.5.1.16, RBR50 before 2.5.1.16, RBS50 before 2.5.1.16, RBS50Y before 2.6.1.40, WN3000RPv2 before 1.0.0.78, WN3000RPv3 before 1.0.2.80, WNR2000v5 before 1.0.0.72, XR500 before 2.3.2.56, and XR700 before 1.0.1.20.

Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.1 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
mitre	CNA	7.1 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AC:L/AV:L/A:N/C:H/I:H/PR:L/S:U/UI:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 60%

Vendor	Product	Version
netgear	d7800_firmware	𝑥 < 1.0.1.58
netgear	dm200_firmware	𝑥 < 1.0.0.66
netgear	ex2700_firmware	𝑥 < 1.0.1.56
netgear	ex6150v2_firmware	𝑥 < 1.0.1.86
netgear	ex6100v2_firmware	𝑥 < 1.0.1.86
netgear	ex6200v2_firmware	𝑥 < 1.0.1.78
netgear	ex6250_firmware	𝑥 < 1.0.0.110
netgear	ex6410_firmware	𝑥 < 1.0.0.110
netgear	ex6420_firmware	𝑥 < 1.0.0.110
netgear	ex6400v2_firmware	𝑥 < 1.0.0.110
netgear	ex7300_firmware	𝑥 < 1.0.2.144
netgear	ex6400_firmware	𝑥 < 1.0.2.144
netgear	ex7320_firmware	𝑥 < 1.0.0.110
netgear	ex7300v2_firmware	𝑥 < 1.0.0.110
netgear	r7500v2_firmware	𝑥 < 1.0.3.48
netgear	r7800_firmware	𝑥 < 1.0.2.68
netgear	r8900_firmware	𝑥 < 1.0.5.2
netgear	r9000_firmware	𝑥 < 1.0.5.2
netgear	rax120_firmware	𝑥 < 1.0.1.90
netgear	rbk40_firmware	𝑥 < 2.5.1.16
netgear	rbk20_firmware	𝑥 < 2.5.1.16
netgear	rbr20_firmware	𝑥 < 2.5.1.16
netgear	rbs20_firmware	𝑥 < 2.5.1.16
netgear	rbk50_firmware	𝑥 < 2.5.1.16
netgear	rbr50_firmware	𝑥 < 2.5.1.16
netgear	rbs50_firmware	𝑥 < 2.5.1.16
netgear	rbs50y_firmware	𝑥 < 2.6.1.40
netgear	wn3000rpv2_firmware	𝑥 < 1.0.0.78
netgear	wn3000rpv3_firmware	𝑥 < 1.0.2.80
netgear	wnr2000v5_firmware	𝑥 < 1.0.0.72
netgear	xr500_firmware	𝑥 < 2.3.2.56
netgear	xr700_firmware	𝑥 < 1.0.1.20

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References

https://kb.netgear.com/000064062/Security-Advisory-for-Server-Side-Injection-on-Some-Routers-Extenders-and-WiFi-Systems-PSV-2019-0125