cnvd - cnvd-2022-06704

CNVD-2022-06704

Vulnerability from cnvd - Published: 2022-01-25

Title

NETGEAR R7450认证绕过漏洞

Description

NETGEAR R7450是美国网件（Netgear）公司的一款路由器。连接两个或多个网络的硬件设备，在网络间起网关的作用。 NETGEAR R7450存在认证绕过漏洞，该漏洞源于密码恢复过程中状态跟踪不当。攻击者可利用该漏洞绕过认证。

Severity

中

Patch Name

NETGEAR R7450认证绕过漏洞的补丁

Patch Description

NETGEAR R7450是美国网件（Netgear）公司的一款路由器。连接两个或多个网络的硬件设备，在网络间起网关的作用。 NETGEAR R7450存在认证绕过漏洞，该漏洞源于密码恢复过程中状态跟踪不当。攻击者可利用该漏洞绕过认证。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://kb.netgear.com/000062641/Security-Advisory-for-Password-Recovery-Vulnerabilities-on-Some-Routers

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-27872

Impacted products

Name
['NETGEAR R6260 <1.1.0.78', 'NETGEAR R7450 <1.2.0.76', 'NETGEAR AC2100 <1.2.0.76', 'NETGEAR AC2400 <1.2.0.76', 'NETGEAR R6020 <1.0.0.48', 'NETGEAR R6080 <1.0.0.48', 'NETGEAR R6800 <1.2.0.76', 'NETGEAR R6850 <1.1.0.78', 'NETGEAR R7200 <1.2.0.76', 'NETGEAR R7350 <1.2.0.76', 'NETGEAR R7400 <1.2.0.76', 'NETGEAR AC2600 <1.2.0.76', 'NETGEAR R6350 <1.1.0.78', 'NETGEAR R6330 <1.1.0.78', 'NETGEAR R6700 <1.2.0.76', 'NETGEAR R6900 <1.2.0.76', 'NETGEAR R6220 <1.1.0.104', 'NETGEAR R6230 <1.1.0.104']

Name

['NETGEAR R6260 <1.1.0.78', 'NETGEAR R7450 <1.2.0.76', 'NETGEAR AC2100 <1.2.0.76', 'NETGEAR AC2400 <1.2.0.76', 'NETGEAR R6020 <1.0.0.48', 'NETGEAR R6080 <1.0.0.48', 'NETGEAR R6800 <1.2.0.76', 'NETGEAR R6850 <1.1.0.78', 'NETGEAR R7200 <1.2.0.76', 'NETGEAR R7350 <1.2.0.76', 'NETGEAR R7400 <1.2.0.76', 'NETGEAR AC2600 <1.2.0.76', 'NETGEAR R6350 <1.1.0.78', 'NETGEAR R6330 <1.1.0.78', 'NETGEAR R6700 <1.2.0.76', 'NETGEAR R6900 <1.2.0.76', 'NETGEAR R6220 <1.1.0.104', 'NETGEAR R6230 <1.1.0.104']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-27872",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-27872"
    }
  },
  "description": "NETGEAR R7450\u662f\u7f8e\u56fd\u7f51\u4ef6\uff08Netgear\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u8def\u7531\u5668\u3002\u8fde\u63a5\u4e24\u4e2a\u6216\u591a\u4e2a\u7f51\u7edc\u7684\u786c\u4ef6\u8bbe\u5907\uff0c\u5728\u7f51\u7edc\u95f4\u8d77\u7f51\u5173\u7684\u4f5c\u7528\u3002\n\nNETGEAR R7450\u5b58\u5728\u8ba4\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5bc6\u7801\u6062\u590d\u8fc7\u7a0b\u4e2d\u72b6\u6001\u8ddf\u8e2a\u4e0d\u5f53\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u8ba4\u8bc1\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://kb.netgear.com/000062641/Security-Advisory-for-Password-Recovery-Vulnerabilities-on-Some-Routers",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-06704",
  "openTime": "2022-01-25",
  "patchDescription": "NETGEAR R7450\u662f\u7f8e\u56fd\u7f51\u4ef6\uff08Netgear\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u8def\u7531\u5668\u3002\u8fde\u63a5\u4e24\u4e2a\u6216\u591a\u4e2a\u7f51\u7edc\u7684\u786c\u4ef6\u8bbe\u5907\uff0c\u5728\u7f51\u7edc\u95f4\u8d77\u7f51\u5173\u7684\u4f5c\u7528\u3002\r\n\r\nNETGEAR R7450\u5b58\u5728\u8ba4\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5bc6\u7801\u6062\u590d\u8fc7\u7a0b\u4e2d\u72b6\u6001\u8ddf\u8e2a\u4e0d\u5f53\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u8ba4\u8bc1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "NETGEAR R7450\u8ba4\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "NETGEAR R6260 \u003c1.1.0.78",
      "NETGEAR R7450 \u003c1.2.0.76",
      "NETGEAR AC2100 \u003c1.2.0.76",
      "NETGEAR AC2400 \u003c1.2.0.76",
      "NETGEAR R6020 \u003c1.0.0.48",
      "NETGEAR R6080 \u003c1.0.0.48",
      "NETGEAR R6800 \u003c1.2.0.76",
      "NETGEAR R6850 \u003c1.1.0.78",
      "NETGEAR R7200 \u003c1.2.0.76",
      "NETGEAR R7350 \u003c1.2.0.76",
      "NETGEAR R7400 \u003c1.2.0.76",
      "NETGEAR AC2600 \u003c1.2.0.76",
      "NETGEAR R6350 \u003c1.1.0.78",
      "NETGEAR R6330 \u003c1.1.0.78",
      "NETGEAR R6700 \u003c1.2.0.76",
      "NETGEAR R6900 \u003c1.2.0.76",
      "NETGEAR R6220 \u003c1.1.0.104",
      "NETGEAR R6230 \u003c1.1.0.104"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-27872",
  "serverity": "\u4e2d",
  "submitTime": "2021-02-06",
  "title": "NETGEAR R7450\u8ba4\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e"
}

CVE-2020-27872 (GCVE-0-2020-27872)

Vulnerability from cvelistv5 – Published: 2021-02-04 16:45 – Updated: 2024-08-04 16:25

Summary

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7450 1.2.0.62_1.0.1 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the mini_httpd service, which listens on TCP port 80 by default. The issue results from improper state tracking in the password recovery process. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-11365.

Severity ?

8.8 (High)


                        
                          CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-642 - External Control of Critical State Data

Assigner

zdi

References

URL

Tags

	https://www.zerodayinitiative.com/advisories/ZDI-…	x_refsource_MISC
	https://kb.netgear.com/000062641/Security-Advisor…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	NETGEAR	R7450	Affected: 1.2.0.62_1.0.1

Credits

1sd3d of Viettel Cyber Security

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T16:25:43.683Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-071/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://kb.netgear.com/000062641/Security-Advisory-for-Password-Recovery-Vulnerabilities-on-Some-Routers"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "R7450",
          "vendor": "NETGEAR",
          "versions": [
            {
              "status": "affected",
              "version": "1.2.0.62_1.0.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "1sd3d of Viettel Cyber Security"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7450 1.2.0.62_1.0.1 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the mini_httpd service, which listens on TCP port 80 by default. The issue results from improper state tracking in the password recovery process. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-11365."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-642",
              "description": "CWE-642: External Control of Critical State Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-04T16:45:17",
        "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "shortName": "zdi"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-071/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://kb.netgear.com/000062641/Security-Advisory-for-Password-Recovery-Vulnerabilities-on-Some-Routers"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "zdi-disclosures@trendmicro.com",
          "ID": "CVE-2020-27872",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "R7450",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "1.2.0.62_1.0.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "NETGEAR"
              }
            ]
          }
        },
        "credit": "1sd3d of Viettel Cyber Security",
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7450 1.2.0.62_1.0.1 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the mini_httpd service, which listens on TCP port 80 by default. The issue results from improper state tracking in the password recovery process. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-11365."
            }
          ]
        },
        "impact": {
          "cvss": {
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-642: External Control of Critical State Data"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-071/",
              "refsource": "MISC",
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-071/"
            },
            {
              "name": "https://kb.netgear.com/000062641/Security-Advisory-for-Password-Recovery-Vulnerabilities-on-Some-Routers",
              "refsource": "MISC",
              "url": "https://kb.netgear.com/000062641/Security-Advisory-for-Password-Recovery-Vulnerabilities-on-Some-Routers"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
    "assignerShortName": "zdi",
    "cveId": "CVE-2020-27872",
    "datePublished": "2021-02-04T16:45:17",
    "dateReserved": "2020-10-27T00:00:00",
    "dateUpdated": "2024-08-04T16:25:43.683Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-06704

CVE-2020-27872 (GCVE-0-2020-27872)

Tags

Sightings

Nomenclature