CVE-2021-34991
NETGEAR R6400v2 UPnP uuid Stack-based Buffer Overflow Remote Code Execution Vulnerability
Severity Score
8.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6400v2 1.0.4.106_10.0.80 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UPnP service, which listens on TCP port 5000 by default. When parsing the uuid request header, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-14110.
Esta vulnerabilidad permite a atacantes adyacentes a la red ejecutar código arbitrario en las instalaciones afectadas de los routers NETGEAR versión R6400v2 1.0.4.106_10.0.80. No es requerida una autenticación para explotar esta vulnerabilidad. El fallo específico es presentado en el servicio UPnP, que escucha en el puerto TCP 5000 por defecto. Cuando analiza el encabezado petición uuid, el proceso no comprueba correctamente la longitud de los datos suministrados por el usuario antes de copiarlos en un búfer de longitud fija en la región stack de la memoria. Un atacante puede aprovechar esta vulnerabilidad para ejecutar código en el contexto de root. Fue ZDI-CAN-14110
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6400v2 routers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the UPnP service, which listens on TCP port 5000 by default. When parsing the uuid request header, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.
*Credits:
anonymous
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-06-17 CVE Reserved
- 2021-11-11 CVE Published
- 2024-07-31 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-121: Stack-based Buffer Overflow
- CWE-787: Out-of-bounds Write
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-21-1303 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Netgear Search vendor "Netgear" | Ex3700 Firmware Search vendor "Netgear" for product "Ex3700 Firmware" | < 1.0.0.94 Search vendor "Netgear" for product "Ex3700 Firmware" and version " < 1.0.0.94" | - |
Affected
| in | Netgear Search vendor "Netgear" | Ex3700 Search vendor "Netgear" for product "Ex3700" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Ex3800 Firmware Search vendor "Netgear" for product "Ex3800 Firmware" | < 1.0.0.94 Search vendor "Netgear" for product "Ex3800 Firmware" and version " < 1.0.0.94" | - |
Affected
| in | Netgear Search vendor "Netgear" | Ex3800 Search vendor "Netgear" for product "Ex3800" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Ex6120 Firmware Search vendor "Netgear" for product "Ex6120 Firmware" | < 1.0.0.66 Search vendor "Netgear" for product "Ex6120 Firmware" and version " < 1.0.0.66" | - |
Affected
| in | Netgear Search vendor "Netgear" | Ex6120 Search vendor "Netgear" for product "Ex6120" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Ex6130 Firmware Search vendor "Netgear" for product "Ex6130 Firmware" | < 1.0.0.66 Search vendor "Netgear" for product "Ex6130 Firmware" and version " < 1.0.0.66" | - |
Affected
| in | Netgear Search vendor "Netgear" | Ex6130 Search vendor "Netgear" for product "Ex6130" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | R6400 Firmware Search vendor "Netgear" for product "R6400 Firmware" | < 1.0.1.76 Search vendor "Netgear" for product "R6400 Firmware" and version " < 1.0.1.76" | - |
Affected
| in | Netgear Search vendor "Netgear" | R6400 Search vendor "Netgear" for product "R6400" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | R6400v2 Firmware Search vendor "Netgear" for product "R6400v2 Firmware" | < 1.0.4.120 Search vendor "Netgear" for product "R6400v2 Firmware" and version " < 1.0.4.120" | - |
Affected
| in | Netgear Search vendor "Netgear" | R6400v2 Search vendor "Netgear" for product "R6400v2" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | R6700v3 Firmware Search vendor "Netgear" for product "R6700v3 Firmware" | < 1.0.4.120 Search vendor "Netgear" for product "R6700v3 Firmware" and version " < 1.0.4.120" | - |
Affected
| in | Netgear Search vendor "Netgear" | R6700v3 Search vendor "Netgear" for product "R6700v3" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | R6900p Firmware Search vendor "Netgear" for product "R6900p Firmware" | < 1.3.3.142 Search vendor "Netgear" for product "R6900p Firmware" and version " < 1.3.3.142" | - |
Affected
| in | Netgear Search vendor "Netgear" | R6900p Search vendor "Netgear" for product "R6900p" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | R7000 Firmware Search vendor "Netgear" for product "R7000 Firmware" | < 1.0.11.128 Search vendor "Netgear" for product "R7000 Firmware" and version " < 1.0.11.128" | - |
Affected
| in | Netgear Search vendor "Netgear" | R7000 Search vendor "Netgear" for product "R7000" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | R7000p Firmware Search vendor "Netgear" for product "R7000p Firmware" | < 1.3.3.142 Search vendor "Netgear" for product "R7000p Firmware" and version " < 1.3.3.142" | - |
Affected
| in | Netgear Search vendor "Netgear" | R7000p Search vendor "Netgear" for product "R7000p" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | R7100lg Firmware Search vendor "Netgear" for product "R7100lg Firmware" | < 1.0.0.72 Search vendor "Netgear" for product "R7100lg Firmware" and version " < 1.0.0.72" | - |
Affected
| in | Netgear Search vendor "Netgear" | R7100lg Search vendor "Netgear" for product "R7100lg" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | R7850 Firmware Search vendor "Netgear" for product "R7850 Firmware" | < 1.0.5.76 Search vendor "Netgear" for product "R7850 Firmware" and version " < 1.0.5.76" | - |
Affected
| in | Netgear Search vendor "Netgear" | R7850 Search vendor "Netgear" for product "R7850" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | R7900p Firmware Search vendor "Netgear" for product "R7900p Firmware" | < 1.4.2.84 Search vendor "Netgear" for product "R7900p Firmware" and version " < 1.4.2.84" | - |
Affected
| in | Netgear Search vendor "Netgear" | R7900p Search vendor "Netgear" for product "R7900p" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | R7960p Firmware Search vendor "Netgear" for product "R7960p Firmware" | < 1.4.2.84 Search vendor "Netgear" for product "R7960p Firmware" and version " < 1.4.2.84" | - |
Affected
| in | Netgear Search vendor "Netgear" | R7960p Search vendor "Netgear" for product "R7960p" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | R8000 Firmware Search vendor "Netgear" for product "R8000 Firmware" | < 1.0.4.76 Search vendor "Netgear" for product "R8000 Firmware" and version " < 1.0.4.76" | - |
Affected
| in | Netgear Search vendor "Netgear" | R8000 Search vendor "Netgear" for product "R8000" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | R8000p Firmware Search vendor "Netgear" for product "R8000p Firmware" | < 1.4.2.84 Search vendor "Netgear" for product "R8000p Firmware" and version " < 1.4.2.84" | - |
Affected
| in | Netgear Search vendor "Netgear" | R8000p Search vendor "Netgear" for product "R8000p" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | R8300 Firmware Search vendor "Netgear" for product "R8300 Firmware" | < 1.0.2.156 Search vendor "Netgear" for product "R8300 Firmware" and version " < 1.0.2.156" | - |
Affected
| in | Netgear Search vendor "Netgear" | R8300 Search vendor "Netgear" for product "R8300" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | R8500 Firmware Search vendor "Netgear" for product "R8500 Firmware" | < 1.0.2.156 Search vendor "Netgear" for product "R8500 Firmware" and version " < 1.0.2.156" | - |
Affected
| in | Netgear Search vendor "Netgear" | R8500 Search vendor "Netgear" for product "R8500" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Rax15 Firmware Search vendor "Netgear" for product "Rax15 Firmware" | < 1.0.4.100 Search vendor "Netgear" for product "Rax15 Firmware" and version " < 1.0.4.100" | - |
Affected
| in | Netgear Search vendor "Netgear" | Rax15 Search vendor "Netgear" for product "Rax15" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Rax20 Firmware Search vendor "Netgear" for product "Rax20 Firmware" | < 1.0.4.100 Search vendor "Netgear" for product "Rax20 Firmware" and version " < 1.0.4.100" | - |
Affected
| in | Netgear Search vendor "Netgear" | Rax20 Search vendor "Netgear" for product "Rax20" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Rax200 Firmware Search vendor "Netgear" for product "Rax200 Firmware" | < 1.0.5.132 Search vendor "Netgear" for product "Rax200 Firmware" and version " < 1.0.5.132" | - |
Affected
| in | Netgear Search vendor "Netgear" | Rax200 Search vendor "Netgear" for product "Rax200" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Rax35v2 Firmware Search vendor "Netgear" for product "Rax35v2 Firmware" | < 1.0.4.100 Search vendor "Netgear" for product "Rax35v2 Firmware" and version " < 1.0.4.100" | - |
Affected
| in | Netgear Search vendor "Netgear" | Rax35v2 Search vendor "Netgear" for product "Rax35v2" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Rax38v2 Firmware Search vendor "Netgear" for product "Rax38v2 Firmware" | < 1.0.4.100 Search vendor "Netgear" for product "Rax38v2 Firmware" and version " < 1.0.4.100" | - |
Affected
| in | Netgear Search vendor "Netgear" | Rax38v2 Search vendor "Netgear" for product "Rax38v2" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Rax40v2 Firmware Search vendor "Netgear" for product "Rax40v2 Firmware" | < 1.0.4.100 Search vendor "Netgear" for product "Rax40v2 Firmware" and version " < 1.0.4.100" | - |
Affected
| in | Netgear Search vendor "Netgear" | Rax40v2 Search vendor "Netgear" for product "Rax40v2" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Rax42 Firmware Search vendor "Netgear" for product "Rax42 Firmware" | < 1.0.4.100 Search vendor "Netgear" for product "Rax42 Firmware" and version " < 1.0.4.100" | - |
Affected
| in | Netgear Search vendor "Netgear" | Rax42 Search vendor "Netgear" for product "Rax42" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Rax43 Firmware Search vendor "Netgear" for product "Rax43 Firmware" | < 1.0.4.100 Search vendor "Netgear" for product "Rax43 Firmware" and version " < 1.0.4.100" | - |
Affected
| in | Netgear Search vendor "Netgear" | Rax43 Search vendor "Netgear" for product "Rax43" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Rax45 Firmware Search vendor "Netgear" for product "Rax45 Firmware" | < 1.0.4.100 Search vendor "Netgear" for product "Rax45 Firmware" and version " < 1.0.4.100" | - |
Affected
| in | Netgear Search vendor "Netgear" | Rax45 Search vendor "Netgear" for product "Rax45" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Rax48 Firmware Search vendor "Netgear" for product "Rax48 Firmware" | < 1.0.4.100 Search vendor "Netgear" for product "Rax48 Firmware" and version " < 1.0.4.100" | - |
Affected
| in | Netgear Search vendor "Netgear" | Rax48 Search vendor "Netgear" for product "Rax48" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Rax50 Firmware Search vendor "Netgear" for product "Rax50 Firmware" | < 1.0.4.100 Search vendor "Netgear" for product "Rax50 Firmware" and version " < 1.0.4.100" | - |
Affected
| in | Netgear Search vendor "Netgear" | Rax50 Search vendor "Netgear" for product "Rax50" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Rax50s Firmware Search vendor "Netgear" for product "Rax50s Firmware" | < 1.0.4.100 Search vendor "Netgear" for product "Rax50s Firmware" and version " < 1.0.4.100" | - |
Affected
| in | Netgear Search vendor "Netgear" | Rax50s Search vendor "Netgear" for product "Rax50s" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Rax75 Firmware Search vendor "Netgear" for product "Rax75 Firmware" | < 1.0.5.132 Search vendor "Netgear" for product "Rax75 Firmware" and version " < 1.0.5.132" | - |
Affected
| in | Netgear Search vendor "Netgear" | Rax75 Search vendor "Netgear" for product "Rax75" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Rax80 Firmware Search vendor "Netgear" for product "Rax80 Firmware" | < 1.0.5.132 Search vendor "Netgear" for product "Rax80 Firmware" and version " < 1.0.5.132" | - |
Affected
| in | Netgear Search vendor "Netgear" | Rax80 Search vendor "Netgear" for product "Rax80" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Raxe450 Firmware Search vendor "Netgear" for product "Raxe450 Firmware" | < 1.0.8.70 Search vendor "Netgear" for product "Raxe450 Firmware" and version " < 1.0.8.70" | - |
Affected
| in | Netgear Search vendor "Netgear" | Raxe450 Search vendor "Netgear" for product "Raxe450" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Raxe500 Firmware Search vendor "Netgear" for product "Raxe500 Firmware" | < 1.0.8.70 Search vendor "Netgear" for product "Raxe500 Firmware" and version " < 1.0.8.70" | - |
Affected
| in | Netgear Search vendor "Netgear" | Raxe500 Search vendor "Netgear" for product "Raxe500" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Rs400 Firmware Search vendor "Netgear" for product "Rs400 Firmware" | < 1.5.1.80 Search vendor "Netgear" for product "Rs400 Firmware" and version " < 1.5.1.80" | - |
Affected
| in | Netgear Search vendor "Netgear" | Rs400 Search vendor "Netgear" for product "Rs400" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Wndr3400v3 Firmware Search vendor "Netgear" for product "Wndr3400v3 Firmware" | < 1.0.1.42 Search vendor "Netgear" for product "Wndr3400v3 Firmware" and version " < 1.0.1.42" | - |
Affected
| in | Netgear Search vendor "Netgear" | Wndr3400v3 Search vendor "Netgear" for product "Wndr3400v3" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Wnr3500lv2 Firmware Search vendor "Netgear" for product "Wnr3500lv2 Firmware" | < 1.2.0.70 Search vendor "Netgear" for product "Wnr3500lv2 Firmware" and version " < 1.2.0.70" | - |
Affected
| in | Netgear Search vendor "Netgear" | Wnr3500lv2 Search vendor "Netgear" for product "Wnr3500lv2" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Xr300 Firmware Search vendor "Netgear" for product "Xr300 Firmware" | < 1.0.3.68 Search vendor "Netgear" for product "Xr300 Firmware" and version " < 1.0.3.68" | - |
Affected
| in | Netgear Search vendor "Netgear" | Xr300 Search vendor "Netgear" for product "Xr300" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | D6220 Firmware Search vendor "Netgear" for product "D6220 Firmware" | < 1.0.0.76 Search vendor "Netgear" for product "D6220 Firmware" and version " < 1.0.0.76" | - |
Affected
| in | Netgear Search vendor "Netgear" | D6220 Search vendor "Netgear" for product "D6220" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | D6400 Firmware Search vendor "Netgear" for product "D6400 Firmware" | < 1.0.0.108 Search vendor "Netgear" for product "D6400 Firmware" and version " < 1.0.0.108" | - |
Affected
| in | Netgear Search vendor "Netgear" | D6400 Search vendor "Netgear" for product "D6400" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | D7000v2 Firmware Search vendor "Netgear" for product "D7000v2 Firmware" | < 1.0.0.76 Search vendor "Netgear" for product "D7000v2 Firmware" and version " < 1.0.0.76" | - |
Affected
| in | Netgear Search vendor "Netgear" | D7000v2 Search vendor "Netgear" for product "D7000v2" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Dgn2200v4 Firmware Search vendor "Netgear" for product "Dgn2200v4 Firmware" | < 1.0.0.126 Search vendor "Netgear" for product "Dgn2200v4 Firmware" and version " < 1.0.0.126" | - |
Affected
| in | Netgear Search vendor "Netgear" | Dgn2200v4 Search vendor "Netgear" for product "Dgn2200v4" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Dc112a Firmware Search vendor "Netgear" for product "Dc112a Firmware" | < 1.0.0.62 Search vendor "Netgear" for product "Dc112a Firmware" and version " < 1.0.0.62" | - |
Affected
| in | Netgear Search vendor "Netgear" | Dc112a Search vendor "Netgear" for product "Dc112a" | - | - |
Safe
|
| Netgear Search vendor "Netgear" | Cax80 Firmware Search vendor "Netgear" for product "Cax80 Firmware" | < 2.1.3.5 Search vendor "Netgear" for product "Cax80 Firmware" and version " < 2.1.3.5" | - |
Affected
| in | Netgear Search vendor "Netgear" | Cax80 Search vendor "Netgear" for product "Cax80" | - | - |
Safe
|