// For flags

CVE-2021-45608

 

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Certain D-Link, Edimax, NETGEAR, TP-Link, Tenda, and Western Digital devices are affected by an integer overflow by an unauthenticated attacker. Remote code execution from the WAN interface (TCP port 20005) cannot be ruled out; however, exploitability was judged to be of "rather significant complexity" but not "impossible." The overflow is in SoftwareBus_dispatchNormalEPMsgOut in the KCodes NetUSB kernel module. Affected NETGEAR devices are D7800 before 1.0.1.68, R6400v2 before 1.0.4.122, and R6700v3 before 1.0.4.122.

Algunos dispositivos de D-Link, Edimax, NETGEAR, TP-Link, Tenda y Western Digital están afectados por un desbordamiento de enteros por parte de un atacante no autenticado. No se puede descartar la ejecución remota de código desde la interfaz WAN (puerto TCP 20005); sin embargo, se ha considerado que la posibilidad de aprovechamiento es "bastante compleja" pero no "imposible". El desbordamiento se encuentra en SoftwareBus_dispatchNormalEPMsgOut en el módulo del kernel KCodes NetUSB. Los dispositivos NETGEAR afectados son el D7800 antes de la versión 1.0.1.68, el R6400v2 antes de la versión 1.0.4.122 y el R6700v3 antes de la versión 1.0.4.122

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-12-25 CVE Reserved
  • 2021-12-26 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-08-04 First Exploit
  • 2024-09-10 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-190: Integer Overflow or Wraparound
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Netgear
Search vendor "Netgear"
D7800 Firmware
Search vendor "Netgear" for product "D7800 Firmware"
< 1.0.1.68
Search vendor "Netgear" for product "D7800 Firmware" and version " < 1.0.1.68"
-
Affected
in Netgear
Search vendor "Netgear"
D7800
Search vendor "Netgear" for product "D7800"
--
Safe
Netgear
Search vendor "Netgear"
R6400v2 Firmware
Search vendor "Netgear" for product "R6400v2 Firmware"
< 1.0.4.122
Search vendor "Netgear" for product "R6400v2 Firmware" and version " < 1.0.4.122"
-
Affected
in Netgear
Search vendor "Netgear"
R6400v2
Search vendor "Netgear" for product "R6400v2"
--
Safe
Netgear
Search vendor "Netgear"
R6700v3 Firmware
Search vendor "Netgear" for product "R6700v3 Firmware"
< 1.0.4.122
Search vendor "Netgear" for product "R6700v3 Firmware" and version " < 1.0.4.122"
-
Affected
in Netgear
Search vendor "Netgear"
R6700v3
Search vendor "Netgear" for product "R6700v3"
--
Safe