ID

VAR-202010-0586


CVE

CVE-2020-26920


TITLE

Command injection vulnerabilities in multiple NETGEAR devices

Trust: 0.8

sources: JVNDB: JVNDB-2020-012212

DESCRIPTION

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects SRK60 before 2.5.3.110, SRR60 before 2.5.3.110, and SRS60 before 2.5.3.110. A command injection vulnerability exists in NETGEAR SRK60, SRR60, and SRS60 devices. Information may be obtained or tampered with, and a denial-of-service (DoS) condition may result. NETGEAR SRK60 and the other listed models are all wireless routers from NETGEAR. SRK60, SRR60, and SRS60 versions prior to 2.5.3.110 have a security vulnerability caused by missing or insufficiently strong identity verification measures in network systems or products. Attackers can use this vulnerability to bypass authentication.

Trust: 2.16

sources: NVD: CVE-2020-26920 // JVNDB: JVNDB-2020-012212 // CNVD: CNVD-2020-58123

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-58123

AFFECTED PRODUCTS

vendor: netgear, model: srr60, scope: lt, version: 2.5.3.110

Trust: 1.6

vendor: netgear, model: srs60, scope: lt, version: 2.5.3.110

Trust: 1.6

vendor: netgear, model: srk60, scope: lt, version: 2.5.3.110

Trust: 1.0

vendor: ネットギア, model: srk60, scope: -, version: -

Trust: 0.8

vendor: ネットギア, model: srr60, scope: -, version: -

Trust: 0.8

vendor: ネットギア, model: srs60, scope: -, version: -

Trust: 0.8

vendor: netgear, model: certain netgear devices srk60, scope: lt, version: 2.5.3.110

Trust: 0.6

sources: CNVD: CNVD-2020-58123 // JVNDB: JVNDB-2020-012212 // NVD: CVE-2020-26920

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-26920
value: HIGH

Trust: 1.0

cve@mitre.org: CVE-2020-26920
value: HIGH

Trust: 1.0

NVD: CVE-2020-26920
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-58123
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202010-353
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2020-26920
severity: MEDIUM
baseScore: 5.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-58123
severity: MEDIUM
baseScore: 5.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-26920
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 2.0

OTHER: JVNDB-2020-012212
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-58123 // JVNDB: JVNDB-2020-012212 // CNNVD: CNNVD-202010-353 // NVD: CVE-2020-26920 // NVD: CVE-2020-26920

PROBLEMTYPE DATA

problemtype: CWE-77

Trust: 1.0

problemtype: Command injection (CWE-77) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2020-012212 // NVD: CVE-2020-26920

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202010-353

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-202010-353

PATCH

title: Security Advisory for Pre-Authentication Command Injection on Some WiFi Systems, PSV-2020-0327
url: https://kb.netgear.com/000062333/Security-Advisory-for-Pre-Authentication-Command-Injection-on-Some-WiFi-Systems-PSV-2020-0327

Trust: 0.8

title: Patch for Certain NETGEAR devices SRK60 authentication vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/237397

Trust: 0.6

title: Multiple NETGEAR Fixes for device command injection vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=131139

Trust: 0.6

sources: CNVD: CNVD-2020-58123 // JVNDB: JVNDB-2020-012212 // CNNVD: CNNVD-202010-353

EXTERNAL IDS

db: NVD, id: CVE-2020-26920

Trust: 3.0

db: JVNDB, id: JVNDB-2020-012212

Trust: 0.8

db: CNVD, id: CNVD-2020-58123

Trust: 0.6

db: CNNVD, id: CNNVD-202010-353

Trust: 0.6

sources: CNVD: CNVD-2020-58123 // JVNDB: JVNDB-2020-012212 // CNNVD: CNNVD-202010-353 // NVD: CVE-2020-26920

REFERENCES

url: https://kb.netgear.com/000062333/security-advisory-for-pre-authentication-command-injection-on-some-wifi-systems-psv-2020-0327

Trust: 2.2

url: https://nvd.nist.gov/vuln/detail/cve-2020-26920

Trust: 1.4

sources: CNVD: CNVD-2020-58123 // JVNDB: JVNDB-2020-012212 // CNNVD: CNNVD-202010-353 // NVD: CVE-2020-26920

SOURCES

db: CNVD, id: CNVD-2020-58123
db: JVNDB, id: JVNDB-2020-012212
db: CNNVD, id: CNNVD-202010-353
db: NVD, id: CVE-2020-26920

LAST UPDATE DATE

2024-11-23T23:01:13.609000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-58123, date: 2020-10-23T00:00:00
db: JVNDB, id: JVNDB-2020-012212, date: 2021-04-27T05:40:00
db: CNNVD, id: CNNVD-202010-353, date: 2020-10-21T00:00:00
db: NVD, id: CVE-2020-26920, date: 2024-11-21T05:20:29.927

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-58123, date: 2020-10-09T00:00:00
db: JVNDB, id: JVNDB-2020-012212, date: 2021-04-27T00:00:00
db: CNNVD, id: CNNVD-202010-353, date: 2020-10-09T00:00:00
db: NVD, id: CVE-2020-26920, date: 2020-10-09T07:15:17.683