Details of VAR-202108-1633

ID

VAR-202108-1633

CVE

CVE-2021-38527

TITLE

plural NETGEAR Command injection vulnerability in device

Trust: 0.8

sources: JVNDB: JVNDB-2021-010445

DESCRIPTION

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects CBR40 before 2.5.0.14, EX6100v2 before 1.0.1.98, EX6150v2 before 1.0.1.98, EX6250 before 1.0.0.132, EX6400 before 1.0.2.158, EX6400v2 before 1.0.0.132, EX6410 before 1.0.0.132, EX6420 before 1.0.0.132, EX7300 before 1.0.2.158, EX7300v2 before 1.0.0.132, EX7320 before 1.0.0.132, EX7700 before 1.0.0.216, EX8000 before 1.0.1.232, R7800 before 1.0.2.78, RBK12 before 2.6.1.44, RBR10 before 2.6.1.44, RBS10 before 2.6.1.44, RBK20 before 2.6.1.38, RBR20 before 2.6.1.36, RBS20 before 2.6.1.38, RBK40 before 2.6.1.38, RBR40 before 2.6.1.36, RBS40 before 2.6.1.38, RBK50 before 2.6.1.40, RBR50 before 2.6.1.40, RBS50 before 2.6.1.40, RBK752 before 3.2.16.6, RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 before 3.2.16.6, RBR850 before 3.2.16.6, RBS850 before 3.2.16.6, RBS40V before 2.6.2.4, RBS50Y before 2.6.1.40, RBW30 before 2.6.2.2, and XR500 before 2.3.2.114. plural NETGEAR A command injection vulnerability exists in the device.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. This affects CBR40 prior to 2.5.0.14, EX6100v2 prior to 1.0.1.98, EX6150v2 prior to 1.0.1.98, EX6250 prior to 1.0.0.132, EX6400 prior to 1.0.2.158, EX6400v2 prior to 1.0.0.132, EX6410 prior to 1.0.0.132, EX6420 prior to 1.0.0.132, EX7300 prior to 1.0.2.158, EX7300v2 prior to 1.0.0.132, EX7320 prior to 1.0.0.132, EX7700 prior to 1.0.0.216, EX8000 prior to 1.0.1.232, R7800 prior to 1.0.2.78, RBK12 prior to 2.6.1.44, RBR10 prior to 2.6.1.44, RBS10 prior to 2.6.1.44, RBK20 prior to 2.6.1.38, RBR20 prior to 2.6.1.36, RBS20 prior to 2.6.1.38, RBK40 prior to 2.6.1.38, RBR40 prior to 2.6.1.36, RBS40 prior to 2.6.1.38, RBK50 prior to 2.6.1.40, RBR50 prior to 2.6.1.40, RBS50 prior to 2.6.1.40, RBK752 prior to 3.2.16.6, RBR750 prior to 3.2.16.6, RBS750 prior to 3.2.16.6, RBK852 prior to 3.2.16.6, RBR850 prior to 3.2.16.6, RBS850 prior to 3.2.16.6, RBS40V prior to 2.6.2.4, RBS50Y prior to 2.6.1.40, RBW30 prior to 2.6.2.2, and XR500 prior to 2.3.2.114

Trust: 1.71

sources: NVD: CVE-2021-38527 // JVNDB: JVNDB-2021-010445 // VULMON: CVE-2021-38527

AFFECTED PRODUCTS

vendor:	netgear	model:	ex6400	scope:	lt	version:	1.0.0.132	Trust: 1.0
vendor:	netgear	model:	r7800	scope:	lt	version:	1.0.2.78	Trust: 1.0
vendor:	netgear	model:	rbs20	scope:	lt	version:	2.6.1.38	Trust: 1.0
vendor:	netgear	model:	rbr40	scope:	lt	version:	2.6.1.36	Trust: 1.0
vendor:	netgear	model:	rbr20	scope:	lt	version:	2.6.1.36	Trust: 1.0
vendor:	netgear	model:	rbs50y	scope:	lt	version:	2.6.1.40	Trust: 1.0
vendor:	netgear	model:	rbr10	scope:	lt	version:	2.6.1.44	Trust: 1.0
vendor:	netgear	model:	rbk852	scope:	lt	version:	3.2.16.6	Trust: 1.0
vendor:	netgear	model:	ex6100	scope:	lt	version:	1.0.1.98	Trust: 1.0
vendor:	netgear	model:	ex8000	scope:	lt	version:	1.0.1.232	Trust: 1.0
vendor:	netgear	model:	rbr50	scope:	lt	version:	2.6.1.40	Trust: 1.0
vendor:	netgear	model:	xr500	scope:	lt	version:	2.3.2.114	Trust: 1.0
vendor:	netgear	model:	rbk12	scope:	lt	version:	2.6.1.44	Trust: 1.0
vendor:	netgear	model:	ex6400	scope:	lt	version:	1.0.2.158	Trust: 1.0
vendor:	netgear	model:	cbr40	scope:	lt	version:	2.5.0.14	Trust: 1.0
vendor:	netgear	model:	rbk752	scope:	lt	version:	3.2.16.6	Trust: 1.0
vendor:	netgear	model:	ex6410	scope:	lt	version:	1.0.0.132	Trust: 1.0
vendor:	netgear	model:	rbr750	scope:	lt	version:	3.2.16.6	Trust: 1.0
vendor:	netgear	model:	rbk20	scope:	lt	version:	2.6.1.38	Trust: 1.0
vendor:	netgear	model:	ex6150	scope:	lt	version:	1.0.1.98	Trust: 1.0
vendor:	netgear	model:	rbs10	scope:	lt	version:	2.6.1.44	Trust: 1.0
vendor:	netgear	model:	ex7320	scope:	lt	version:	1.0.0.132	Trust: 1.0
vendor:	netgear	model:	ex6420	scope:	lt	version:	1.0.0.132	Trust: 1.0
vendor:	netgear	model:	rbk40	scope:	lt	version:	2.6.1.38	Trust: 1.0
vendor:	netgear	model:	ex7300	scope:	lt	version:	1.0.2.158	Trust: 1.0
vendor:	netgear	model:	rbs40	scope:	lt	version:	2.6.1.38	Trust: 1.0
vendor:	netgear	model:	ex6250	scope:	lt	version:	1.0.0.132	Trust: 1.0
vendor:	netgear	model:	rbw30	scope:	lt	version:	2.6.2.2	Trust: 1.0
vendor:	netgear	model:	rbs750	scope:	lt	version:	3.2.16.6	Trust: 1.0
vendor:	netgear	model:	ex7700	scope:	lt	version:	1.0.0.216	Trust: 1.0
vendor:	netgear	model:	rbr850	scope:	lt	version:	3.2.16.6	Trust: 1.0
vendor:	netgear	model:	rbs850	scope:	lt	version:	3.2.16.6	Trust: 1.0
vendor:	netgear	model:	rbk50	scope:	lt	version:	2.6.1.40	Trust: 1.0
vendor:	netgear	model:	rbs40v	scope:	lt	version:	2.6.2.4	Trust: 1.0
vendor:	netgear	model:	rbs50	scope:	lt	version:	2.6.1.40	Trust: 1.0
vendor:	ネットギア	model:	ex7300	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	ex6400	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	ex6100	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	ex7320	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	ex6410	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	ex7700	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	ex6150	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	ex6250	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	cbr40	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	ex6420	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-010445 // NVD: CVE-2021-38527

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-38527
value:	CRITICAL
Trust: 1.0
cve@mitre.org:	CVE-2021-38527
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-38527
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-202108-993
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2021-38527
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-38527
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

nvd@nist.gov:	CVE-2021-38527
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
cve@mitre.org:	CVE-2021-38527
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	5.2
version:	3.1
Trust: 1.0
NVD:	CVE-2021-38527
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2021-38527 // JVNDB: JVNDB-2021-010445 // CNNVD: CNNVD-202108-993 // NVD: CVE-2021-38527 // NVD: CVE-2021-38527

PROBLEMTYPE DATA

problemtype:	CWE-77	Trust: 1.0
problemtype:	Command injection (CWE-77) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-010445 // NVD: CVE-2021-38527

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-993

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-202108-993

PATCH

title:	Security Advisory for Pre-Authentication Command Injection on Some Extenders, Routers, and WiFi Systems, PSV-2020-0025	url:	https://kb.netgear.com/000063778/Security-Advisory-for-Pre-Authentication-Command-Injection-on-Some-Extenders-Routers-and-WiFi-Systems-PSV-2020-0025	Trust: 0.8
title:	Netgear RBR750 Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=159380	Trust: 0.6
title:	CVE-2021-38527	url:	https://github.com/AlAIAL90/CVE-2021-38527	Trust: 0.1

sources: VULMON: CVE-2021-38527 // JVNDB: JVNDB-2021-010445 // CNNVD: CNNVD-202108-993

EXTERNAL IDS

db:	NVD	id:	CVE-2021-38527	Trust: 3.3
db:	JVNDB	id:	JVNDB-2021-010445	Trust: 0.8
db:	CNNVD	id:	CNNVD-202108-993	Trust: 0.6
db:	VULMON	id:	CVE-2021-38527	Trust: 0.1

sources: VULMON: CVE-2021-38527 // JVNDB: JVNDB-2021-010445 // CNNVD: CNNVD-202108-993 // NVD: CVE-2021-38527

REFERENCES

url:	https://kb.netgear.com/000063778/security-advisory-for-pre-authentication-command-injection-on-some-extenders-routers-and-wifi-systems-psv-2020-0025	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-38527	Trust: 1.4
url:	https://cwe.mitre.org/data/definitions/77.html	Trust: 0.1
url:	https://github.com/alaial90/cve-2021-38527	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2021-38527 // JVNDB: JVNDB-2021-010445 // CNNVD: CNNVD-202108-993 // NVD: CVE-2021-38527

SOURCES

db:	VULMON	id:	CVE-2021-38527
db:	JVNDB	id:	JVNDB-2021-010445
db:	CNNVD	id:	CNNVD-202108-993
db:	NVD	id:	CVE-2021-38527

LAST UPDATE DATE

2024-08-14T15:27:38.170000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2021-38527	date:	2021-08-19T00:00:00
db:	JVNDB	id:	JVNDB-2021-010445	date:	2022-07-01T06:12:00
db:	CNNVD	id:	CNNVD-202108-993	date:	2022-03-10T00:00:00
db:	NVD	id:	CVE-2021-38527	date:	2021-08-19T18:37:36.557

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2021-38527	date:	2021-08-11T00:00:00
db:	JVNDB	id:	JVNDB-2021-010445	date:	2022-07-01T00:00:00
db:	CNNVD	id:	CNNVD-202108-993	date:	2021-08-10T00:00:00
db:	NVD	id:	CVE-2021-38527	date:	2021-08-11T00:16:18.947