ID

VAR-202108-2271


CVE

CVE-2021-34865


TITLE

Improper Comparison Vulnerability in Multiple NETGEAR Routers

Trust: 0.8

sources: JVNDB: JVNDB-2021-018127

DESCRIPTION

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of multiple NETGEAR routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the mini_httpd service, which listens on TCP port 80 by default. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-13313. An improper comparison vulnerability exists in multiple NETGEAR routers. The Zero Day Initiative numbered this vulnerability ZDI-CAN-13313. Information may be obtained or tampered with, and service operation may be interrupted (DoS).

Trust: 2.34

sources: NVD: CVE-2021-34865 // JVNDB: JVNDB-2021-018127 // ZDI: ZDI-21-1051 // VULMON: CVE-2021-34865

AFFECTED PRODUCTS

vendor: netgear, model: ac2400, scope: lt, version: 1.2.0.88

Trust: 1.0

vendor: netgear, model: d7000v1, scope: lt, version: 1.0.1.80

Trust: 1.0

vendor: netgear, model: r6220, scope: lt, version: 1.1.0.110

Trust: 1.0

vendor: netgear, model: r6230, scope: lt, version: 1.1.0.110

Trust: 1.0

vendor: netgear, model: r7450, scope: lt, version: 1.2.0.88

Trust: 1.0

vendor: netgear, model: r6330, scope: lt, version: 1.1.0.84

Trust: 1.0

vendor: netgear, model: r6700v2, scope: lt, version: 1.2.0.88

Trust: 1.0

vendor: netgear, model: r7200, scope: lt, version: 1.2.0.88

Trust: 1.0

vendor: netgear, model: r6800, scope: lt, version: 1.2.0.88

Trust: 1.0

vendor: netgear, model: r6260, scope: lt, version: 1.1.0.84

Trust: 1.0

vendor: netgear, model: r7400, scope: lt, version: 1.2.0.88

Trust: 1.0

vendor: netgear, model: r6850, scope: lt, version: 1.1.0.84

Trust: 1.0

vendor: netgear, model: r7350, scope: lt, version: 1.2.0.88

Trust: 1.0

vendor: netgear, model: ac2100, scope: lt, version: 1.2.0.88

Trust: 1.0

vendor: netgear, model: r6900v2, scope: lt, version: 1.2.0.88

Trust: 1.0

vendor: netgear, model: ac2600, scope: lt, version: 1.2.0.88

Trust: 1.0

vendor: netgear, model: r6350, scope: lt, version: 1.1.0.84

Trust: 1.0

vendor: ネットギア, model: ac2100, scope: -, version: -

Trust: 0.8

vendor: ネットギア, model: r6220, scope: -, version: -

Trust: 0.8

vendor: ネットギア, model: ac2400, scope: -, version: -

Trust: 0.8

vendor: ネットギア, model: r6330, scope: -, version: -

Trust: 0.8

vendor: ネットギア, model: r6230, scope: -, version: -

Trust: 0.8

vendor: ネットギア, model: r6260, scope: -, version: -

Trust: 0.8

vendor: ネットギア, model: r6350, scope: -, version: -

Trust: 0.8

vendor: ネットギア, model: r6700v2, scope: -, version: -

Trust: 0.8

vendor: ネットギア, model: d7000v1, scope: -, version: -

Trust: 0.8

vendor: ネットギア, model: ac2600, scope: -, version: -

Trust: 0.8

vendor: netgear, model: multiple routers, scope: -, version: -

Trust: 0.7

sources: ZDI: ZDI-21-1051 // JVNDB: JVNDB-2021-018127 // NVD: CVE-2021-34865

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-34865
value: HIGH

Trust: 1.0

zdi-disclosures@trendmicro.com: CVE-2021-34865
value: HIGH

Trust: 1.0

NVD: CVE-2021-34865
value: HIGH

Trust: 0.8

ZDI: CVE-2021-34865
value: HIGH

Trust: 0.7

CNNVD: CNNVD-202108-2714
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2021-34865
severity: HIGH
baseScore: 8.3
vectorString: AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.5
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

zdi-disclosures@trendmicro.com: CVE-2021-34865
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2021-34865
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ZDI: CVE-2021-34865
baseSeverity: HIGH
baseScore: 8.8
vectorString: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-21-1051 // JVNDB: JVNDB-2021-018127 // CNNVD: CNNVD-202108-2714 // NVD: CVE-2021-34865 // NVD: CVE-2021-34865

PROBLEMTYPE DATA

problemtype:CWE-697

Trust: 1.0

problemtype:CWE-287

Trust: 1.0

problemtype: Inappropriate comparison (CWE-697) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-018127 // NVD: CVE-2021-34865

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202108-2714

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202108-2714

PATCH

title: Security Advisory for Authentication Bypass Vulnerability on Some Routers, PSV-2021-0083
url: https://kb.netgear.com/000063955/Security-Advisory-for-Authentication-Bypass-Vulnerability-on-Some-Routers-PSV-2021-0083

Trust: 0.8

title: NETGEAR has issued an update to correct this vulnerability.
url: https://kb.netgear.com/000063955/Security-Advisory-for-Authentication-Bypass-Vulnerability-on-Some-Routers-PSV-2021-0083?article=000063955

Trust: 0.7

title: NETGEAR Repair measures for multiple product authorization issues
url: http://123.124.177.30/web/xxk/bdxqById.tag?id=160968

Trust: 0.6

sources: ZDI: ZDI-21-1051 // JVNDB: JVNDB-2021-018127 // CNNVD: CNNVD-202108-2714

EXTERNAL IDS

db: NVD, id: CVE-2021-34865

Trust: 4.0

db: ZDI, id: ZDI-21-1051

Trust: 3.2

db: JVNDB, id: JVNDB-2021-018127

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-13313

Trust: 0.7

db: CNNVD, id: CNNVD-202108-2714

Trust: 0.6

db: VULMON, id: CVE-2021-34865

Trust: 0.1

sources: ZDI: ZDI-21-1051 // VULMON: CVE-2021-34865 // JVNDB: JVNDB-2021-018127 // CNNVD: CNNVD-202108-2714 // NVD: CVE-2021-34865

REFERENCES

url:https://www.zerodayinitiative.com/advisories/zdi-21-1051/

Trust: 3.1

url:https://kb.netgear.com/000063955/security-advisory-for-authentication-bypass-vulnerability-on-some-routers-psv-2021-0083?article=000063955

Trust: 2.3

url:https://nvd.nist.gov/vuln/detail/cve-2021-34865

Trust: 1.4

sources: ZDI: ZDI-21-1051 // VULMON: CVE-2021-34865 // JVNDB: JVNDB-2021-018127 // CNNVD: CNNVD-202108-2714 // NVD: CVE-2021-34865

CREDITS

1sd3d of VCS

Trust: 1.3

sources: ZDI: ZDI-21-1051 // CNNVD: CNNVD-202108-2714

SOURCES

db: ZDI, id: ZDI-21-1051
db: VULMON, id: CVE-2021-34865
db: JVNDB, id: JVNDB-2021-018127
db: CNNVD, id: CNNVD-202108-2714
db: NVD, id: CVE-2021-34865

LAST UPDATE DATE

2024-08-14T15:17:07.475000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-21-1051, date: 2021-08-30T00:00:00
db: JVNDB, id: JVNDB-2021-018127, date: 2023-03-31T08:45:00
db: CNNVD, id: CNNVD-202108-2714, date: 2022-10-28T00:00:00
db: NVD, id: CVE-2021-34865, date: 2022-10-27T11:53:26.290

SOURCES RELEASE DATE

db: ZDI, id: ZDI-21-1051, date: 2021-08-30T00:00:00
db: JVNDB, id: JVNDB-2021-018127, date: 2023-03-31T00:00:00
db: CNNVD, id: CNNVD-202108-2714, date: 2021-08-30T00:00:00
db: NVD, id: CVE-2021-34865, date: 2022-01-25T16:15:08.383