ID

VAR-202111-0632


CVE

CVE-2021-34991


TITLE

NETGEAR R6400v2 Out-of-Bounds Write Vulnerability in Router

Trust: 0.8

sources: JVNDB: JVNDB-2021-015106

DESCRIPTION

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6400v2 1.0.4.106_10.0.80 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UPnP service, which listens on TCP port 5000 by default. When parsing the uuid request header, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. The Zero Day Initiative tracked this vulnerability as ZDI-CAN-14110. Information may be obtained or tampered with, and service operation may be interrupted (DoS). NETGEAR R6400v2 is a router from Netgear, a hardware device that connects two or more networks and acts as a gateway between them.

Trust: 2.79

sources: NVD: CVE-2021-34991 // JVNDB: JVNDB-2021-015106 // ZDI: ZDI-21-1303 // CNVD: CNVD-2022-06693

IOT TAXONOMY

category: ['Network device'] // sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-06693

AFFECTED PRODUCTS

vendor: netgear // model: r6400v2 // scope: lt // version: 1.0.4.120

Trust: 1.6

vendor: netgear // model: rs400 // scope: lt // version: 1.5.1.80

Trust: 1.0

vendor: netgear // model: rax20 // scope: lt // version: 1.0.4.100

Trust: 1.0

vendor: netgear // model: r6400 // scope: lt // version: 1.0.1.76

Trust: 1.0

vendor: netgear // model: r8000 // scope: lt // version: 1.0.4.76

Trust: 1.0

vendor: netgear // model: rax43 // scope: lt // version: 1.0.4.100

Trust: 1.0

vendor: netgear // model: wndr3400v3 // scope: lt // version: 1.0.1.42

Trust: 1.0

vendor: netgear // model: cax80 // scope: lt // version: 2.1.3.5

Trust: 1.0

vendor: netgear // model: rax35v2 // scope: lt // version: 1.0.4.100

Trust: 1.0

vendor: netgear // model: r7000 // scope: lt // version: 1.0.11.128

Trust: 1.0

vendor: netgear // model: rax50 // scope: lt // version: 1.0.4.100

Trust: 1.0

vendor: netgear // model: ex3700 // scope: lt // version: 1.0.0.94

Trust: 1.0

vendor: netgear // model: rax45 // scope: lt // version: 1.0.4.100

Trust: 1.0

vendor: netgear // model: r7960p // scope: lt // version: 1.4.2.84

Trust: 1.0

vendor: netgear // model: r8000p // scope: lt // version: 1.4.2.84

Trust: 1.0

vendor: netgear // model: rax42 // scope: lt // version: 1.0.4.100

Trust: 1.0

vendor: netgear // model: r7100lg // scope: lt // version: 1.0.0.72

Trust: 1.0

vendor: netgear // model: r7850 // scope: lt // version: 1.0.5.76

Trust: 1.0

vendor: netgear // model: d7000v2 // scope: lt // version: 1.0.0.76

Trust: 1.0

vendor: netgear // model: r6900p // scope: lt // version: 1.3.3.142

Trust: 1.0

vendor: netgear // model: d6220 // scope: lt // version: 1.0.0.76

Trust: 1.0

vendor: netgear // model: r7900p // scope: lt // version: 1.4.2.84

Trust: 1.0

vendor: netgear // model: dc112a // scope: lt // version: 1.0.0.62

Trust: 1.0

vendor: netgear // model: rax40v2 // scope: lt // version: 1.0.4.100

Trust: 1.0

vendor: netgear // model: ex6130 // scope: lt // version: 1.0.0.66

Trust: 1.0

vendor: netgear // model: rax75 // scope: lt // version: 1.0.5.132

Trust: 1.0

vendor: netgear // model: dgn2200v4 // scope: lt // version: 1.0.0.126

Trust: 1.0

vendor: netgear // model: xr300 // scope: lt // version: 1.0.3.68

Trust: 1.0

vendor: netgear // model: r8300 // scope: lt // version: 1.0.2.156

Trust: 1.0

vendor: netgear // model: ex6120 // scope: lt // version: 1.0.0.66

Trust: 1.0

vendor: netgear // model: d6400 // scope: lt // version: 1.0.0.108

Trust: 1.0

vendor: netgear // model: rax15 // scope: lt // version: 1.0.4.100

Trust: 1.0

vendor: netgear // model: r8500 // scope: lt // version: 1.0.2.156

Trust: 1.0

vendor: netgear // model: r6700v3 // scope: lt // version: 1.0.4.120

Trust: 1.0

vendor: netgear // model: rax38v2 // scope: lt // version: 1.0.4.100

Trust: 1.0

vendor: netgear // model: rax48 // scope: lt // version: 1.0.4.100

Trust: 1.0

vendor: netgear // model: ex3800 // scope: lt // version: 1.0.0.94

Trust: 1.0

vendor: netgear // model: rax80 // scope: lt // version: 1.0.5.132

Trust: 1.0

vendor: netgear // model: rax50s // scope: lt // version: 1.0.4.100

Trust: 1.0

vendor: netgear // model: r7000p // scope: lt // version: 1.3.3.142

Trust: 1.0

vendor: netgear // model: rax200 // scope: lt // version: 1.0.5.132

Trust: 1.0

vendor: netgear // model: raxe450 // scope: lt // version: 1.0.8.70

Trust: 1.0

vendor: netgear // model: raxe500 // scope: lt // version: 1.0.8.70

Trust: 1.0

vendor: netgear // model: wnr3500lv2 // scope: lt // version: 1.2.0.70

Trust: 1.0

vendor: Netgear // model: r6900p // scope: - // version: -

Trust: 0.8

vendor: Netgear // model: r6400v2 // scope: - // version: -

Trust: 0.8

vendor: Netgear // model: r6400 // scope: - // version: -

Trust: 0.8

vendor: Netgear // model: ex3700 // scope: - // version: -

Trust: 0.8

vendor: Netgear // model: r7000 // scope: - // version: -

Trust: 0.8

vendor: Netgear // model: r6700v3 // scope: - // version: -

Trust: 0.8

vendor: Netgear // model: ex6120 // scope: - // version: -

Trust: 0.8

vendor: Netgear // model: ex3800 // scope: - // version: -

Trust: 0.8

vendor: Netgear // model: ex6130 // scope: - // version: -

Trust: 0.8

vendor: Netgear // model: r7000p // scope: - // version: -

Trust: 0.8

vendor: netgear // model: r6400v2 // scope: - // version: -

Trust: 0.7

sources: ZDI: ZDI-21-1303 // CNVD: CNVD-2022-06693 // JVNDB: JVNDB-2021-015106 // NVD: CVE-2021-34991

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-34991
value: HIGH

Trust: 1.0

zdi-disclosures@trendmicro.com: CVE-2021-34991
value: HIGH

Trust: 1.0

NVD: CVE-2021-34991
value: HIGH

Trust: 0.8

ZDI: CVE-2021-34991
value: HIGH

Trust: 0.7

CNVD: CNVD-2022-06693
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202111-1078
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2021-34991
severity: HIGH
baseScore: 8.3
vectorString: AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.5
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2022-06693
severity: HIGH
baseScore: 8.3
vectorString: AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.5
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

zdi-disclosures@trendmicro.com: CVE-2021-34991
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2021-34991
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ZDI: CVE-2021-34991
baseSeverity: HIGH
baseScore: 8.8
vectorString: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-21-1303 // CNVD: CNVD-2022-06693 // JVNDB: JVNDB-2021-015106 // CNNVD: CNNVD-202111-1078 // NVD: CVE-2021-34991 // NVD: CVE-2021-34991

PROBLEMTYPE DATA

problemtype:CWE-121

Trust: 1.0

problemtype:CWE-787

Trust: 1.0

problemtype: Out-of-bounds write (CWE-787) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-015106 // NVD: CVE-2021-34991

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202111-1078

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202111-1078

PATCH

title: Security Advisory for Pre-Authentication Buffer Overflow on Multiple Products, PSV-2021-0168 // url: https://kb.netgear.com/000064361/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0168

Trust: 1.5

title: Patch for NETGEAR R6400v2 Buffer Overflow Vulnerability // url: https://www.cnvd.org.cn/patchInfo/show/315991

Trust: 0.6

title: NETGEAR R6400v2 Buffer error vulnerability fix // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=170297

Trust: 0.6

sources: ZDI: ZDI-21-1303 // CNVD: CNVD-2022-06693 // JVNDB: JVNDB-2021-015106 // CNNVD: CNNVD-202111-1078

EXTERNAL IDS

db: NVD // id: CVE-2021-34991

Trust: 4.5

db: ZDI // id: ZDI-21-1303

Trust: 3.7

db: JVNDB // id: JVNDB-2021-015106

Trust: 0.8

db: ZDI_CAN // id: ZDI-CAN-14110

Trust: 0.7

db: CNVD // id: CNVD-2022-06693

Trust: 0.6

db: CNNVD // id: CNNVD-202111-1078

Trust: 0.6

sources: ZDI: ZDI-21-1303 // CNVD: CNVD-2022-06693 // JVNDB: JVNDB-2021-015106 // CNNVD: CNNVD-202111-1078 // NVD: CVE-2021-34991

REFERENCES

url:https://www.zerodayinitiative.com/advisories/zdi-21-1303/

Trust: 3.6

url:https://kb.netgear.com/000064361/security-advisory-for-pre-authentication-buffer-overflow-on-multiple-products-psv-2021-0168

Trust: 2.3

url:https://nvd.nist.gov/vuln/detail/cve-2021-34991

Trust: 1.4

sources: ZDI: ZDI-21-1303 // CNVD: CNVD-2022-06693 // JVNDB: JVNDB-2021-015106 // CNNVD: CNNVD-202111-1078 // NVD: CVE-2021-34991

CREDITS

anonymous

Trust: 0.7

sources: ZDI: ZDI-21-1303

SOURCES

db: ZDI // id: ZDI-21-1303
db: CNVD // id: CNVD-2022-06693
db: JVNDB // id: JVNDB-2021-015106
db: CNNVD // id: CNNVD-202111-1078
db: NVD // id: CVE-2021-34991

LAST UPDATE DATE

2024-08-14T14:25:08.117000+00:00


SOURCES UPDATE DATE

db: ZDI // id: ZDI-21-1303 // date: 2021-12-23T00:00:00
db: CNVD // id: CNVD-2022-06693 // date: 2022-01-25T00:00:00
db: JVNDB // id: JVNDB-2021-015106 // date: 2022-11-09T07:46:00
db: CNNVD // id: CNNVD-202111-1078 // date: 2021-11-24T00:00:00
db: NVD // id: CVE-2021-34991 // date: 2021-11-17T16:33:07.393

SOURCES RELEASE DATE

db: ZDI // id: ZDI-21-1303 // date: 2021-11-11T00:00:00
db: CNVD // id: CNVD-2022-06693 // date: 2022-01-25T00:00:00
db: JVNDB // id: JVNDB-2021-015106 // date: 2022-11-09T00:00:00
db: CNNVD // id: CNNVD-202111-1078 // date: 2021-11-11T00:00:00
db: NVD // id: CVE-2021-34991 // date: 2021-11-15T16:15:09.547