Severity.io | CVE-2021-29067

Description

Certain NETGEAR devices are affected by authentication bypass. This affects RBW30 before 2.6.2.2, RBS40V before 2.6.2.4, RBK852 before 3.2.17.12, RBK853 before 3.2.17.12, RBK854 before 3.2.17.12, RBR850 before 3.2.17.12, RBS850 before 3.2.17.12, RBK752 before 3.2.17.12, RBK753 before 3.2.17.12, RBK753S before 3.2.17.12, RBK754 before 3.2.17.12, RBR750 before 3.2.17.12, and RBS750 before 3.2.17.12.

Related CPE's

o netgear rbw30_firmware ********

h netgear rbw30 -*******

o netgear rbs40v_firmware ********

h netgear rbs40v -*******

o netgear rbk852_firmware ********

h netgear rbk852 -*******

o netgear rbk853_firmware ********

h netgear rbk853 -*******

o netgear rbk854_firmware ********

h netgear rbk854 -*******

References

https://kb.netgear.com/000063017/Security-Advisory-for-Authentication-Bypass-on-Some-WiFi-Systems-PSV-2020-0492

Vendor Advisory

CvssV3 impact

BaseSeverity	CRITICAL
ConfidentialityImpact	HIGH
AttackComplexity	LOW
Scope	CHANGED
AttackVector	ADJACENT_NETWORK
AvailabilityImpact	HIGH
IntegrityImpact	HIGH
PrivilegesRequired	NONE
BaseScore	9.6
VectorString	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Version	3.1
UserInteraction	NONE

CvssV2 impact

AccessComplexity	LOW
ConfidentialityImpact	COMPLETE
AvailabilityImpact	COMPLETE
IntegrityImpact	COMPLETE
BaseScore	8.3
VectorString	AV:A/AC:L/Au:N/C:C/I:C/A:C
Version	2.0
AccessVector	ADJACENT_NETWORK
Authentication	NONE