Severity.io | CVE-2021-29078

Description

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects RBK852 before 3.2.17.12, RBK853 before 3.2.17.12, RBK854 before 3.2.17.12, RBR850 before 3.2.17.12, RBS850 before 3.2.17.12, RBK752 before 3.2.17.12, RBK753 before 3.2.17.12, RBK753S before 3.2.17.12, RBK754 before 3.2.17.12, RBR750 before 3.2.17.12, and RBS750 before 3.2.17.12.

Related CPE's

o netgear rbk852_firmware ********

h netgear rbk852 -*******

o netgear rbk853_firmware ********

h netgear rbk853 -*******

o netgear rbk854_firmware ********

h netgear rbk854 -*******

o netgear rbr850_firmware ********

h netgear rbr850 -*******

o netgear rbs850_firmware ********

h netgear rbs850 -*******

References

https://kb.netgear.com/000063009/Security-Advisory-for-Pre-Authentication-Command-Injection-on-Some-WiFi-Systems-PSV-2020-0511

Vendor Advisory

CvssV3 impact

Version	3.1
VectorString	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AttackVector	ADJACENT_NETWORK
AttackComplexity	LOW
PrivilegesRequired	NONE
UserInteraction	NONE
Scope	CHANGED
ConfidentialityImpact	HIGH
IntegrityImpact	HIGH
AvailabilityImpact	HIGH
BaseScore	9.6
BaseSeverity	CRITICAL

CvssV2 impact

Version	2.0
VectorString	AV:A/AC:L/Au:N/C:P/I:P/A:P
AccessVector	ADJACENT_NETWORK
AccessComplexity	LOW
Authentication	NONE
ConfidentialityImpact	PARTIAL
IntegrityImpact	PARTIAL
AvailabilityImpact	PARTIAL
BaseScore	5.8