{"containers": {"cna": {"affected": [{"product": "Multiple Routers", "vendor": "NETGEAR", "versions": [{"status": "affected", "version": "firmware version 1.2.0.62_1.0.1"}]}], "credits": [{"lang": "en", "value": "1sd3d"}], "descriptions": [{"lang": "en", "value": "This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the mini_httpd service, which listens on TCP port 80 by default. When parsing the funjsq_access_token parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-11653."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "description": "CWE-77: Command Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-03-12T13:57:49", "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://kb.netgear.com/000062641/Security-Advisory-for-Password-Recovery-Vulnerabilities-on-Some-Routers"}, {"tags": ["x_refsource_MISC"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1423/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "zdi-disclosures@trendmicro.com", "ID": "CVE-2020-27867", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Multiple Routers", "version": {"version_data": [{"version_value": "firmware version 1.2.0.62_1.0.1"}]}}]}, "vendor_name": "NETGEAR"}]}}, "credit": "1sd3d", "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the mini_httpd service, which listens on TCP port 80 by default. When parsing the funjsq_access_token parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-11653."}]}, "impact": {"cvss": {"vectorString": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-77: Command Injection"}]}]}, "references": {"reference_data": [{"name": "https://kb.netgear.com/000062641/Security-Advisory-for-Password-Recovery-Vulnerabilities-on-Some-Routers", "refsource": "MISC", "url": "https://kb.netgear.com/000062641/Security-Advisory-for-Password-Recovery-Vulnerabilities-on-Some-Routers"}, {"name": "https://www.zerodayinitiative.com/advisories/ZDI-20-1423/", "refsource": "MISC", "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1423/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:25:43.694Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://kb.netgear.com/000062641/Security-Advisory-for-Password-Recovery-Vulnerabilities-on-Some-Routers"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1423/"}]}]}, "cveMetadata": {"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "assignerShortName": "zdi", "cveId": "CVE-2020-27867", "datePublished": "2021-02-11T23:35:40", "dateReserved": "2020-10-27T00:00:00", "dateUpdated": "2024-08-04T16:25:43.694Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netgear:ac2100_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "8AB0B236-6BC6-4E99-8792-6B01BD591D3A", "versionEndExcluding": "1.2.0.76", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netgear:ac2100:-:*:*:*:*:*:*:*", "matchCriteriaId": "A80B06A1-81B5-4C33-89F6-EC3F6E3068B5", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netgear:ac2400_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B01C772-D1D4-41F1-A33D-72A6A672502A", "versionEndExcluding": "1.2.0.76", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netgear:ac2400:-:*:*:*:*:*:*:*", "matchCriteriaId": "6B25A18F-DD96-45FE-B098-71E60CB0FFFE", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netgear:ac2600_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA359610-21DC-41C4-9430-8406B34490EB", "versionEndExcluding": "1.2.0.76", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netgear:ac2600:-:*:*:*:*:*:*:*", "matchCriteriaId": "2BFCD9A8-1846-48C4-9F14-3866E983FB74", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netgear:r6700_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "E0FCF958-2F6A-4B79-B307-2FE23B7CE8FC", "versionEndExcluding": "1.2.0.76", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netgear:r6700:v2:*:*:*:*:*:*:*", "matchCriteriaId": "9F9706E6-CA53-43E4-91B0-D52655C86860", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netgear:r6800_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "EA434604-4916-4830-A96B-CEC0C8E5A1A0", "versionEndExcluding": "1.2.0.76", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netgear:r6800:-:*:*:*:*:*:*:*", "matchCriteriaId": "09404083-B00B-4C1F-8085-BC242E625CA3", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netgear:r6900_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E9457F1-F5E8-43CA-8697-3849E140B0CC", "versionEndExcluding": "1.2.0.76", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netgear:r6900:v2:*:*:*:*:*:*:*", "matchCriteriaId": "2E8EB69B-6619-47B6-A073-D0B840D4EB0B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netgear:r7200_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "4D95583A-EC79-41FF-9496-DAB19A1A34DB", "versionEndExcluding": "1.2.0.76", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netgear:r7200:-:*:*:*:*:*:*:*", "matchCriteriaId": "FECB83F9-D417-4FD3-B293-87BC177E3AEB", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netgear:r7350_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "53B1B947-2E36-463C-848F-C5F5C0A5ECAF", "versionEndExcluding": "1.2.0.76", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netgear:r7350:-:*:*:*:*:*:*:*", "matchCriteriaId": "AFD1A65C-F10F-4C52-8B6D-69992E512EB5", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netgear:r7400_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A188F6E-5296-4511-97F2-9328B1E1F6CF", "versionEndExcluding": "1.2.0.76", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netgear:r7400:-:*:*:*:*:*:*:*", "matchCriteriaId": "1F68AC3B-A31F-4AB0-89E9-BFFDE427AD3B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netgear:r7450_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "33043216-4563-4195-88D7-93446302ECD1", "versionEndExcluding": "1.2.0.76", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netgear:r7450:-:*:*:*:*:*:*:*", "matchCriteriaId": "6DA5420D-DD64-4A9C-9B5F-784F0ED2B464", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netgear:r6220_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "E662BF37-5D81-4B9F-898E-F91B09821555", "versionEndExcluding": "1.1.0.104", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netgear:r6220:-:*:*:*:*:*:*:*", "matchCriteriaId": "B131B5C8-CB7F-433B-BA32-F05CE0E92A66", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netgear:r6230_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "7CD4B6F1-E58F-4B96-BF51-729F59FA1C8B", "versionEndExcluding": "1.1.0.104", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netgear:r6230:-:*:*:*:*:*:*:*", "matchCriteriaId": "C91CADFA-59DB-4B6C-A914-848884F4A4BD", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netgear:r6260_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "33824B9B-1224-484A-AFF4-953573F299C6", "versionEndExcluding": "1.1.0.78", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netgear:r6260:-:*:*:*:*:*:*:*", "matchCriteriaId": "3C395D49-57F9-4BC1-8619-57127355B86B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netgear:r6330_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBA2E978-FFF7-470D-90BA-4DBDC009B076", "versionEndExcluding": "1.1.0.78", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netgear:r6330:-:*:*:*:*:*:*:*", "matchCriteriaId": "D621D26D-B144-424A-A9CB-19488399ACC1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netgear:r6350_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2AE3CE4-23B0-467E-B522-A211048D6AF3", "versionEndExcluding": "1.1.0.78", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netgear:r6350:-:*:*:*:*:*:*:*", "matchCriteriaId": "4B302909-29CF-4E53-9CCB-8664D3FCB03A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netgear:r6850_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "612DAD20-761D-41D5-A6AB-AA9975847D34", "versionEndExcluding": "1.1.0.78", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netgear:r6850:-:*:*:*:*:*:*:*", "matchCriteriaId": "598B48C5-4706-4431-8C5A-DA496DD1052F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netgear:r6120_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B373C515-681A-4D80-9BFD-5E2DFD6F2DF0", "versionEndExcluding": "1.0.0.76", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netgear:r6120:-:*:*:*:*:*:*:*", "matchCriteriaId": "D18D2CCD-424F-41D5-919B-E22B9FA68D36", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netgear:r6020_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6EC58A4B-E061-49ED-BB2D-E0497846DBEE", "versionEndExcluding": "1.0.0.48", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netgear:r6020:-:*:*:*:*:*:*:*", "matchCriteriaId": "5DDA7ABF-4C4B-4945-993A-F93BD8FCB55E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netgear:r6080_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "AF9D1B97-7FF8-45D9-BFD6-72554BBB6008", "versionEndExcluding": "1.0.0.48", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netgear:r6080:-:*:*:*:*:*:*:*", "matchCriteriaId": "1CEB5C49-53CF-44AE-9A7D-E7E6201BFE62", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the mini_httpd service, which listens on TCP port 80 by default. When parsing the funjsq_access_token parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-11653."}, {"lang": "es", "value": "Esta vulnerabilidad permite a los atacantes adyacentes a la red ejecutar c\u00f3digo arbitrario en las instalaciones afectadas de los routers NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100 y Nighthawk AC2400. Aunque la autenticaci\u00f3n es necesaria para explotar esta vulnerabilidad, el mecanismo de autenticaci\u00f3n existente puede ser evitado. El fallo espec\u00edfico existe en el servicio mini_httpd, que escucha en el puerto TCP 80 por defecto. Al analizar el par\u00e1metro funjsq_access_token, el proceso no valida correctamente una cadena suministrada por el usuario antes de utilizarla para ejecutar una llamada al sistema. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto de root. Era ZDI-CAN-11653"}], "id": "CVE-2020-27867", "lastModified": "2024-11-21T05:21:57.877", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 7.7, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 5.1, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-12T00:15:12.970", "references": [{"source": "zdi-disclosures@trendmicro.com", "tags": ["Vendor Advisory"], "url": "https://kb.netgear.com/000062641/Security-Advisory-for-Password-Recovery-Vulnerabilities-on-Some-Routers"}, {"source": "zdi-disclosures@trendmicro.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1423/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://kb.netgear.com/000062641/Security-Advisory-for-Password-Recovery-Vulnerabilities-on-Some-Routers"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1423/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{}

{}