CVE-2020-28041 - OpenCVE

The SIP ALG implementation on NETGEAR Nighthawk R7000 1.0.9.64_10.2.64 devices allows remote attackers to communicate with arbitrary TCP and UDP services on a victim's intranet machine, if the victim visits an attacker-controlled web site with a modern browser, aka NAT Slipstreaming. This occurs because the ALG takes action based on an IP packet with an initial REGISTER substring in the TCP data, and the correct intranet IP address in the subsequent Via header, without properly considering that connection progress and fragmentation affect the meaning of the packet data.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Netgear	Nighthawk R7000 Nighthawk R7000 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:netgear:nighthawk_r7000_firmware:1.0.9.64_10.2.64:*:*:*:*:*:*:*

cpe:2.3:h:netgear:nighthawk_r7000:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/samyk/slipstream
https://news.ycombinator.com/item?id=24956616
https://news.ycombinator.com/item?id=24958281
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0024
https://samy.pl/slipstream/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-11-01T03:29:13

Updated: 2024-08-04T16:33:56.894Z

Reserved: 2020-11-01T00:00:00

Link: CVE-2020-28041

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-11-02T21:15:31.257

Modified: 2022-10-19T17:17:59.807

Link: CVE-2020-28041

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The SIP ALG implementation on NETGEAR Nighthawk R7000 1.0.9.64_10.2.64 devices allows remote attackers to communicate with arbitrary TCP and UDP services on a victim's intranet machine, if the victim visits an attacker-controlled web site with a modern browser, aka NAT Slipstreaming. This occurs because the ALG takes action based on an IP packet with an initial REGISTER substring in the TCP data, and the correct intranet IP address in the subsequent Via header, without properly considering that connection progress and fragmentation affect the meaning of the packet data."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-12-15T23:06:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://news.ycombinator.com/item?id=24956616"}, {"tags": ["x_refsource_MISC"], "url": "https://samy.pl/slipstream/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/samyk/slipstream"}, {"tags": ["x_refsource_MISC"], "url": "https://news.ycombinator.com/item?id=24958281"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0024"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-28041", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The SIP ALG implementation on NETGEAR Nighthawk R7000 1.0.9.64_10.2.64 devices allows remote attackers to communicate with arbitrary TCP and UDP services on a victim's intranet machine, if the victim visits an attacker-controlled web site with a modern browser, aka NAT Slipstreaming. This occurs because the ALG takes action based on an IP packet with an initial REGISTER substring in the TCP data, and the correct intranet IP address in the subsequent Via header, without properly considering that connection progress and fragmentation affect the meaning of the packet data."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://news.ycombinator.com/item?id=24956616", "refsource": "MISC", "url": "https://news.ycombinator.com/item?id=24956616"}, {"name": "https://samy.pl/slipstream/", "refsource": "MISC", "url": "https://samy.pl/slipstream/"}, {"name": "https://github.com/samyk/slipstream", "refsource": "MISC", "url": "https://github.com/samyk/slipstream"}, {"name": "https://news.ycombinator.com/item?id=24958281", "refsource": "MISC", "url": "https://news.ycombinator.com/item?id=24958281"}, {"name": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0024", "refsource": "CONFIRM", "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0024"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:33:56.894Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://news.ycombinator.com/item?id=24956616"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://samy.pl/slipstream/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/samyk/slipstream"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://news.ycombinator.com/item?id=24958281"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0024"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-28041", "datePublished": "2020-11-01T03:29:13", "dateReserved": "2020-11-01T00:00:00", "dateUpdated": "2024-08-04T16:33:56.894Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netgear:nighthawk_r7000_firmware:1.0.9.64_10.2.64:*:*:*:*:*:*:*", "matchCriteriaId": "6DEBFC20-467D-43F5-9A93-DA5E8F8B497D", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netgear:nighthawk_r7000:-:*:*:*:*:*:*:*", "matchCriteriaId": "08C70B18-BC2B-4986-B969-319FAA7D0A5A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The SIP ALG implementation on NETGEAR Nighthawk R7000 1.0.9.64_10.2.64 devices allows remote attackers to communicate with arbitrary TCP and UDP services on a victim's intranet machine, if the victim visits an attacker-controlled web site with a modern browser, aka NAT Slipstreaming. This occurs because the ALG takes action based on an IP packet with an initial REGISTER substring in the TCP data, and the correct intranet IP address in the subsequent Via header, without properly considering that connection progress and fragmentation affect the meaning of the packet data."}, {"lang": "es", "value": "La implementaci\u00f3n de SIP ALG en dispositivos NETGEAR Nighthawk R7000 versi\u00f3n 1.0.9.64_10.2.64, permite a atacantes remotos comunicarse con servicios TCP y UDP arbitrarios en la m\u00e1quina de la intranet de la v\u00edctima, si la v\u00edctima visita un sitio web controlado por un atacante con un navegador moderno, tambi\u00e9n conocido como NAT Slipstreaming . Esto ocurre porque el ALG toma acci\u00f3n en base a un paquete IP con una subcadena REGISTER inicial en los datos TCP y la direcci\u00f3n IP de intranet correcta en el encabezado Via subsiguiente, sin considerar apropiadamente que el progreso de la conexi\u00f3n y la fragmentaci\u00f3n afectan el significado de los datos del paquete"}], "id": "CVE-2020-28041", "lastModified": "2022-10-19T17:17:59.807", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-02T21:15:31.257", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/samyk/slipstream"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://news.ycombinator.com/item?id=24956616"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://news.ycombinator.com/item?id=24958281"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0024"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://samy.pl/slipstream/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Primary"}]}