CVE-2020-27861

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2020-27861
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Orbi 2.5.1.16 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UA_Parser utility. A crafted Host Name option in a DHCP request can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-11076.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

8.3 /10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:A/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 6.5 / Impact : 10.0

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References
Link Resource
https://kb.netgear.com/000062507/Security-Advisory-for-Unauthenticated-Command-Injection-Vulnerability-on-Some-Extenders-and-Orbi-WiFi-Systems Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-20-1430/ Third Party Advisory VDB Entry
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:netgear:cbk40_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:cbk40:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:netgear:cbk43_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:cbk43:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:netgear:cbr40_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:cbr40:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:netgear:ex6200_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:ex6200:v2:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:netgear:ex7700_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:ex7700:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:netgear:ex8000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:ex8000:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:netgear:rbk12_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk12:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:netgear:rbk13_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk13:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:netgear:rbk14_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk14:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:netgear:rbk15_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk15:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND
cpe:2.3:o:netgear:rbr10_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbr10:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND
cpe:2.3:o:netgear:rbs10_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbs10:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND
cpe:2.3:o:netgear:rbk20w_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk20w:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND
cpe:2.3:o:netgear:rbk23w_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk23w:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND
OR cpe:2.3:o:netgear:rbk20_router_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk20_satellite_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk20:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND
OR cpe:2.3:o:netgear:rbk22_router_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk22_satellite_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk22:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND
OR cpe:2.3:o:netgear:rbk23_router_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk23_satellite_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk23:-:*:*:*:*:*:*:*

Configuration 18 (hide)

AND
cpe:2.3:o:netgear:rbr20_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbr20:-:*:*:*:*:*:*:*

Configuration 19 (hide)

AND
cpe:2.3:o:netgear:rbs20_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbs20:-:*:*:*:*:*:*:*

Configuration 20 (hide)

AND
cpe:2.3:o:netgear:rbk30_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk30:-:*:*:*:*:*:*:*

Configuration 21 (hide)

AND
cpe:2.3:o:netgear:rbk33_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk33:-:*:*:*:*:*:*:*

Configuration 22 (hide)

AND
OR cpe:2.3:o:netgear:rbk40_router_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk40_satellite_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk40:-:*:*:*:*:*:*:*

Configuration 23 (hide)

AND
OR cpe:2.3:o:netgear:rbk43_router_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk43_satellite_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk43:-:*:*:*:*:*:*:*

Configuration 24 (hide)

AND
OR cpe:2.3:o:netgear:rbk43s_router_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk43s_satellite_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk43s:-:*:*:*:*:*:*:*

Configuration 25 (hide)

AND
OR cpe:2.3:o:netgear:rbk44_router_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk44_satellite_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk44:-:*:*:*:*:*:*:*

Configuration 26 (hide)

AND
cpe:2.3:o:netgear:rbr40_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbr40:-:*:*:*:*:*:*:*

Configuration 27 (hide)

AND
cpe:2.3:o:netgear:rbs40_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbs40:-:*:*:*:*:*:*:*

Configuration 28 (hide)

AND
cpe:2.3:o:netgear:rbk50_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk50:-:*:*:*:*:*:*:*

Configuration 29 (hide)

AND
cpe:2.3:o:netgear:rbk50v_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk50v:-:*:*:*:*:*:*:*

Configuration 30 (hide)

AND
cpe:2.3:o:netgear:rbk52w_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk52w:-:*:*:*:*:*:*:*

Configuration 31 (hide)

AND
cpe:2.3:o:netgear:rbr50_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbr50:-:*:*:*:*:*:*:*

Configuration 32 (hide)

AND
cpe:2.3:o:netgear:rbs50_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbs50:-:*:*:*:*:*:*:*
History

12 Mar 2021, 15:15

Type Values Removed Values Added
Summary This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Orbi 2.5.1.16 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UA_Parser utility. A crafted Host Name option in a DHCP request can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-11076. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Orbi 2.5.1.16 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UA_Parser utility. A crafted Host Name option in a DHCP request can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-11076.

12 Mar 2021, 14:15

Type Values Removed Values Added
Summary This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Orbi 2.5.1.16 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UA_Parser utility. A crafted Host Name option in a DHCP request can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-11076. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Orbi 2.5.1.16 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UA_Parser utility. A crafted Host Name option in a DHCP request can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-11076.

16 Feb 2021, 19:19

Type Values Removed Values Added
CPE cpe:2.3:o:netgear:rbk33_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk15_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk22:-:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk23_satellite_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk20_router_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk15:-:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk44:-:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk22_satellite_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk40_satellite_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:cbk40_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk12:-:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbs10_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbr20_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbs50_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk43_router_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk30:-:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk20w_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:cbk43:-:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk14:-:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbr40:-:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk13_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk23:-:*:*:*:*:*:*:*
cpe:2.3:o:netgear:ex7700_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbs40:-:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbr20:-:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbr50_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:cbr40_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:ex6200:v2:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk43_satellite_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk43:-:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk23w:-:*:*:*:*:*:*:*
cpe:2.3:o:netgear:cbk43_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk50:-:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk52w:-:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk20w:-:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbs50:-:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk43s_satellite_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbr50:-:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbs40_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk50v:-:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbr10_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk52w_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk50v_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbr10:-:*:*:*:*:*:*:*
cpe:2.3:o:netgear:ex8000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:cbk40:-:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk43s:-:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk50_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk14_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbs20_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk20_satellite_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk22_router_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:ex8000:-:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk23w_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk43s_router_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:ex7700:-:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk20:-:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk23_router_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk40_router_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk13:-:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbs10:-:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk33:-:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk12_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk30_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:ex6200_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:cbr40:-:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbk40:-:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbr40_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk44_router_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:netgear:rbk44_satellite_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:netgear:rbs20:-:*:*:*:*:*:*:*
References (MISC) https://kb.netgear.com/000062507/Security-Advisory-for-Unauthenticated-Command-Injection-Vulnerability-on-Some-Extenders-and-Orbi-WiFi-Systems - (MISC) https://kb.netgear.com/000062507/Security-Advisory-for-Unauthenticated-Command-Injection-Vulnerability-on-Some-Extenders-and-Orbi-WiFi-Systems - Vendor Advisory
References (MISC) https://www.zerodayinitiative.com/advisories/ZDI-20-1430/ - (MISC) https://www.zerodayinitiative.com/advisories/ZDI-20-1430/ - Third Party Advisory, VDB Entry
CWE CWE-78
CVSS v2 : unknown
v3 : unknown 		v2 : 8.3
v3 : 8.8

12 Feb 2021, 00:15

Type Values Removed Values Added
New CVE
Information

Published : 2021-02-12 00:15

Updated : 2023-12-10 13:41

NVD link : CVE-2020-27861

Mitre link : CVE-2020-27861

CVE.ORG link : CVE-2020-27861

JSON object : View

Products Affected

netgear

  • rbk14_firmware
  • rbk23w_firmware
  • rbk43
  • rbk43s
  • rbk12
  • rbk40_satellite_firmware
  • rbk20
  • rbs10
  • rbk23w
  • rbk12_firmware
  • rbk33_firmware
  • rbr50
  • rbs50
  • rbr10_firmware
  • rbk20_router_firmware
  • rbk20_satellite_firmware
  • rbk23_router_firmware
  • rbk40
  • rbr20_firmware
  • rbs20_firmware
  • rbk22
  • cbk43_firmware
  • ex6200_firmware
  • rbk44_satellite_firmware
  • rbr40
  • cbr40
  • ex7700
  • rbr20
  • rbr10
  • rbk44
  • rbk13_firmware
  • rbk50v
  • cbk40_firmware
  • rbs10_firmware
  • cbk43
  • rbr40_firmware
  • ex8000
  • rbk50
  • rbk43s_satellite_firmware
  • rbk52w_firmware
  • rbk44_router_firmware
  • rbk50_firmware
  • rbk30
  • rbk40_router_firmware
  • rbk20w_firmware
  • rbs40_firmware
  • rbk43_satellite_firmware
  • rbk50v_firmware
  • rbs40
  • cbr40_firmware
  • rbs20
  • rbk43s_router_firmware
  • rbs50_firmware
  • rbr50_firmware
  • ex7700_firmware
  • cbk40
  • rbk30_firmware
  • ex6200
  • rbk23
  • rbk22_satellite_firmware
  • rbk15
  • rbk33
  • rbk52w
  • rbk23_satellite_firmware
  • rbk43_router_firmware
  • rbk13
  • rbk15_firmware
  • rbk20w
  • ex8000_firmware
  • rbk14
  • rbk22_router_firmware
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')