Link | Resource |
---|---|
https://kb.netgear.com/000062507/Security-Advisory-for-Unauthenticated-Command-Injection-Vulnerability-on-Some-Extenders-and-Orbi-WiFi-Systems | Vendor Advisory |
https://www.zerodayinitiative.com/advisories/ZDI-20-1430/ | Third Party Advisory VDB Entry |
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
AND |
|
Configuration 3 (hide)
AND |
|
Configuration 4 (hide)
AND |
|
Configuration 5 (hide)
AND |
|
Configuration 6 (hide)
AND |
|
Configuration 7 (hide)
AND |
|
Configuration 8 (hide)
AND |
|
Configuration 9 (hide)
AND |
|
Configuration 10 (hide)
AND |
|
Configuration 11 (hide)
AND |
|
Configuration 12 (hide)
AND |
|
Configuration 13 (hide)
AND |
|
Configuration 14 (hide)
AND |
|
Configuration 15 (hide)
AND |
|
Configuration 16 (hide)
AND |
|
Configuration 17 (hide)
AND |
|
Configuration 18 (hide)
AND |
|
Configuration 19 (hide)
AND |
|
Configuration 20 (hide)
AND |
|
Configuration 21 (hide)
AND |
|
Configuration 22 (hide)
AND |
|
Configuration 23 (hide)
AND |
|
Configuration 24 (hide)
AND |
|
Configuration 25 (hide)
AND |
|
Configuration 26 (hide)
AND |
|
Configuration 27 (hide)
AND |
|
Configuration 28 (hide)
AND |
|
Configuration 29 (hide)
AND |
|
Configuration 30 (hide)
AND |
|
Configuration 31 (hide)
AND |
|
Configuration 32 (hide)
AND |
|
12 Mar 2021, 15:15
Type | Values Removed | Values Added |
---|---|---|
Summary | This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Orbi 2.5.1.16 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UA_Parser utility. A crafted Host Name option in a DHCP request can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-11076. |
12 Mar 2021, 14:15
Type | Values Removed | Values Added |
---|---|---|
Summary | This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Orbi 2.5.1.16 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UA_Parser utility. A crafted Host Name option in a DHCP request can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-11076. |
16 Feb 2021, 19:19
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:netgear:rbk33_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk15_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbk22:-:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk23_satellite_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk20_router_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbk15:-:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbk44:-:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk22_satellite_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk40_satellite_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:netgear:cbk40_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbk12:-:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbs10_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbr20_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbs50_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk43_router_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbk30:-:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk20w_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:netgear:cbk43:-:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbk14:-:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbr40:-:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk13_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbk23:-:*:*:*:*:*:*:* cpe:2.3:o:netgear:ex7700_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbs40:-:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbr20:-:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbr50_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:netgear:cbr40_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:netgear:ex6200:v2:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk43_satellite_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbk43:-:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbk23w:-:*:*:*:*:*:*:* cpe:2.3:o:netgear:cbk43_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbk50:-:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbk52w:-:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbk20w:-:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbs50:-:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk43s_satellite_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbr50:-:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbs40_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbk50v:-:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbr10_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk52w_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk50v_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbr10:-:*:*:*:*:*:*:* cpe:2.3:o:netgear:ex8000_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:netgear:cbk40:-:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbk43s:-:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk50_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk14_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbs20_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk20_satellite_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk22_router_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:netgear:ex8000:-:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk23w_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk43s_router_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:netgear:ex7700:-:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbk20:-:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk23_router_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk40_router_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbk13:-:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbs10:-:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbk33:-:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk12_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk30_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:netgear:ex6200_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:netgear:cbr40:-:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbk40:-:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbr40_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk44_router_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:netgear:rbk44_satellite_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:netgear:rbs20:-:*:*:*:*:*:*:* |
|
References | (MISC) https://kb.netgear.com/000062507/Security-Advisory-for-Unauthenticated-Command-Injection-Vulnerability-on-Some-Extenders-and-Orbi-WiFi-Systems - Vendor Advisory | |
References | (MISC) https://www.zerodayinitiative.com/advisories/ZDI-20-1430/ - Third Party Advisory, VDB Entry | |
CWE | CWE-78 | |
CVSS |
v2 : v3 : |
v2 : 8.3
v3 : 8.8 |
12 Feb 2021, 00:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Published : 2021-02-12 00:15
Updated : 2023-12-10 13:41
NVD link : CVE-2020-27861
Mitre link : CVE-2020-27861
CVE.ORG link : CVE-2020-27861
JSON object : View
netgear
- rbk14_firmware
- rbk23w_firmware
- rbk43
- rbk43s
- rbk12
- rbk40_satellite_firmware
- rbk20
- rbs10
- rbk23w
- rbk12_firmware
- rbk33_firmware
- rbr50
- rbs50
- rbr10_firmware
- rbk20_router_firmware
- rbk20_satellite_firmware
- rbk23_router_firmware
- rbk40
- rbr20_firmware
- rbs20_firmware
- rbk22
- cbk43_firmware
- ex6200_firmware
- rbk44_satellite_firmware
- rbr40
- cbr40
- ex7700
- rbr20
- rbr10
- rbk44
- rbk13_firmware
- rbk50v
- cbk40_firmware
- rbs10_firmware
- cbk43
- rbr40_firmware
- ex8000
- rbk50
- rbk43s_satellite_firmware
- rbk52w_firmware
- rbk44_router_firmware
- rbk50_firmware
- rbk30
- rbk40_router_firmware
- rbk20w_firmware
- rbs40_firmware
- rbk43_satellite_firmware
- rbk50v_firmware
- rbs40
- cbr40_firmware
- rbs20
- rbk43s_router_firmware
- rbs50_firmware
- rbr50_firmware
- ex7700_firmware
- cbk40
- rbk30_firmware
- ex6200
- rbk23
- rbk22_satellite_firmware
- rbk15
- rbk33
- rbk52w
- rbk23_satellite_firmware
- rbk43_router_firmware
- rbk13
- rbk15_firmware
- rbk20w
- ex8000_firmware
- rbk14
- rbk22_router_firmware
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')