CVE-2022-27643

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700v3 1.0.4.120_10.0.91 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of SOAP requests. When parsing the SOAPAction header, the process does not properly validate the length of user-supplied data prior to copying it to a buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15692.

CVSS v3.0 8.8 HIGH

8.8^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://kb.netgear.com/000064720/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0323	Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-519/	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:netgear:r6400_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r6400:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:netgear:r6400_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r6400:v2:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:netgear:r6700_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r6700:v3:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:netgear:r6900p_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r6900p:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:netgear:r7000_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r7000:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:netgear:r7000p_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r7000p:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:netgear:r7850_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r7850:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:netgear:r7900p_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r7900p:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

cpe:2.3:o:netgear:r7960p_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r7960p:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:o:netgear:r8000_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r8000:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND

cpe:2.3:o:netgear:r8000p_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r8000p:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND

cpe:2.3:o:netgear:r8500_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r8500:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND

cpe:2.3:o:netgear:rax200_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rax200:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND

cpe:2.3:o:netgear:rax75_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rax75:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND

cpe:2.3:o:netgear:rax80_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rax80:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND

cpe:2.3:o:netgear:rs400_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rs400:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND

cpe:2.3:o:netgear:r7100lg_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r7100lg:-:*:*:*:*:*:*:*

Configuration 18 (hide)

AND

cpe:2.3:o:netgear:wndr3400_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:wndr3400:v3:*:*:*:*:*:*:*

Configuration 19 (hide)

AND

cpe:2.3:o:netgear:wnr3500l_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:wnr3500l:v2:*:*:*:*:*:*:*

Configuration 20 (hide)

AND

cpe:2.3:o:netgear:xr300_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:xr300:-:*:*:*:*:*:*:*

Configuration 21 (hide)

AND

cpe:2.3:o:netgear:dc112a_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:dc112a:-:*:*:*:*:*:*:*

Configuration 22 (hide)

AND

cpe:2.3:o:netgear:d6220_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:d6220:-:*:*:*:*:*:*:*

Configuration 23 (hide)

AND

cpe:2.3:o:netgear:d6400_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:d6400:-:*:*:*:*:*:*:*

Configuration 24 (hide)

AND

cpe:2.3:o:netgear:ex3700_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:ex3700:-:*:*:*:*:*:*:*

Configuration 25 (hide)

AND

cpe:2.3:o:netgear:ex3800_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:ex3800:-:*:*:*:*:*:*:*

Configuration 26 (hide)

AND

cpe:2.3:o:netgear:ex6120_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:ex6120:-:*:*:*:*:*:*:*

Configuration 27 (hide)

AND

cpe:2.3:o:netgear:ex6130_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:ex6130:-:*:*:*:*:*:*:*

Configuration 28 (hide)

AND

cpe:2.3:o:netgear:d7000v2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:d7000v2:-:*:*:*:*:*:*:*

History

05 Apr 2023, 15:06

Type	Values Removed	Values Added
First Time		Netgear ex3800 Firmware Netgear r6400 Netgear rax75 Netgear rax75 Firmware Netgear r7000p Firmware Netgear xr300 Netgear d6220 Netgear r7000p Netgear rax200 Netgear ex6130 Netgear d7000v2 Firmware Netgear rax80 Firmware Netgear r8000p Netgear wnr3500l Firmware Netgear r6900p Netgear r8000 Firmware Netgear r7850 Firmware Netgear r6700 Netgear r7100lg Firmware Netgear ex6120 Firmware Netgear r7100lg Netgear rs400 Netgear d6400 Netgear r7960p Netgear ex3700 Netgear Netgear r6900p Firmware Netgear rax80 Netgear dc112a Firmware Netgear r8500 Firmware Netgear rax200 Firmware Netgear rs400 Firmware Netgear r8000p Firmware Netgear wnr3500l Netgear r8500 Netgear r7000 Netgear r7850 Netgear ex6120 Netgear wndr3400 Firmware Netgear d7000v2 Netgear r8000 Netgear r7900p Netgear r6400 Firmware Netgear xr300 Firmware Netgear wndr3400 Netgear d6400 Firmware Netgear r7900p Firmware Netgear ex3800 Netgear r6700 Firmware Netgear ex3700 Firmware Netgear dc112a Netgear r7960p Firmware Netgear d6220 Firmware Netgear ex6130 Firmware Netgear r7000 Firmware
CPE		cpe:2.3:h:netgear:ex3700:-:::::::* cpe:2.3:h:netgear:r6400:-:::::::* cpe:2.3:o:netgear:r7000p_firmware:::::::: cpe:2.3:h:netgear:r6700:v3:::::::* cpe:2.3:h:netgear:ex6130:-:::::::* cpe:2.3:o:netgear:d6220_firmware:::::::: cpe:2.3:o:netgear:rax200_firmware:::::::: cpe:2.3:h:netgear:wnr3500l:v2:::::::* cpe:2.3:h:netgear:d6400:-:::::::* cpe:2.3:o:netgear:ex6130_firmware:::::::: cpe:2.3:h:netgear:d7000v2:-:::::::* cpe:2.3:h:netgear:r7000p:-:::::::* cpe:2.3:o:netgear:r7100lg_firmware:::::::: cpe:2.3:h:netgear:r8000p:-:::::::* cpe:2.3:h:netgear:r7960p:-:::::::* cpe:2.3:o:netgear:ex3700_firmware:::::::: cpe:2.3:o:netgear:rax75_firmware:::::::: cpe:2.3:h:netgear:r6900p:-:::::::* cpe:2.3:o:netgear:r6400_firmware:::::::: cpe:2.3:o:netgear:dc112a_firmware:::::::: cpe:2.3:h:netgear:r7900p:-:::::::* cpe:2.3:h:netgear:r8500:-:::::::* cpe:2.3:h:netgear:r8000:-:::::::* cpe:2.3:h:netgear:wndr3400:v3:::::::* cpe:2.3:o:netgear:r7850_firmware:::::::: cpe:2.3:o:netgear:r7000_firmware:::::::: cpe:2.3:o:netgear:r6900p_firmware:::::::: cpe:2.3:h:netgear:r7850:-:::::::* cpe:2.3:o:netgear:wnr3500l_firmware:::::::: cpe:2.3:o:netgear:r8500_firmware:::::::: cpe:2.3:o:netgear:r8000p_firmware:::::::: cpe:2.3:h:netgear:xr300:-:::::::* cpe:2.3:h:netgear:rax80:-:::::::* cpe:2.3:h:netgear:ex3800:-:::::::* cpe:2.3:o:netgear:d7000v2_firmware:::::::: cpe:2.3:o:netgear:r8000_firmware:::::::: cpe:2.3:o:netgear:r6700_firmware:::::::: cpe:2.3:h:netgear:ex6120:-:::::::* cpe:2.3:o:netgear:ex6120_firmware:::::::: cpe:2.3:o:netgear:wndr3400_firmware:::::::: cpe:2.3:o:netgear:r7960p_firmware:::::::: cpe:2.3:o:netgear:ex3800_firmware:::::::: cpe:2.3:h:netgear:rax200:-:::::::* cpe:2.3:o:netgear:d6400_firmware:::::::: cpe:2.3:h:netgear:d6220:-:::::::* cpe:2.3:h:netgear:r7000:-:::::::* cpe:2.3:o:netgear:xr300_firmware:::::::: cpe:2.3:o:netgear:rax80_firmware:::::::: cpe:2.3:h:netgear:r7100lg:-:::::::* cpe:2.3:h:netgear:rax75:-:::::::* cpe:2.3:h:netgear:r6400:v2:::::::* cpe:2.3:h:netgear:rs400:-:::::::* cpe:2.3:o:netgear:rs400_firmware:::::::: cpe:2.3:h:netgear:dc112a:-:::::::* cpe:2.3:o:netgear:r7900p_firmware::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
References	~~(MISC) https://kb.netgear.com/000064720/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0323 -~~	(MISC) https://kb.netgear.com/000064720/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0323 - Vendor Advisory
References	~~(MISC) https://www.zerodayinitiative.com/advisories/ZDI-22-519/ -~~	(MISC) https://www.zerodayinitiative.com/advisories/ZDI-22-519/ - Third Party Advisory, VDB Entry

29 Mar 2023, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-03-29 19:15

Updated : 2023-04-05 15:06

NVD link : CVE-2022-27643

Mitre link : CVE-2022-27643

CVE.ORG link : CVE-2022-27643

JSON object : View

Products Affected

netgear

r8000
r7850
ex6120
dc112a
rax75_firmware
r7850_firmware
rax80
d7000v2
r6400_firmware
d6220_firmware
r6700_firmware
r8500
r7000p
d6400_firmware
r7100lg
xr300_firmware
r8000_firmware
wndr3400_firmware
r6700
d6400
ex6130
rax80_firmware
ex3800_firmware
r7000_firmware
d7000v2_firmware
r6400
r6900p_firmware
r7960p
r8000p_firmware
r7960p_firmware
ex6130_firmware
rs400_firmware
r7000p_firmware
ex6120_firmware
rs400
rax200_firmware
r7000
r8000p
r6900p
r7100lg_firmware
xr300
ex3700_firmware
ex3800
wndr3400
r8500_firmware
rax200
ex3700
rax75
d6220
r7900p_firmware
dc112a_firmware
wnr3500l
r7900p
wnr3500l_firmware

CWE

CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

8.8 /10