PT-2017-1109 · NetGear · Dgn2200V4+30

Simon Kenin · Published 2017-01-17 · Updated 2025-01-22 · CVE-2017-5521

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Affected versions are not specified for any of the following NETGEAR products:

NETGEAR R8500
NETGEAR R8300
NETGEAR R7000
NETGEAR R6400
NETGEAR R7300
NETGEAR R7100LG
NETGEAR R6300v2
NETGEAR WNDR3400v3
NETGEAR WNR3500Lv2
NETGEAR R6250
NETGEAR R6700
NETGEAR R6900
NETGEAR R8000
NETGEAR R7900
NETGEAR WNDR4500v2
NETGEAR R6200v2
NETGEAR WNDR3400v2
NETGEAR D6220
NETGEAR D6400
NETGEAR C6300
NETGEAR R6200
NETGEAR R6300
NETGEAR VENG2610
NETGEAR AC1450
NETGEAR WNDR1000v3
NETGEAR WNDR3700v3
NETGEAR WNDR4000
NETGEAR WNDR4500
NETGEAR D6300
NETGEAR D6300B
NETGEAR DGN2200Bv4
NETGEAR DGN2200v4
Description

The issue is a password disclosure via simple crafted requests to the web management server. It can be exploited remotely if the remote management option is set, or by anyone with access to the router over LAN or WLAN. When trying to access the web panel, a user is asked to authenticate; if the authentication is canceled and password recovery is not enabled, the user is redirected to a page that exposes a password recovery token. If a user supplies the correct token to the page "/passwordrecovered.cgi?id=TOKEN" (and password recovery is not enabled), they receive the admin password for the router. The id variable of the "/passwordrecovered.cgi" endpoint is used to supply the token. If password recovery is enabled, the exploit fails, because the page instead asks the user for the recovery questions that were set when enabling that feature.
Recommendations

As a temporary workaround, consider disabling the remote management option to minimize the risk of exploitation. Restrict access to the "/passwordrecovered.cgi" endpoint to minimize the risk of exploitation. Avoid using the id variable in the "/passwordrecovered.cgi" endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
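As an added detection example (not part of this advisory and not NETGEAR's code), the following Python scans constructed Common Log Format lines, assumed to come from a reverse proxy or IDS placed in front of the router's management interface, for requests to the "/passwordrecovered.cgi" endpoint that carry the id token. Hits from clients outside RFC 1918 space, which can only reach the endpoint when remote management is enabled, are ranked highest.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (Common Log Format), as a reverse proxy or IDS
# sitting in front of the router's web management interface might record it.
# The client addresses and the id values are made up for this example.
SAMPLE_LOG = """\
192.168.1.20 - - [17/Jan/2017:10:00:01 +0000] "GET / HTTP/1.1" 401 0
192.168.1.20 - - [17/Jan/2017:10:00:05 +0000] "GET /passwordrecovered.cgi?id=123456 HTTP/1.1" 200 1842
203.0.113.7 - - [17/Jan/2017:10:02:11 +0000] "GET /passwordrecovered.cgi?id=987654 HTTP/1.1" 200 1842
203.0.113.7 - - [17/Jan/2017:10:02:30 +0000] "GET /passwordrecovered.cgi HTTP/1.1" 200 512
192.168.1.21 - - [17/Jan/2017:10:03:00 +0000] "GET /index.htm HTTP/1.1" 200 4096
"""

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RECOVERY_PATH = "/passwordrecovered.cgi"


def is_lan_client(addr):
    """True if the client is in RFC 1918 space, i.e. reached the router over LAN/WLAN."""
    ip = ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_recovery_token_requests(log_text):
    """Return one record per request to /passwordrecovered.cgi that carries an id token.

    Requests without the id parameter are not the disclosure path described above
    and are ignored. 'remote' marks clients outside RFC 1918 space.
    """
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not in CLF
        client, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        if parts.path != RECOVERY_PATH or "id" not in parse_qs(parts.query):
            continue
        remote = not is_lan_client(client)
        hits.append({
            "client": client, "time": ts, "status": int(status), "remote": remote,
            # a 200 returned to a remote client is the worst case: token accepted from outside
            "priority": "high" if remote and int(status) == 200 else "medium",
        })
    return hits
```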

Exploit

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2017-00203
CVE-2017-5521

Affected Products

Ac1450
C6300
D6220
D6300
D6300B
D6400
Dgn2200V4
R6200
R6200V2
R6250
R6300
R6300V2
R6400
R6700
R6900
R7000
R7100Lg
R7300
R7900
R8000
R8300
R8500
Veng2610
Wnr1000V3
Wndr3400V2
Wndr3400V3
Wndr3700V3
Wndr4000
Wndr4500
Wndr4500V2
Wnr3500Lv2