CVE-2017-6334

Name of the Vulnerable Software and Affected Versions NETGEAR DGN2200 devices with firmware through 10.0.0.50

Description The issue exists due to the lack of neutralization of special elements used in the operating system command. This can be exploited by a remote attacker to execute arbitrary OS commands on the router and gain full control over the device by using metacharacters in the ping IPAddr parameter of a POST request or the host name field of an HTTP POST request in dnslookup.cgi.

Recommendations For NETGEAR DGN2200 devices with firmware through 10.0.0.50, consider restricting access to the dnslookup.cgi and ping.cgi scripts until a patch is available. As a temporary workaround, avoid using the host name field in the dnslookup.cgi HTTP POST request and the ping IPAddr parameter in the ping.cgi POST request until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.