PT-2021-17380 · NetGear · Netgear Prosafe Network Management System

Rgod · Published 2021-03-26 · Updated 2021-03-30 · CVE-2021-27276

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions: NETGEAR ProSAFE Network Management System version 1.6.0.26

Description: This issue allows remote attackers to delete arbitrary files on affected installations, potentially creating a denial-of-service condition. Although authentication is required, the existing mechanism can be bypassed. The flaw exists within the MibController class, specifically when parsing the realName parameter, which does not properly validate user-supplied paths before using them in file operations.

Recommendations: For NETGEAR ProSAFE Network Management System version 1.6.0.26, consider restricting access to the MibController class until a patch is available. As a temporary workaround, avoid using the realName parameter in file operations to minimize the risk of exploitation.
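The control the description says is missing, as an added example that is not code from NETGEAR or from this advisory: a user-supplied realName-style value is canonicalised and checked for containment in a fixed MIB directory before any delete. The directory layout, the sample file and the function names are constructed assumptions.

```python
import tempfile
from pathlib import Path
from typing import Optional

# Constructed base directory for MIB files (hypothetical, not the product's real path).
MIB_BASE = Path("/opt/nms/mibs")


def resolve_mib_path(real_name: str, base_dir: Path = MIB_BASE) -> Optional[Path]:
    """Return the canonical path for a user-supplied MIB name, or None if it
    would leave base_dir. Rejects empty names, NUL bytes, backslashes (so a
    Windows separator cannot hide a segment), absolute paths and any '..'
    segment, then re-checks containment after resolve() has followed symlinks."""
    if not real_name or "\x00" in real_name or "\\" in real_name:
        return None
    if real_name.startswith("/") or ".." in real_name.split("/"):
        return None
    base = base_dir.resolve()
    candidate = (base / real_name).resolve()
    # A symlink inside base pointing outside ends up outside after resolve().
    if base not in candidate.parents:
        return None
    return candidate


def delete_mib(real_name: str, base_dir: Path = MIB_BASE) -> bool:
    """Hardened delete: only removes a regular file that lives under base_dir."""
    target = resolve_mib_path(real_name, base_dir)
    if target is None or not target.is_file():
        return False
    target.unlink()
    return True


def make_sample_dir() -> Path:
    """Constructed MIB directory with one sample file, for offline runs."""
    d = Path(tempfile.mkdtemp())
    (d / "sample.mib").write_text("-- constructed sample MIB\n")
    return d


if __name__ == "__main__":
    d = make_sample_dir()
    for name in ("sample.mib", "../sample.mib", "/etc/hosts", "a/../../x"):
        print(repr(name), "->", resolve_mib_path(name, d))
```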

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2021-27276
ZDI-21-359

Affected Products

Netgear Prosafe Network Management System