CVE-2021-33514

Name of the Vulnerable Software and Affected Versions NETGEAR GC108P versions prior to 1.0.7.3 NETGEAR GC108PP versions prior to 1.0.7.3 NETGEAR GS108Tv3 versions prior to 7.0.6.3 NETGEAR GS110TPPv1 versions prior to 7.0.6.3 NETGEAR GS110TPv3 versions prior to 7.0.6.3 NETGEAR GS110TUPv1 versions prior to 1.0.4.3 NETGEAR GS710TUPv1 versions prior to 1.0.4.3 NETGEAR GS716TP versions prior to 1.0.2.3 NETGEAR GS716TPP versions prior to 1.0.2.3 NETGEAR GS724TPPv1 versions prior to 2.0.4.3 NETGEAR GS724TPv2 versions prior to 2.0.4.3 NETGEAR GS728TPPv2 versions prior to 6.0.6.3 NETGEAR GS728TPv2 versions prior to 6.0.6.3 NETGEAR GS752TPPv1 versions prior to 6.0.6.3 NETGEAR GS752TPv2 versions prior to 6.0.6.3 NETGEAR MS510TXM versions prior to 1.0.2.3 NETGEAR MS510TXUP versions prior to 1.0.2.3

Description The issue is related to command injection by an unauthenticated attacker via the vulnerable /sqfs/lib/libsal.so.0.0 library used by a CGI application. This can be demonstrated by setup.cgi?token=';$HTTP USER AGENT;' with an OS command in the User-Agent field.

Recommendations For NETGEAR GC108P versions prior to 1.0.7.3, update to version 1.0.7.3 or later. For NETGEAR GC108PP versions prior to 1.0.7.3, update to version 1.0.7.3 or later. For NETGEAR GS108Tv3 versions prior to 7.0.6.3, update to version 7.0.6.3 or later. For NETGEAR GS110TPPv1 versions prior to 7.0.6.3, update to version 7.0.6.3 or later. For NETGEAR GS110TPv3 versions prior to 7.0.6.3, update to version 7.0.6.3 or later. For NETGEAR GS110TUPv1 versions prior to 1.0.4.3, update to version 1.0.4.3 or later. For NETGEAR GS710TUPv1 versions prior to 1.0.4.3, update to version 1.0.4.3 or later. For NETGEAR GS716TP versions prior to 1.0.2.3, update to version 1.0.2.3 or later. For NETGEAR GS716TPP versions prior to 1.0.2.3, update to version 1.0.2.3 or later. For NETGEAR GS724TPPv1 versions prior to 2.0.4.3, update to version 2.0.4.3 or later. For NETGEAR GS724TPv2 versions prior to 2.0.4.3, update to version 2.0.4.3 or later. For NETGEAR GS728TPPv2 versions prior to 6.0.6.3, update to version 6.0.6.3 or later. For NETGEAR GS728TPv2 versions prior to 6.0.6.3, update to version 6.0.6.3 or later. For NETGEAR GS752TPPv1 versions prior to 6.0.6.3, update to version 6.0.6.3 or later. For NETGEAR GS752TPv2 versions prior to 6.0.6.3, update to version 6.0.6.3 or later. For NETGEAR MS510TXM versions prior to 1.0.2.3, update to version 1.0.2.3 or later. For NETGEAR MS510TXUP versions prior to 1.0.2.3, update to version 1.0.2.3 or later. As a temporary workaround, consider restricting access to the vulnerable "setup.cgi" API endpoint until a patch is available. Avoid using the HTTP USER AGENT variable in the affected API endpoint until the issue is resolved.