CVE-2021-34991

Name of the Vulnerable Software and Affected Versions NETGEAR routers versions EX3700, EX3800, EX6120, EX6130, R6400, R6400v2, R6700v3, R6900P, R7000, R7000P, R7100LG, R7850, R7900P, R7960P, R8000, R8000P, R8300, R8500, RAX15, RAX20, RAX200, RAX35v2, RAX38v2, RAX40v2, RAX42, RAX43, RAX45, RAX48, RAX50, RAX50S, RAX75, RAX80, RAXE450, RAXE500, RS400, WNDR3400v3, WNR3500Lv2, XR300 NETGEAR DSL modem routers versions D6220, D6400, D7000v2, DGN2200v4 NETGEAR AirCards version DC112A NETGEAR cable modem version CAX80

Description The issue is related to a buffer overflow in the stack of the UPnP service in NETGEAR devices. This can be exploited by a remote attacker to execute arbitrary code. The specific flaw exists within the UPnP service, which listens on TCP port 5000 by default. When parsing the uuid request header, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. The problem is associated with the upnpd daemon functions related to handling unauthenticated HTTP SUBSCRIBE and UNSUBSCRIBE requests from clients.

Recommendations For NETGEAR routers versions EX3700, EX3800, EX6120, EX6130, R6400, R6400v2, R6700v3, R6900P, R7000, R7000P, R7100LG, R7850, R7900P, R7960P, R8000, R8000P, R8300, R8500, RAX15, RAX20, RAX200, RAX35v2, RAX38v2, RAX40v2, RAX42, RAX43, RAX45, RAX48, RAX50, RAX50S, RAX75, RAX80, RAXE450, RAXE500, RS400, WNDR3400v3, WNR3500Lv2, XR300: update to a patched version. For NETGEAR DSL modem routers versions D6220, D6400, D7000v2, DGN2200v4: update to a patched version. For NETGEAR AirCards version DC112A: update to a patched version. For NETGEAR cable modem version CAX80: update to a patched version. As a temporary workaround, consider disabling the UPnP service until a patch is available. Restrict access to the vulnerable upnpd daemon to minimize the risk of exploitation. Avoid using the uuid request header in the affected API endpoint until the issue is resolved.