Attacker Value
High
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Adjacent Network

CVE-2020-10924

Disclosure Date: July 28, 2020

Description

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the UPnP service, which listens on TCP port 5000 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9643.
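The bug class the description names (request-supplied data copied into a fixed-length stack buffer with no length check) is easiest to see with the vulnerable copy beside its hardened form. The following is an added, constructed example and not NETGEAR's upnpd source: a minimal dispatcher for the action name carried in a UPnP SOAPACTION header. The header layout is standard UPnP, but the buffer size, the action table and the function names are illustrative assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not upnpd's code. ACTION_MAX is an illustrative
 * fixed-length stack buffer size, chosen small so the bound is easy to see. */
#define ACTION_MAX 32
#define HDR "SOAPACTION: "

static const char *const known_actions[] = {
    "GetExternalIPAddress", "AddPortMapping", "DeletePortMapping",
};

/* Index of a known action name, or -1 if it is not one we serve. */
static int lookup_action(const char *name)
{
    for (size_t i = 0; i < sizeof known_actions / sizeof known_actions[0]; i++)
        if (strcmp(name, known_actions[i]) == 0)
            return (int)i;
    return -1;
}

/* Locate the action name in a header line of the form
 *   SOAPACTION: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"\r\n
 * Points *name at the byte after '#' and returns the name's length up to the
 * closing quote or end of line; -1 if the line is not a usable SOAPACTION header. */
static long find_action_name(const char *line, const char **name)
{
    if (strncmp(line, HDR, strlen(HDR)) != 0) return -1;
    const char *hash = strchr(line, '#');
    if (!hash) return -1;
    *name = hash + 1;
    return (long)strcspn(*name, "\"\r\n");
}

/* Vulnerable pattern: the attacker-controlled length n is never compared
 * with the buffer size before the copy, so a long action name overwrites
 * the stack past `action`. Never call this on untrusted input. */
int dispatch_unsafe(const char *line)
{
    char action[ACTION_MAX];
    const char *name;
    long n = find_action_name(line, &name);
    if (n < 0) return -1;
    memcpy(action, name, (size_t)n);   /* BUG: n may exceed ACTION_MAX - 1 */
    action[n] = '\0';
    return lookup_action(action);
}

/* Hardened form: refuse the request before copying, keeping room for the NUL. */
int dispatch_safe(const char *line)
{
    char action[ACTION_MAX];
    const char *name;
    long n = find_action_name(line, &name);
    if (n < 0) return -1;
    if ((size_t)n >= sizeof action) return -2;   /* too long: reject, do not truncate */
    memcpy(action, name, (size_t)n);
    action[n] = '\0';
    return lookup_action(action);
}

/* Constructed attacker-style request whose action name is `len` bytes of 'A'.
 * Returns the request length, or -1 if `out` is too small. */
int build_long_request(char *out, size_t out_sz, size_t len)
{
    const char *prefix = HDR "\"urn:schemas-upnp-org:service:WANIPConnection:1#";
    size_t need = strlen(prefix) + len + 3 + 1;   /* name + "\r\n + NUL */
    if (need > out_sz) return -1;
    strcpy(out, prefix);
    memset(out + strlen(prefix), 'A', len);
    strcpy(out + strlen(prefix) + len, "\"\r\n");
    return (int)strlen(out);
}

/* Feed a constructed request with a `len`-byte action name to the safe
 * dispatcher and return its verdict (-2 rejected as too long, -1 unknown). */
int long_request_verdict(size_t len)
{
    char req[512];
    if (build_long_request(req, sizeof req, len) < 0) return -3;
    return dispatch_safe(req);
}

int main(void)
{
    const char *good = HDR "\"urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\"\r\n";
    printf("safe/good   -> %d\n", dispatch_safe(good));
    printf("unsafe/good -> %d\n", dispatch_unsafe(good));
    printf("safe/200B   -> %d\n", long_request_verdict(200));
    /* dispatch_unsafe on the 200-byte request would overwrite the stack; not called. */
    return 0;
}
```

The fix is the single comparison before the copy, and it rejects rather than truncates: silently truncating an action name would let an over-long request dispatch as a different, shorter action, which is its own class of bug.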

Technical Analysis

This was a stack overflow vulnerability within the UPnP daemon (/usr/sbin/upnpd) of NETGEAR R6700v3 routers running firmware versions V1.0.2.62 up to but not including V1.0.4.94. It was exploited by Pedro Ribeiro and Radek Domanski of Team Flashback at the 2019 Pwn2Own Tokyo competition. Note that while this vulnerability does require authentication to exploit, attackers can easily bypass that requirement via CVE-2020-10923, as was done in the Pwn2Own competition.

Successful exploitation lets the attacker modify memory and settings on the target device. In the Pwn2Own competition, and in the Metasploit module that was subsequently created, this was used to reset the admin password to its factory default of 'password', after which the attacker can enable Telnet on the device and gain a shell as the root user.

Since a Metasploit module exists that reliably resets the admin password, and a root shell follows from that by enabling Telnet, it is strongly recommended to apply patches for this vulnerability. Do keep in mind that because this vulnerability relies on UPnP, an attacker would most likely still need to be on your local network to exploit it. If they do, however, they gain full control over the router itself, which could give them an initial foothold into your network or a way to hop between networks.

CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Adjacent Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • netgear

Products

  • R6700 firmware V1.0.4.84_10.0.58
