CVEdetails.com the ultimate security vulnerability data source

Vulnerability Details : CVE-2017-5521

An issue was discovered on NETGEAR R8500, R8300, R7000, R6400, R7300, R7100LG, R6300v2, WNDR3400v3, WNR3500Lv2, R6250, R6700, R6900, and R8000 devices. They are prone to password disclosure via simple crafted requests to the web management server. The bug is exploitable remotely if the remote management option is set, and can also be exploited given access to the router over LAN or WLAN. When trying to access the web panel, a user is asked to authenticate; if the authentication is canceled and password recovery is not enabled, the user is redirected to a page that exposes a password recovery token. If a user supplies the correct token to the page /passwordrecovered.cgi?id=TOKEN (and password recovery is not enabled), they will receive the admin password for the router. If password recovery is set the exploit will fail, as it will ask the user for the recovery questions that were previously set when enabling that feature. This is persistent (even after disabling the recovery option, the exploit will fail) because the router will ask for the security questions.
Publish Date: 2017-01-17   Last Update Date: 2017-08-31

- CVSS Scores & Vulnerability Types

CVSS Score: 4.3
Confidentiality Impact: Partial (There is considerable informational disclosure.)
Integrity Impact: None (There is no impact to the integrity of the system.)
Availability Impact: None (There is no impact to the availability of the system.)
Access Complexity: Medium (The access conditions are somewhat specialized. Some preconditions must be satisfied to exploit.)
Authentication: Not required (Authentication is not required to exploit the vulnerability.)
Gained Access: None
Vulnerability Type(s): Obtain Information
CWE ID: 200

- Products Affected By CVE-2017-5521

#   Product Type   Vendor    Product              Version    Update    Edition   Language
1   OS             Netgear   Ac1450 Firmware      1.0.0.34   10.0.16   -         -
2   OS             Netgear   D6220 Firmware       1.0.0.12   -         -         -
3   OS             Netgear   D6300 Firmware       1.0.0.96   -         -         -
4   OS             Netgear   D6300b Firmware      1.0.0.40   -         -         -
5   OS             Netgear   D6400 Firmware       1.0.0.44   -         -         -
6   OS             Netgear   Dgn2200bv4 Firmware  1.0.0.68   -         -         -
7   OS             Netgear   R6200 Firmware       1.0.1.56   1.0.43    -         -
8   OS             Netgear   R6300 Firmware       1.0.2.78   1.0.58    -         -
9   OS             Netgear   Vegn2610 Firmware    1.0.0.36   -         -         -
10  OS             Netgear   Wndr3700v3 Firmware  1.0.0.40   1.0.32    -         -
11  OS             Netgear   Wndr4000 Firmware    1.0.2.4    9.1.86    -         -
12  OS             Netgear   Wndr4500 Firmware    1.0.1.44   1.0.73    -         -
13  OS             Netgear   Wnr1000v3 Firmware   1.0.2.68   60.0.93   -         -

- Number Of Affected Versions By Product

Vendor Product Vulnerable Versions
Netgear Ac1450 Firmware 1
Netgear D6220 Firmware 1
Netgear D6300 Firmware 1
Netgear D6300b Firmware 1
Netgear D6400 Firmware 1
Netgear Dgn2200bv4 Firmware 1
Netgear R6200 Firmware 1
Netgear R6300 Firmware 1
Netgear Vegn2610 Firmware 1
Netgear Wndr3700v3 Firmware 1
Netgear Wndr4000 Firmware 1
Netgear Wndr4500 Firmware 1
Netgear Wnr1000v3 Firmware 1

- References For CVE-2017-5521

https://www.exploit-db.com/exploits/41205/ (EXPLOIT-DB 41205)
http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability (CONFIRM)
http://www.securityfocus.com/bid/95457 (BID 95457)

- Vulnerability Conditions

Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)

- Metasploit Modules Related To CVE-2017-5521

NETGEAR Administrator Password Disclosure
This module will collect the password for the `admin` user. The exploit will not complete if password recovery is set on the router. The password is received by passing the token generated from `unauth.cgi` to `passwordrecovered.cgi`. This exploit works on many different NETGEAR products. The full list of affected products is available in the 'References' section.
Module type: auxiliary   Rank: normal
