CVE-2020-10924 : This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the UPnP service, which listens on TCP port 5000 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9643.

Published 2020-07-28 18:15:14

Updated 2020-07-29 18:29:49

Source Zero Day Initiative

View at NVD, CVE.org

Vulnerability category: Execute code

Exploit prediction scoring system (EPSS) score for CVE-2020-10924

Probability of exploitation activity in the next 30 days: 0.30%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 69 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2020-10924

Netgear R6700v3 Unauthenticated LAN Admin Password Reset

Disclosure Date: 2020-06-15

First seen: 2020-07-01

auxiliary/admin/http/netgear_r6700_pass_reset

This module targets ZDI-20-704 (aka CVE-2020-10924), a buffer overflow vulnerability in the UPNP daemon (/usr/sbin/upnpd), on Netgear R6700v3 routers running firmware versions from V1.0.2.62 up to but not including V1.0.4.94, to reset the password for the 'admin' user

More information

CVSS scores for CVE-2020-10924

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
8.3	HIGH	AV:A/AC:L/Au:N/C:C/I:C/A:C	6.5	10.0	NIST
Access Vector: Adjacent Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
8.8	HIGH	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	Zero Day Initiative
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.8	HIGH	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2020-10924

CWE-121 Stack-based Buffer Overflow

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Assigned by: zdi-disclosures@trendmicro.com (Primary)

References for CVE-2020-10924

https://www.zerodayinitiative.com/advisories/ZDI-20-704/

ZDI-20-704 | Zero Day Initiative
Third Party Advisory;VDB Entry

Products affected by CVE-2020-10924

Netgear » R6700 Firmware » Version: 1.0.4.84 10.0.58
cpe:2.3:o:netgear:r6700_firmware:1.0.4.84_10.0.58:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » R6700 » Version: N/A