CVE-2021-27257 — MEDIUM (6.5)

Q: How severe is CVE-2021-27257?

CVE-2021-27257 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-27257?

Check the references section above for vendor advisories and patch information. Affected products include: Netgear Br200 Firmware, Netgear Br200, Netgear Br500 Firmware, Netgear Br500, Netgear D7800 Firmware.

Vulnerability Description

This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of NETGEAR R7800 firmware version 1.0.2.76. Authentication is not required to exploit this vulnerability. The specific flaw exists within the downloading of files via FTP. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-12362.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Netgear	Br200 Firmware	< 5.10.0.5
Netgear	Br200	-
Netgear	Br500 Firmware	< 5.10.0.5
Netgear	Br500	-
Netgear	D7800 Firmware	< 1.0.1.60
Netgear	D7800	-
Netgear	Ex6100V2 Firmware	< 1.0.1.98
Netgear	Ex6100V2	-
Netgear	Ex6150V2 Firmware	< 1.0.1.98
Netgear	Ex6150V2	-
Netgear	Ex6250 Firmware	< 1.0.0.134
Netgear	Ex6250	-
Netgear	Ex6400 Firmware	< 1.0.2.158
Netgear	Ex6400	-
Netgear	Ex6400V2 Firmware	< 1.0.0.134
Netgear	Ex6400V2	-
Netgear	Ex6410 Firmware	< 1.0.0.134
Netgear	Ex6410	-
Netgear	Ex6420 Firmware	< 1.0.0.134
Netgear	Ex6420	-

Related Weaknesses (CWE)

CWE-295

References

https://kb.netgear.com/000062883/Security-Advisory-for-Multiple-Vulnerabilities-PatchVendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-264/Third Party AdvisoryVDB Entry
https://kb.netgear.com/000062883/Security-Advisory-for-Multiple-Vulnerabilities-PatchVendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-264/Third Party AdvisoryVDB Entry

FAQ

What is CVE-2021-27257?

CVE-2021-27257 is a vulnerability with a CVSS score of 6.5 (MEDIUM). This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of NETGEAR R7800 firmware version 1.0.2.76. Authentication is not r...

How severe is CVE-2021-27257?

CVE-2021-27257 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-27257?

Check the references section above for vendor advisories and patch information. Affected products include: Netgear Br200 Firmware, Netgear Br200, Netgear Br500 Firmware, Netgear Br500, Netgear D7800 Firmware.