CVE-2021-40847 Information

Description

The update process of the Circle Parental Control Service on various NETGEAR routers allows remote attackers to achieve remote code execution as root via a MitM attack. While the parental controls themselves are not enabled by default on the routers the Circle update daemon circled is enabled by default. This daemon connects to Circle and NETGEAR to obtain version information and updates to the circled daemon and its filtering database. However database updates from NETGEAR are unsigned and downloaded via cleartext HTTP. As such an attacker with the ability to perform a MitM attack on the device can respond to circled update requests with a crafted compressed database file the extraction of which gives the attacker the ability to overwrite executable files with attacker-controlled code. This affects R6400v2 1.0.4.106 R6700 1.0.2.16 R6700v3 1.0.4.106 R6900 1.0.2.16 R6900P 1.3.2.134 R7000 1.0.11.123 R7000P 1.3.2.134 R7850 1.0.5.68 R7900 1.0.4.38 R8000 1.0.4.68 and RS400 1.5.0.68.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://blog.grimm-co.com/2021/09/mama-always-told-me-not-to-trust.html https://kb.netgear.com/000064039/Security-Advisory-for-Remote-Code-Execution-on-Some-Routers-PSV-2021-0204

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.1