CVE-2021-45568 in RBK752info

Summary

by MITRE • 12/26/2021

Certain NETGEAR devices are affected by command injection by an authenticated user. This affects RBK752 before 3.2.16.6, RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before 3.2.16.6.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 12/28/2021

The vulnerability identified as CVE-2021-45568 represents a critical command injection flaw affecting multiple NETGEAR router models within the RBK and RBR series. This security weakness allows authenticated attackers with valid credentials to execute arbitrary commands on affected devices, potentially leading to complete system compromise. The affected models include RBK752, RBR750, RBS750, RBK852, RBR850, and RBS850, all prior to firmware version 3.2.16.6, indicating a widespread issue across several router variants in NETGEAR's product lineup.

The technical implementation of this vulnerability stems from improper input validation within the device's web interface or management protocols. When authenticated users submit specific inputs to vulnerable parameters, the system fails to properly sanitize or escape these inputs before processing them within the command execution context. This flaw directly maps to CWE-77, which describes improper neutralization of special elements used in command execution, and represents a classic command injection vulnerability that enables attackers to execute arbitrary system commands with the privileges of the affected service account.

The operational impact of this vulnerability extends beyond simple unauthorized access, as authenticated command injection can enable attackers to gain complete control over affected routers. This includes potential network reconnaissance, modification of routing tables, implementation of man-in-the-middle attacks, and establishment of persistent backdoors. The vulnerability's authenticated nature means that attackers must first obtain valid credentials, but once achieved, they can leverage the compromised device as a pivot point for further network exploitation, potentially affecting the entire local network infrastructure. This aligns with ATT&CK technique T1059.001 for command and scripting interpreter and T1021.001 for remote services.

Organizations affected by this vulnerability should immediately implement firmware updates to version 3.2.16.6 or later, which contain patches addressing the command injection flaw. Network administrators should also conduct thorough credential audits to ensure no unauthorized access has occurred, particularly focusing on default credentials that may have been exploited. Additional mitigations include implementing network segmentation to limit the blast radius of potential exploitation, monitoring for unusual network traffic patterns that might indicate command execution, and establishing robust access control policies for router management interfaces. The vulnerability demonstrates the critical importance of proper input validation and the potential consequences of inadequate sanitization of user-supplied data in network device management interfaces.

Responsible

MITRE

Reservation

12/25/2021

Disclosure

12/26/2021

Moderation

accepted

CPE

ready

EPSS

0.00695

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!