Multivendor Vulnerability Alert
Netgear DGN2200B pppoe_username Command Execution Vulnerability
Medium
Alert ID:
29908
First Published:
2013 July 2 14:13 GMT
Version:
1
CVSS Score:
Base 6.4,
Temporal 5.8
Click Icon to Copy Verbose Score
AV:N/AC:L/Au:N/C:P/I:P/A:N/E:POC/RL:U/RC:C
Click Icon to Copy Verbose Score
AV:N/AC:L/Au:N/C:P/I:P/A:N/E:POC/RL:U/RC:C
-
A vulnerability in Netgear DGN2200B could allow an unauthenticated, remote attacker to execute arbitrary shell commands.
The vulnerability is due to an authentication failure error within affected software. An exploit could allow the attacker to disclose authorized Point-to-Point Protocol over Ethernet (PPPoE) data from the device. The attacker may leverage this vulnerability to conduct additional attacks.
Proof-of-concept code that exploits this vulnerability is publicly available.
Netgear has not confirmed this vulnerability and updated software is not available.
-
Netgear DGN2200B firmware version 1.0.0.36_7.0.36 is vulnerable. Other versions could also be vulnerable.
-
The vulnerability is due to insufficient input validation in the pppoe_username parameter while processing HTTP requests.
An unauthenticated, remote attacker could exploit this vulnerability by transmitting crafted requests to the affected device. Successful exploitation could allow the attacker to disclose unauthorized Point-to-Point Protocol over Ethernet (PPPoE). The attacker could use this information to launch additional attacks or to inject and execute arbitrary shell commands.
-
Successful exploitation could allow the attacker to upload and execute a backdoor to carry out additional attacks.
-
Administrators are advised to contact the vendor regarding future updates and releases.
Administrators are advised to allow only trusted users to have network access.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
Administrators are advised to monitor affected systems.
-
Vendor announcements are not available.
-
Software updates are not available.
-
Cisco Intrusion Prevention System (IPS) 6.0 Signature ID Signature Name Release Latest Release Date 2458/0 Netgear DGN2200B PPPoe_username Command Execution S745 10/01/2013
-
Show LessVersion Description Section Date 1 Initial Release 2013-July-02 14:13 GMT
-
The security vulnerability applies to the following combinations of products.
Primary Products NETGEAR DGN2200B 1.0 (.0.36) Associated Products
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products