CVE-2022-27643

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700v3 1.0.4.120_10.0.91 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of SOAP requests. When parsing the SOAPAction header, the process does not properly validate the length of user-supplied data prior to copying it to a buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15692.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://kb.netgear.com/000064720/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0323	Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-519/	Third Party Advisory VDB Entry
https://kb.netgear.com/000064720/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0323	Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-519/	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:netgear:r6400_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r6400:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:netgear:r6400_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r6400:v2:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:netgear:r6700_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r6700:v3:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:netgear:r6900p_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r6900p:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:netgear:r7000_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r7000:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:netgear:r7000p_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r7000p:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:netgear:r7850_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r7850:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:netgear:r7900p_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r7900p:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

cpe:2.3:o:netgear:r7960p_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r7960p:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:o:netgear:r8000_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r8000:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND

cpe:2.3:o:netgear:r8000p_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r8000p:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND

cpe:2.3:o:netgear:r8500_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r8500:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND

cpe:2.3:o:netgear:rax200_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rax200:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND

cpe:2.3:o:netgear:rax75_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rax75:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND

cpe:2.3:o:netgear:rax80_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rax80:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND

cpe:2.3:o:netgear:rs400_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rs400:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND

cpe:2.3:o:netgear:r7100lg_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r7100lg:-:*:*:*:*:*:*:*

Configuration 18 (hide)

AND

cpe:2.3:o:netgear:wndr3400_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:wndr3400:v3:*:*:*:*:*:*:*

Configuration 19 (hide)

AND

cpe:2.3:o:netgear:wnr3500l_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:wnr3500l:v2:*:*:*:*:*:*:*

Configuration 20 (hide)

AND

cpe:2.3:o:netgear:xr300_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:xr300:-:*:*:*:*:*:*:*

Configuration 21 (hide)

AND

cpe:2.3:o:netgear:dc112a_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:dc112a:-:*:*:*:*:*:*:*

Configuration 22 (hide)

AND

cpe:2.3:o:netgear:d6220_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:d6220:-:*:*:*:*:*:*:*

Configuration 23 (hide)

AND

cpe:2.3:o:netgear:d6400_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:d6400:-:*:*:*:*:*:*:*

Configuration 24 (hide)

AND

cpe:2.3:o:netgear:ex3700_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:ex3700:-:*:*:*:*:*:*:*

Configuration 25 (hide)

AND

cpe:2.3:o:netgear:ex3800_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:ex3800:-:*:*:*:*:*:*:*

Configuration 26 (hide)

AND

cpe:2.3:o:netgear:ex6120_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:ex6120:-:*:*:*:*:*:*:*

Configuration 27 (hide)

AND

cpe:2.3:o:netgear:ex6130_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:ex6130:-:*:*:*:*:*:*:*

Configuration 28 (hide)

AND

cpe:2.3:o:netgear:d7000v2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:d7000v2:-:*:*:*:*:*:*:*

History

21 Nov 2024, 06:56

Type	Values Removed	Values Added
References	~~() https://kb.netgear.com/000064720/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0323 - Vendor Advisory~~	() https://kb.netgear.com/000064720/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0323 - Vendor Advisory
References	~~() https://www.zerodayinitiative.com/advisories/ZDI-22-519/ - Third Party Advisory, VDB Entry~~	() https://www.zerodayinitiative.com/advisories/ZDI-22-519/ - Third Party Advisory, VDB Entry

05 Apr 2023, 15:06

Type	Values Removed	Values Added
First Time		Netgear rax200 Netgear wndr3400 Firmware Netgear ex6130 Firmware Netgear r6400 Netgear r6400 Firmware Netgear d6220 Firmware Netgear r7100lg Firmware Netgear rs400 Firmware Netgear ex3800 Netgear r7850 Netgear r7900p Netgear rax200 Firmware Netgear xr300 Netgear r6700 Netgear ex6120 Netgear r8000 Firmware Netgear r8500 Firmware Netgear r7000 Netgear ex6130 Netgear xr300 Firmware Netgear r8000p Firmware Netgear d7000v2 Firmware Netgear d7000v2 Netgear r8500 Netgear wndr3400 Netgear r6900p Netgear r7000p Netgear r8000p Netgear wnr3500l Firmware Netgear r7960p Netgear rax80 Firmware Netgear ex3700 Netgear rs400 Netgear rax80 Netgear r6700 Firmware Netgear Netgear r7850 Firmware Netgear rax75 Firmware Netgear dc112a Firmware Netgear r7900p Firmware Netgear r7000 Firmware Netgear ex6120 Firmware Netgear dc112a Netgear r7100lg Netgear d6400 Firmware Netgear d6220 Netgear r6900p Firmware Netgear r8000 Netgear r7000p Firmware Netgear wnr3500l Netgear rax75 Netgear d6400 Netgear ex3700 Firmware Netgear r7960p Firmware Netgear ex3800 Firmware
References	~~(MISC) https://kb.netgear.com/000064720/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0323 -~~	(MISC) https://kb.netgear.com/000064720/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0323 - Vendor Advisory
References	~~(MISC) https://www.zerodayinitiative.com/advisories/ZDI-22-519/ -~~	(MISC) https://www.zerodayinitiative.com/advisories/ZDI-22-519/ - Third Party Advisory, VDB Entry
CPE		cpe:2.3:h:netgear:r7000p:-:::::::* cpe:2.3:h:netgear:rax75:-:::::::* cpe:2.3:o:netgear:r7850_firmware:::::::: cpe:2.3:o:netgear:wndr3400_firmware:::::::: cpe:2.3:h:netgear:wnr3500l:v2:::::::* cpe:2.3:o:netgear:ex6130_firmware:::::::: cpe:2.3:h:netgear:r7900p:-:::::::* cpe:2.3:h:netgear:wndr3400:v3:::::::* cpe:2.3:o:netgear:rax80_firmware:::::::: cpe:2.3:h:netgear:r7850:-:::::::* cpe:2.3:o:netgear:xr300_firmware:::::::: cpe:2.3:o:netgear:r7960p_firmware:::::::: cpe:2.3:o:netgear:r7000_firmware:::::::: cpe:2.3:o:netgear:r8000p_firmware:::::::: cpe:2.3:o:netgear:r6900p_firmware:::::::: cpe:2.3:h:netgear:r8000p:-:::::::* cpe:2.3:o:netgear:r8500_firmware:::::::: cpe:2.3:o:netgear:rs400_firmware:::::::: cpe:2.3:h:netgear:d6400:-:::::::* cpe:2.3:h:netgear:r6400:v2:::::::* cpe:2.3:o:netgear:rax200_firmware:::::::: cpe:2.3:h:netgear:r8000:-:::::::* cpe:2.3:o:netgear:r8000_firmware:::::::: cpe:2.3:h:netgear:r6700:v3:::::::* cpe:2.3:o:netgear:r6400_firmware:::::::: cpe:2.3:h:netgear:ex6130:-:::::::* cpe:2.3:h:netgear:r7960p:-:::::::* cpe:2.3:o:netgear:rax75_firmware:::::::: cpe:2.3:h:netgear:r7100lg:-:::::::* cpe:2.3:o:netgear:d6220_firmware:::::::: cpe:2.3:h:netgear:dc112a:-:::::::* cpe:2.3:o:netgear:ex6120_firmware:::::::: cpe:2.3:h:netgear:r6400:-:::::::* cpe:2.3:h:netgear:r6900p:-:::::::* cpe:2.3:h:netgear:rs400:-:::::::* cpe:2.3:o:netgear:r7100lg_firmware:::::::: cpe:2.3:o:netgear:dc112a_firmware:::::::: cpe:2.3:o:netgear:ex3700_firmware:::::::: cpe:2.3:h:netgear:d7000v2:-:::::::* cpe:2.3:h:netgear:rax80:-:::::::* cpe:2.3:o:netgear:wnr3500l_firmware:::::::: cpe:2.3:o:netgear:r7000p_firmware:::::::: cpe:2.3:h:netgear:d6220:-:::::::* cpe:2.3:h:netgear:r7000:-:::::::* cpe:2.3:o:netgear:r6700_firmware:::::::: cpe:2.3:o:netgear:r7900p_firmware:::::::: cpe:2.3:h:netgear:ex6120:-:::::::* cpe:2.3:h:netgear:ex3700:-:::::::* cpe:2.3:h:netgear:xr300:-:::::::* cpe:2.3:o:netgear:ex3800_firmware:::::::: cpe:2.3:o:netgear:d7000v2_firmware:::::::: cpe:2.3:h:netgear:ex3800:-:::::::* cpe:2.3:h:netgear:rax200:-:::::::* cpe:2.3:h:netgear:r8500:-:::::::* cpe:2.3:o:netgear:d6400_firmware::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8

29 Mar 2023, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-03-29 19:15

Updated : 2024-11-21 06:56

NVD link : CVE-2022-27643

Mitre link : CVE-2022-27643

CVE.ORG link : CVE-2022-27643

JSON object : View

Products Affected

netgear

r6900p_firmware
dc112a_firmware
r7900p_firmware
dc112a
r8000p_firmware
r7000p_firmware
xr300
rax75_firmware
r6900p
rs400
r6700_firmware
r7850
r8500
rax200_firmware
r6400_firmware
r7000_firmware
rax80_firmware
wnr3500l
wndr3400
xr300_firmware
d7000v2_firmware
rax75
wndr3400_firmware
r7960p
r6700
d6400_firmware
ex3800
ex6130_firmware
d6220
ex6120_firmware
d6400
rax200
rs400_firmware
wnr3500l_firmware
r7000p
ex3700_firmware
r6400
r7960p_firmware
rax80
ex6120
r7000
r8500_firmware
ex3800_firmware
d7000v2
r8000
ex6130
r7850_firmware
r7100lg_firmware
d6220_firmware
r7100lg
r8000p
r7900p
ex3700
r8000_firmware

CWE

CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

8.8 /10