NETGEAR Multiple Routers httpd Missing Authentication for Critical Function Information Disclosure Vulnerability
CVE Number – CVE-2021-34983
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of multiple NETGEAR routers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of authentication prior to allowing access to system configuration information. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.
Extenders:
- EX6120 fixed in firmware version 1.0.0.66
- EX6130 fixed in firmware version 1.0.0.66
- EX7500 fixed in firmware version 1.0.1.76
Routers:
- R6400 fixed in firmware version 1.0.1.76
- R6400v2 fixed in firmware version 1.0.4.120
- R6700v3 fixed in firmware version 1.0.4.120
- R6900P fixed in firmware version 1.3.3.142_HOTFIX
- R7000 fixed in firmware version 1.0.11.128
- R7000P fixed in firmware version 1.3.3.142_HOTFIX
- R7850 fixed in firmware version 1.0.5.76
- R7900P fixed in firmware version 1.4.2.84
- R7960P fixed in firmware version 1.4.2.84
- R8000 fixed in firmware version 1.0.4.76
- R8000P fixed in firmware version 1.4.2.84
- RAX15 fixed in firmware version 1.0.4.100
- RAX20 fixed in firmware version 1.0.4.100
- RAX200 fixed in firmware version 1.0.5.132
- RAX35v2 fixed in firmware version 1.0.4.100
- RAX38v2 fixed in firmware version 1.0.4.100
- RAX40v2 fixed in firmware version 1.0.4.100
- RAX42 fixed in firmware version 1.0.4.100
- RAX43 fixed in firmware version 1.0.4.100
- RAX45 fixed in firmware version 1.0.4.100
- RAX48 fixed in firmware version 1.0.4.100
- RAX50 fixed in firmware version 1.0.4.100
- RAX50S fixed in firmware version 1.0.4.100
- RAX75 fixed in firmware version 1.0.5.132
- RAX80 fixed in firmware version 1.0.5.132
- RAXE450 fixed in firmware version 1.0.8.70
- RAXE500 fixed in firmware version 1.0.8.70
- RS400 fixed in firmware version 1.5.1.80
- WNDR3400v3 fixed in firmware version 1.0.1.42
- WNR3500Lv2 fixed in firmware version 1.2.0.70
DSL Modem Routers:
- D6220 fixed in firmware version 1.0.0.76
- D6400 fixed in firmware version 1.0.0.108
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.