Vulnerability CVE-2020-28041

Vulnerability Name:

CVE-2020-28041 (CCN-191100)

Assigned:

2020-11-02

Published:

2020-11-02

Updated:

2022-10-19

Summary:

The SIP ALG implementation on NETGEAR Nighthawk R7000 1.0.9.64_10.2.64 devices allows remote attackers to communicate with arbitrary TCP and UDP services on a victim's intranet machine, if the victim visits an attacker-controlled web site with a modern browser, aka NAT Slipstreaming. This occurs because the ALG takes action based on an IP packet with an initial REGISTER substring in the TCP data, and the correct intranet IP address in the subsequent Via header, without properly considering that connection progress and fragmentation affect the meaning of the packet data.

CVSS v3 Severity:

6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:U/RC:R)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:U/RC:R)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:C/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Complete Availibility (A): None

Vulnerability Type:

CWE-276

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2020-28041

Source: XF
Type: UNKNOWN
netgear-cve202028041-sec-bypass(191100)

Source: CCN
Type: GitHub Web site
NETGEAR Nighthawk

Source: MISC
Type: Third Party Advisory
https://github.com/samyk/slipstream

Source: MISC
Type: Exploit, Third Party Advisory
https://news.ycombinator.com/item?id=24956616

Source: MISC
Type: Exploit, Third Party Advisory
https://news.ycombinator.com/item?id=24958281

Source: CONFIRM
Type: Third Party Advisory
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0024

Source: MISC
Type: Exploit, Third Party Advisory
https://samy.pl/slipstream/

Source: CCN
Type: Netgear Web site
Netgear

Vulnerable Configuration:

Configuration 1:

cpe:/o:netgear:nighthawk_r7000_firmware:1.0.9.64_10.2.64:*:*:*:*:*:*:*

AND

cpe:/h:netgear:nighthawk_r7000:-:*:*:*:*:*:*:*

Denotes that component is vulnerable

BACK