CVE-2020-35799

8.8 HIGH

📋 TL;DR

This CVE describes a stack-based buffer overflow vulnerability in multiple NETGEAR routers, range extenders, and WiFi systems. An unauthenticated attacker can exploit this remotely to potentially execute arbitrary code or cause denial of service. Affected devices include numerous D, EX, R, RBK, WN, and XR series models.

💻 Affected Systems

Products:
  • NETGEAR D3600
  • D6000
  • D6200
  • D7000
  • D7800
  • DM200
  • EX2700
  • EX6100v2
  • EX6150v2
  • EX6200v2
  • EX6400
  • EX7300
  • EX8000
  • JR6150
  • PR2000
  • R6020
  • R6050
  • R6080
  • R6120
  • R6220
  • R6230
  • R6260
  • R6700v2
  • R6800
  • R6900v2
  • R7500v2
  • R7800
  • R8900
  • R9000
  • RBK20
  • RBR20
  • RBS20
  • RBK40
  • RBR40
  • RBS40
  • RBK50
  • RBR50
  • RBS50
  • WN2000RPTv3
  • WN3000RPv2
  • WN3000RPv3
  • WN3100RPv2
  • WNR2000v5
  • WNR2020
  • XR450
  • XR500
Versions: Firmware versions before those specified in the CVE description (e.g., D3600 before 1.0.0.76, D6000 before 1.0.0.78, etc.)
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All affected devices with default configurations are vulnerable. The vulnerability is pre-authentication, requiring no user credentials.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to full device compromise, network infiltration, and persistent backdoor installation.
🟠 Likely Case: Denial of service causing device crashes and network disruption.
🟢 If Mitigated: Limited impact if devices are behind firewalls with strict inbound filtering.

🌐 Internet-Facing: HIGH - Devices directly exposed to the internet are vulnerable to remote unauthenticated attacks.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this if they reach the device's management interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is pre-authentication and has public proof-of-concept code available, making exploitation relatively straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions specified in the CVE description (e.g., D3600 1.0.0.76 or later, D6000 1.0.0.78 or later, etc.)

Vendor Advisory: https://kb.netgear.com/000062709/Security-Advisory-for-Pre-Authentication-Stack-Overflow-on-Some-Routers-Range-Extenders-and-WiFi-Systems-PSV-2018-0296

Restart Required: Yes

Instructions:

1. Identify your device model and current firmware version.
2. Visit the NETGEAR support website.
3. Download the latest firmware for your specific model.
4. Log into the device's web interface.
5. Navigate to the firmware update section.
6. Upload and install the new firmware file.
7. Reboot the device after installation completes.

🔧 Temporary Workarounds

  • Network Segmentation and Firewall Rules (all platforms): Restrict access to the device's management interface from untrusted networks.
  • Disable Remote Management (all platforms): Turn off remote management features if not required.

🧯 If You Can't Patch

  • Replace affected devices with patched models or alternative vendors.
  • Isolate vulnerable devices in a dedicated network segment with strict access controls.

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the device's web interface under Administration or Advanced settings and compare with patched versions listed in the CVE.

Check Version:

No universal command; check via web interface or device-specific CLI if available.

Verify Fix Applied:

Confirm the firmware version matches or exceeds the patched version specified for your device model.
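
The version comparison described above can be scripted across a device inventory. The following is an added example, not code from NETGEAR or from this page. It assumes firmware strings look like `V1.0.0.76` or `1.0.0.76_1.0.1`, uses only the two fixed versions quoted on this page, and runs on a constructed inventory; `OTHER-1` is a hypothetical model name.

```python
import re

# Minimum fixed firmware per model. Only the two thresholds quoted on this
# page are filled in; take the others from the NETGEAR advisory.
FIXED = {"D3600": (1, 0, 0, 76), "D6000": (1, 0, 0, 78)}

# Subset of the affected-model list above; extend it from the page as needed.
AFFECTED = {"D3600", "D6000", "D6200", "R7800", "R9000", "EX6100v2", "RBR50", "XR500"}

def parse_version(text):
    """Return the leading dotted version as a tuple of ints, or None.

    Assumption: an optional 'V' prefix and any suffix after the dotted
    part (e.g. '_1.0.1') are not part of the comparison.
    """
    m = re.match(r"\s*[Vv]?(\d+(?:\.\d+)+)", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def assess(model, firmware):
    """Classify one inventory entry against the fixed-version table."""
    if model not in AFFECTED:
        return "not-listed"
    fixed = FIXED.get(model)
    if fixed is None:
        return "check-advisory"  # affected, but threshold is not on this page
    current = parse_version(firmware)
    if current is None:
        return "unparseable"
    # Pad to equal length so 1.0.1 compares like 1.0.1.0. Comparison is
    # numeric per field, so 1.0.0.100 correctly ranks above 1.0.0.78.
    width = max(len(current), len(fixed))
    current += (0,) * (width - len(current))
    fixed += (0,) * (width - len(fixed))
    return "patched" if current >= fixed else "vulnerable"

# Constructed sample inventory: (model, firmware string as reported).
INVENTORY = [
    ("D3600", "V1.0.0.75"),
    ("D3600", "1.0.0.76"),
    ("D6000", "V1.0.0.100_1.0.1"),
    ("R7800", "V1.0.2.60"),
    ("D6000", "unknown"),
    ("OTHER-1", "V1.0.0.1"),
]

def audit(inventory):
    return [(model, fw, assess(model, fw)) for model, fw in inventory]

if __name__ == "__main__":
    for model, fw, status in audit(INVENTORY):
        print(f"{model:10} {fw:20} {status}")
```

Entries reported as `check-advisory` or `unparseable` need a manual look rather than being treated as patched.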

📡 Detection & Monitoring

Log Indicators:

  • Unexpected device reboots
  • Crash logs in system logs
  • Unusual network traffic to device management ports

Network Indicators:

  • Exploit traffic patterns to device management ports (typically 80/443)
  • Sudden increase in malformed HTTP requests

SIEM Query:

Example: 'source="netgear-router" AND (event_type="crash" OR event_type="reboot")'
