CVE-2021-34991

Q: What is the severity of CVE-2021-34991?

CVE-2021-34991 has a CVSS score of 8.8 (HIGH). This is a critical buffer overflow vulnerability in NETGEAR R6400v2 routers that allows network-adjacent attackers to execute arbitrary code as root without authentication. The flaw exists in the UPnP service when processing uuid headers, enabling remote code execution. All users of affected NETGEAR router models with vulnerable firmware versions are at risk.

8.8 HIGH

Remote Code Execution Buffer Overflow

📋 TL;DR

This is a critical buffer overflow vulnerability in NETGEAR R6400v2 routers that allows network-adjacent attackers to execute arbitrary code as root without authentication. The flaw exists in the UPnP service when processing uuid headers, enabling remote code execution. All users of affected NETGEAR router models with vulnerable firmware versions are at risk.

💻 Affected Systems

Products:

NETGEAR R6400v2

Versions: Firmware version 1.0.4.106_10.0.80 and earlier

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: UPnP service enabled by default on port 5000. Other NETGEAR models may also be affected per vendor advisory.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router compromise with root-level access, allowing attacker to intercept all network traffic, install persistent malware, pivot to internal networks, and brick the device.

🟠

Likely Case

Router takeover leading to man-in-the-middle attacks, credential theft, DNS hijacking, and botnet recruitment.

🟢

If Mitigated

Limited to denial of service if UPnP is disabled or network segmentation prevents access to port 5000.

🌐 Internet-Facing: HIGH

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

ZDI published technical details and proof-of-concept. Exploitation requires network adjacency but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware version 1.0.4.120 or later

Vendor Advisory: https://kb.netgear.com/000064361/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0168

Restart Required: Yes

Instructions:

1. Log into router admin interface. 2. Navigate to Advanced > Administration > Firmware Update. 3. Check for updates and install latest firmware. 4. Reboot router after update completes.

🔧 Temporary Workarounds

Disable UPnP Service

all

Turn off Universal Plug and Play service to prevent exploitation

Navigate to Advanced > Advanced Setup > UPnP and disable

Block Port 5000

linux

Block external and internal access to UPnP service port

Add firewall rule: iptables -A INPUT -p tcp --dport 5000 -j DROP

🧯 If You Can't Patch

Segment router onto isolated network segment with strict access controls
Implement network monitoring for suspicious traffic to port 5000

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under Advanced > Administration > Firmware Update

Check Version:

curl -s http://routerlogin.com/currentsetting.htm | grep Firmware

Verify Fix Applied:

Confirm firmware version is 1.0.4.120 or later and UPnP service is either disabled or patched

📡 Detection & Monitoring

Log Indicators:

Multiple malformed UPnP requests to port 5000
Buffer overflow errors in router logs
Unusual process execution

Network Indicators:

Exploit traffic patterns to TCP port 5000
Shellcode patterns in network captures
Unusual outbound connections from router

SIEM Query:

source="router" dest_port=5000 AND (http_user_agent CONTAINS "uuid" OR payload_size>1024)

📊 Metadata

CVE ID: CVE-2021-34991

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-121

Published: November 15, 2021

Last Updated: November 21, 2024

🔗 References

https://kb.netgear.com/000064361/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0168 Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-1303/ Third Party Advisory,VDB Entry
https://kb.netgear.com/000064361/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0168 Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-1303/ Third Party Advisory,VDB Entry

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Cax80 Firmware by Netgear

D6220 Firmware by Netgear

D6400 Firmware by Netgear

D7000v2 Firmware by Netgear

Dc112a Firmware by Netgear

Dgn2200v4 Firmware by Netgear

Ex3700 Firmware by Netgear

Ex3800 Firmware by Netgear

Ex6120 Firmware by Netgear

Ex6130 Firmware by Netgear

R6400 Firmware by Netgear

R6400v2 Firmware by Netgear

R6700v3 Firmware by Netgear

R6900p Firmware by Netgear

R7000 Firmware by Netgear

R7000p Firmware by Netgear

R7100lg Firmware by Netgear

R7850 Firmware by Netgear

R7900p Firmware by Netgear

R7960p Firmware by Netgear

R8000 Firmware by Netgear

R8000p Firmware by Netgear

R8300 Firmware by Netgear

R8500 Firmware by Netgear

Rax15 Firmware by Netgear

Rax20 Firmware by Netgear

Rax200 Firmware by Netgear

Rax35v2 Firmware by Netgear

Rax38v2 Firmware by Netgear

Rax40v2 Firmware by Netgear

Rax42 Firmware by Netgear

Rax43 Firmware by Netgear

Rax45 Firmware by Netgear

Rax48 Firmware by Netgear

Rax50 Firmware by Netgear

Rax50s Firmware by Netgear

Rax75 Firmware by Netgear

Rax80 Firmware by Netgear

Raxe450 Firmware by Netgear

Raxe500 Firmware by Netgear

Rs400 Firmware by Netgear

Wndr3400v3 Firmware by Netgear

Wnr3500lv2 Firmware by Netgear

Xr300 Firmware by Netgear