CVE-2020-28041 - OpenCVE

The SIP ALG implementation on NETGEAR Nighthawk R7000 1.0.9.64_10.2.64 devices allows remote attackers to communicate with arbitrary TCP and UDP services on a victim's intranet machine, if the victim visits an attacker-controlled web site with a modern browser, aka NAT Slipstreaming. This occurs because the ALG takes action based on an IP packet with an initial REGISTER substring in the TCP data, and the correct intranet IP address in the subsequent Via header, without properly considering that connection progress and fragmentation affect the meaning of the packet data.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Netgear	Nighthawk R7000 Nighthawk R7000 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:netgear:nighthawk_r7000_firmware:1.0.9.64_10.2.64:*:*:*:*:*:*:*

cpe:2.3:h:netgear:nighthawk_r7000:-:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/samyk/slipstream	Third Party Advisory
https://news.ycombinator.com/item?id=24956616	Exploit Third Party Advisory
https://news.ycombinator.com/item?id=24958281	Exploit Third Party Advisory
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0024	Third Party Advisory
https://samy.pl/slipstream/	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-11-01T03:29:13

Updated: 2020-12-15T23:06:08

Reserved: 2020-11-01T00:00:00

Link: CVE-2020-28041

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-11-02T21:15:31.257

Modified: 2022-10-19T17:17:59.807

Link: CVE-2020-28041

JSON object: View

Redhat Information

No data.

CWE

CWE-276

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The SIP ALG implementation on NETGEAR Nighthawk R7000 1.0.9.64_10.2.64 devices allows remote attackers to communicate with arbitrary TCP and UDP services on a victim's intranet machine, if the victim visits an attacker-controlled web site with a modern browser, aka NAT Slipstreaming. This occurs because the ALG takes action based on an IP packet with an initial REGISTER substring in the TCP data, and the correct intranet IP address in the subsequent Via header, without properly considering that connection progress and fragmentation affect the meaning of the packet data."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-12-15T23:06:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://news.ycombinator.com/item?id=24956616"}, {"tags": ["x_refsource_MISC"], "url": "https://samy.pl/slipstream/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/samyk/slipstream"}, {"tags": ["x_refsource_MISC"], "url": "https://news.ycombinator.com/item?id=24958281"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0024"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-28041", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The SIP ALG implementation on NETGEAR Nighthawk R7000 1.0.9.64_10.2.64 devices allows remote attackers to communicate with arbitrary TCP and UDP services on a victim's intranet machine, if the victim visits an attacker-controlled web site with a modern browser, aka NAT Slipstreaming. This occurs because the ALG takes action based on an IP packet with an initial REGISTER substring in the TCP data, and the correct intranet IP address in the subsequent Via header, without properly considering that connection progress and fragmentation affect the meaning of the packet data."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://news.ycombinator.com/item?id=24956616", "refsource": "MISC", "url": "https://news.ycombinator.com/item?id=24956616"}, {"name": "https://samy.pl/slipstream/", "refsource": "MISC", "url": "https://samy.pl/slipstream/"}, {"name": "https://github.com/samyk/slipstream", "refsource": "MISC", "url": "https://github.com/samyk/slipstream"}, {"name": "https://news.ycombinator.com/item?id=24958281", "refsource": "MISC", "url": "https://news.ycombinator.com/item?id=24958281"}, {"name": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0024", "refsource": "CONFIRM", "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0024"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-28041", "datePublished": "2020-11-01T03:29:13", "dateReserved": "2020-11-01T00:00:00", "dateUpdated": "2020-12-15T23:06:08", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netgear:nighthawk_r7000_firmware:1.0.9.64_10.2.64:*:*:*:*:*:*:*", "matchCriteriaId": "6DEBFC20-467D-43F5-9A93-DA5E8F8B497D", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netgear:nighthawk_r7000:-:*:*:*:*:*:*:*", "matchCriteriaId": "08C70B18-BC2B-4986-B969-319FAA7D0A5A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The SIP ALG implementation on NETGEAR Nighthawk R7000 1.0.9.64_10.2.64 devices allows remote attackers to communicate with arbitrary TCP and UDP services on a victim's intranet machine, if the victim visits an attacker-controlled web site with a modern browser, aka NAT Slipstreaming. This occurs because the ALG takes action based on an IP packet with an initial REGISTER substring in the TCP data, and the correct intranet IP address in the subsequent Via header, without properly considering that connection progress and fragmentation affect the meaning of the packet data."}, {"lang": "es", "value": "La implementaci\u00f3n de SIP ALG en dispositivos NETGEAR Nighthawk R7000 versi\u00f3n 1.0.9.64_10.2.64, permite a atacantes remotos comunicarse con servicios TCP y UDP arbitrarios en la m\u00e1quina de la intranet de la v\u00edctima, si la v\u00edctima visita un sitio web controlado por un atacante con un navegador moderno, tambi\u00e9n conocido como NAT Slipstreaming . Esto ocurre porque el ALG toma acci\u00f3n en base a un paquete IP con una subcadena REGISTER inicial en los datos TCP y la direcci\u00f3n IP de intranet correcta en el encabezado Via subsiguiente, sin considerar apropiadamente que el progreso de la conexi\u00f3n y la fragmentaci\u00f3n afectan el significado de los datos del paquete"}], "id": "CVE-2020-28041", "lastModified": "2022-10-19T17:17:59.807", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-02T21:15:31.257", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/samyk/slipstream"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://news.ycombinator.com/item?id=24956616"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://news.ycombinator.com/item?id=24958281"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0024"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://samy.pl/slipstream/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Primary"}]}