What is CVE-2021-23147?

CVE-2021-23147 is a publicly disclosed cybersecurity vulnerability with a MEDIUM severity rating and CVSS score of 6.8.

How to search for CVE vulnerabilities?

You can search the 4nuxd CVE database using CVE IDs, vendor names, product names, or severity levels.

CVE-2021-23147

MEDIUM6.8/ 10.0

Published: December 30, 2021 at 10:15 PM

Modified: November 21, 2024 at 05:51 AM

Source: vulnreport@tenable.com

Vulnerability Description

Netgear Nighthawk R6700 version 1.0.4.120 does not have sufficient protections for the UART console. A malicious actor with physical access to the device is able to connect to the UART port via a serial connection and execute commands as the root user without authentication.

CVSS Metrics

Base Score

6.8

Severity

MEDIUM

Vector String

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-287

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Netgear Nighthawk R6700 routers are vulnerable to a critical security flaw allowing unauthenticated root access via the UART console. An attacker with physical access can bypass all security measures and gain complete control of the device, potentially leading to data theft, network compromise, and device manipulation. This vulnerability poses a significant risk to home and small business networks.

02 // Vulnerability Mechanism

Step 1: Physical Access: The attacker gains physical access to the Netgear Nighthawk R6700 router.

Step 2: Hardware Disassembly (Optional): The attacker may need to disassemble the router to access the UART pins on the circuit board. This typically involves removing the router's casing.

Step 3: Serial Connection: The attacker connects a serial cable (e.g., a USB-to-TTL serial adapter) to the UART pins on the router's circuit board. The attacker must identify the correct pins (TX, RX, GND).

Step 4: Terminal Emulation: The attacker uses a terminal emulator (e.g., PuTTY, minicom, screen) on a computer to establish a serial connection to the router. They configure the terminal emulator with the correct baud rate (typically 115200) and other serial communication parameters.

Step 5: Command Execution: The attacker interacts with the root shell via the serial connection. They can then execute arbitrary commands with root privileges, effectively taking full control of the device.

03 // Deep Technical Analysis

The vulnerability stems from inadequate security measures on the UART (Universal Asynchronous Receiver/Transmitter) console, a serial communication interface typically used for debugging and low-level access. The firmware lacks authentication or authorization checks on the UART port. This allows an attacker to connect to the UART port with a serial connection and execute commands as the root user. The root cause is the absence of any authentication mechanism or access control list (ACL) on the UART console. The device trusts any input received through the UART port, allowing direct execution of commands with elevated privileges.