Network Everywhere's NR041 Router contains a flaw that may allow a malicious user to inject code into the web-based administrative interface by sending a specially crafted DHCP packet with a modified DHCP HOSTNAME. The issue is triggered when an administrator accesses the logs via the web-based interface, at which point their browser interprets the injected code. It is possible that the flaw may allow a remote attacker to take control of the administrator's session, resulting in a loss of integrity or availability.
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):
Don't view logs via the web-based interface. Also, because the DHCP HOSTNAME can only be injected by an attacker on the local network, monitoring for spurious DHCP packets is advisable.