NETGEAR has released patches to address severe vulnerabilities in its business-grade smart switches that could lead to complete device takeover.
In an advisory published Friday, just before the Labor Day holiday weekend in the U.S., NETGEAR said the flaws affect twenty device models, but refrained from sharing any technical details on the resolved issues. No CVE identifiers have been issued for any of the vulnerabilities.
On Monday, however, security researcher Gynvael Coldwind, who identified and reported the bugs, published information on two of the flaws, both of which could provide an attacker with administrator access to a vulnerable device.
The first of the flaws, which Coldwind refers to as Demon’s Cries, is an authentication bypass that could result in an attacker changing various settings on the device – including the administrator password –, to completely compromise it.
For the vulnerability to work, however, the NETGEAR Smart Control Center (SCC Control) needs to be manually enabled – the feature is disabled by default.
The researcher explains that, when enabled, the sccd daemon allows for various configuration changes. On certain devices, however, an authentication requirement on “set” commands is not enforced, meaning that an attacker could change the admin password on the device without knowing the previous password.
Coldwind assesses the vulnerability with a CVSS score of 9.8, underlining that it has a severity rating of critical. NETGEAR, on the other hand, says that the bug has a CVSS score of 8.8, with a severity rating of high.
The second vulnerability, which the researcher refers to as Draconian Fear, could allow an attacker to hijack the session bootstrapping information of an administrator and gain full admin access.
For successful exploitation, the attacker needs to have the same IP as the administrator logging into the vulnerable device. The attacker would also need to win “a race condition with a 1-second window,” the researcher says.
The issue is that, when the administrator logs in, the browser sends login information in a set.cgi handler and then polls a get.cgi handler for the session ID, where “get.cgi relies only on the IP and a guessable 1-5 browser type number for verification whether the polling party is actually the same as the party that sent in the login information,” the researcher explains.
Thus, an attacker on the same IP as the admin can send multiple requests to get.cgi and retrieve session information. The bug is rated high severity, with a CVSS score of 7.8, the researcher says (Netgear assesses it with a CVSS score of 7.4).
Coldwind has published proof-of-concept code for both vulnerabilities, but has refrained from revealing technical details on a third severe issue, which he refers to as Seventh Inferno. Details on this vulnerability will be published on September 13.
Affected device models include GC108P/PP/Tv3, GS110TPP/TPv3/TUP, GS308T, GS310TP/TUP, GS716TP/TPP, GS724TPP/TPv2, GS728TPPv2/TPv2, GS750E, GS752TPP/TPv2, and MS510TXM/TXUP switches. Netgear has released firmware updates for all affected products.