Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

NETGEAR Patches Severe Vulnerabilities in Business Switches

NETGEAR has released patches to address severe vulnerabilities in its business-grade smart switches that could lead to complete device takeover.

NETGEAR has released patches to address severe vulnerabilities in its business-grade smart switches that could lead to complete device takeover.

In an advisory published Friday, just before the Labor Day holiday weekend in the U.S., NETGEAR said the flaws affect twenty device models, but refrained from sharing any technical details on the resolved issues. No CVE identifiers have been issued for any of the vulnerabilities.

On Monday, however, security researcher Gynvael Coldwind, who identified and reported the bugs, published information on two of the flaws, both of which could provide an attacker with administrator access to a vulnerable device.

The first of the flaws, which Coldwind refers to as Demon’s Cries, is an authentication bypass that could result in an attacker changing various settings on the device – including the administrator password –, to completely compromise it.

For the vulnerability to work, however, the NETGEAR Smart Control Center (SCC Control) needs to be manually enabled – the feature is disabled by default.

The researcher explains that, when enabled, the sccd daemon allows for various configuration changes. On certain devices, however, an authentication requirement on “set” commands is not enforced, meaning that an attacker could change the admin password on the device without knowing the previous password.

Coldwind assesses the vulnerability with a CVSS score of 9.8, underlining that it has a severity rating of critical. NETGEAR, on the other hand, says that the bug has a CVSS score of 8.8, with a severity rating of high.

The second vulnerability, which the researcher refers to as Draconian Fear, could allow an attacker to hijack the session bootstrapping information of an administrator and gain full admin access.

For successful exploitation, the attacker needs to have the same IP as the administrator logging into the vulnerable device. The attacker would also need to win “a race condition with a 1-second window,” the researcher says.

The issue is that, when the administrator logs in, the browser sends login information in a set.cgi handler and then polls a get.cgi handler for the session ID, where “get.cgi relies only on the IP and a guessable 1-5 browser type number for verification whether the polling party is actually the same as the party that sent in the login information,” the researcher explains.

Thus, an attacker on the same IP as the admin can send multiple requests to get.cgi and retrieve session information. The bug is rated high severity, with a CVSS score of 7.8, the researcher says (Netgear assesses it with a CVSS score of 7.4).

Coldwind has published proof-of-concept code for both vulnerabilities, but has refrained from revealing technical details on a third severe issue, which he refers to as Seventh Inferno. Details on this vulnerability will be published on September 13.

Affected device models include GC108P/PP/Tv3, GS110TPP/TPv3/TUP, GS308T, GS310TP/TUP, GS716TP/TPP, GS724TPP/TPv2, GS728TPPv2/TPv2, GS750E, GS752TPP/TPv2, and MS510TXM/TXUP switches. Netgear has released firmware updates for all affected products.

Related: Critical, Exploitable Flaws in NETGEAR Router Firmware

Related: Unpatched Flaws in Netgear Business Switches Expose Organizations to Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.