Netgear Vulnerabilities Lead to Credentials Leak, Privilege Escalation

Vulnerabilities in Netgear network management system allow attackers to retrieve cleartext passwords and escalate privileges.

Vulnerabilities in Netgear’s NMS300 ProSAFE network management system allow attackers to retrieve cleartext credentials and escalate privileges, cybersecurity firm Flashpoint reports.

The tool provides users with a web-based interface for network device management. It uses TCP port 8080 for communication and supports administrator accounts and lower-privileged operator and observer account roles.

A user with an observer account can only view and monitor network functions, but the issues that Flashpoint identified in the product allow an attacker to gain administrative access to devices, starting from this low-privileged role.

Netgear NMS300, Flashpoint explains, allows administrators to manage user accounts from a ‘User management’ tab, where an observer account can only view information about other users, such as username, account type, contact details, and more.

What Flashpoint discovered was that, when the ‘User management’ tab is accessed, the system sends two requests, one to initiate the page and another to retrieve user information to populate the page.

The first identified vulnerability stems from that second request: it triggers an SQL query in the background to fetch the user records, and the response contains every user account stored in the database.

“The problem is that as everything stored in the database table is returned, this includes the cleartext passwords for every single account. While this information is not displayed on the page to the user, it can be obtained by simply viewing the JSON data in the HTTP response,” Flashpoint explains.

By exploiting this vulnerability, an attacker with access to a low-privileged account can retrieve the credentials for administrator accounts and then log into the web-based management interface using those credentials, which would provide them with access to all managed devices.

The second issue, the cybersecurity firm explains, exists because, when a user with an observer account accesses the ‘User management’ tab, the system performs insufficient checks to determine the permissions that user has.

Because these checks “do not restrict the individual HTTP requests sent to the system”, an attacker can bypass restrictions by sending crafted requests to change the password of an administrator account and then log in to the system using the modified credentials, gaining administrative access.
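As an added illustration, not Flashpoint's findings or Netgear's code, the two bug classes above in miniature: a handler that serialises whole database rows (so the password column rides along in the JSON body) beside one that projects only displayed fields, and a password-change handler that trusts the page's role restrictions versus one that authorises every request server-side. The table, roles and values are constructed sample data; password hashing at rest is omitted to keep the example short.

```python
import json
import sqlite3

SENSITIVE_KEYS = {"password", "passwd", "secret"}


def build_db():
    """Constructed in-memory user table (sample data, not the NMS300 schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, role TEXT, password TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        ("admin", "administrator", "adm-secret", "admin@example.test"),
        ("viewer", "observer", "obs-secret", "viewer@example.test"),
    ])
    return db


def list_users_vulnerable(db):
    """Issue 1 pattern: SELECT * serialised verbatim, so the JSON body carries
    the password column even though the page never renders it."""
    cur = db.execute("SELECT * FROM users")
    cols = [c[0] for c in cur.description]
    return json.dumps([dict(zip(cols, row)) for row in cur.fetchall()])


def list_users_hardened(db):
    """Fix: project only the columns the page displays; secrets never leave the DB."""
    cols = ("username", "role", "email")
    cur = db.execute("SELECT username, role, email FROM users")
    return json.dumps([dict(zip(cols, row)) for row in cur.fetchall()])


def response_leaks_secrets(body):
    """Review check: does any object in a JSON array response expose a secret key?"""
    return any(k.lower() in SENSITIVE_KEYS for obj in json.loads(body) for k in obj)


def change_password_vulnerable(db, session_role, target, new_pw):
    """Issue 2 pattern: the UI hides the control from observers, but the handler
    never consults session_role, so a directly sent request succeeds."""
    db.execute("UPDATE users SET password = ? WHERE username = ?", (new_pw, target))
    return 200


def change_password_hardened(db, session_role, session_user, target, new_pw):
    """Fix: authorise each request from the server-side session, not the page."""
    if session_role != "administrator" and session_user != target:
        return 403
    db.execute("UPDATE users SET password = ? WHERE username = ?", (new_pw, target))
    return 200


def current_password(db, username):
    """Test helper: read a stored password back (sample data only)."""
    return db.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()[0]
```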

Additionally, Flashpoint says, the Netgear ProSAFE network management system uses multiple third-party components that contain known vulnerabilities, including older versions of MySQL Server, Apache Log4J, and Apache Tomcat.

Flashpoint says it contacted Netgear’s support team to request a direct contact for reporting the identified vulnerabilities, but the vendor failed to provide one, instead directing the researchers to toll-free numbers for the business support team.

“The vendor failed to provide a viable security contact, which prevented coordination of the vulnerability report. We are currently not aware of a fix. […] Customers should consider not using this product in production environments or alternatively restrict any untrusted access to systems running the product,” Flashpoint says.

SecurityWeek has emailed Netgear for an official statement and will update this article as soon as a reply arrives.

Related: Netgear Neutralizes Pwn2Own Exploits With Last-Minute Nighthawk Router Patches

Related: Game Acceleration Module Vulnerability Exposes Netgear Routers to Attacks

Related: Multiple Vulnerabilities Impact Netgear Nighthawk R6700 Routers

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.