Security researchers have identified multiple vulnerabilities in ProSAFE Plus JGS516PE and GS116Ev2 business switches from Netgear, the most severe of which could allow a remote, unauthenticated attacker to execute arbitrary code.
A total of 15 vulnerabilities affecting Netgear switches that use the ProSAFE Plus configuration utility were found to expose users to various risks, according to researchers with IT security firm NCC Group.
The most important of these bugs is CVE-2020-26919, an unauthenticated remote code execution flaw rated critical severity (CVSS score of 9.8).
Affecting firmware versions prior to 220.127.116.11, the bug is related to the internal management web application not implementing the correct access controls, which could allow attackers to bypass authentication and run code with the privileges of the administrator.
“Due to the ability of execute system commands through the ‘debug’ web sections, a successful exploitation of this vulnerability can lead to remote code execution on the affected device,” NCC Group notes.
The researchers also discovered that the Netgear Switch Discovery Protocol (NSDP), a network protocol functioning as a discovery method that also allows for switch management, fails to properly handle authentication packages, thus leading to authentication bypasses (CVE-2020-35231, CVSS score of 8.8).
An attacker able to exploit this vulnerability “could execute any management actions in the device, including wiping the configuration by executing a factory restoration,” the researchers say.
NCC Group says that Netgear has informed them that the NSDP has reached end of life (EOL) and that none of the issues identified in it will be addressed. Users are advised to disable the remote management feature.
“Netgear reported that most of the vulnerabilities affecting the NSDP protocol were known due to end-of-life years ago and it is still enabled for legacy reasons, for customers who preferred to use Prosafe Plus. Furthermore, we were informed that, due to hardware limitations, it is not possible to implement many of the standard encryption protocols, such as those needed to implement HTTPS,” NCC Group notes.
The researchers also found issues with the firmware update mechanism on the vulnerable switches. One of them, CVE-2020-35220 (CVSS score of 8.3), could allow attackers to upload custom firmware files without administrative rights.
The second issue (CVE-2020-35232, CVSS score of 8.1) resides in the improper implementation of internal checks, which could allow attackers to craft firmware files that could “overwrite the entire memory with custom code.”
Other high-severity vulnerabilities in Netgear’s switches could lead to denial of service (CVE-2020-35224, CVSS score 8.1), or could allow an attacker to generate valid passwords (CVE-2020-35221, CVSS score 7.5) or perform requests using a single authenticated packet (CVE-2020-35229, CVSS score 7.5).
Another vulnerability in the NSDP protocol, the researchers discovered, could be abused to retrieve the DHCP status without authentication, thus allowing remote users to configure the service, likely leading to denial of service (CVE-2020-35226, CVSS score 7.1).
The security researchers also identified a series of medium-severity flaws, such as unauthenticated access to switch configuration parameters (CVE-2020-35222), TFTP unexpected behavior (CVE-2020-35233), integer overflow instances (CVE-2020-35230), write command buffer overflows (CVE-2020-35225), and ineffective cross-site request forgery protections (CVE-2020-35223).
In December 2020, Netgear released firmware version 18.104.22.168, which includes patches for CVE-2020-35220, CVE-2020-35232, CVE-2020-35233, and other issues. The remaining issues won’t receive patches, the researchers say.