Last week, multinational computer networking company Netgear released security patches to tackle three high-severity flaws impacting over 20 of its products, mostly smart switches.
The flaws were found and reported to the company by security engineer Gynvael Coldwind and are tracked by the vendor as PSV-2021-0140, PSV-2021-0144, PSV-2021-0145.
The three vulnerabilities received CVSS scores between 7.4 and 8.8 from the vendor and, when exploited, could give an attacker full control of a vulnerable device.
Technical details and proof-of-concept (PoC) exploit code for two of the bugs are publicly available.
I’ve published the reports for 2 of 3 recently patched NETGEAR vulnerabilities: https://t.co/RW8ufNBP2I https://t.co/fXNUVuldh7
1st is just an auth bypass, but the 2nd – while not that risky – is pretty fun (in a facepalm kind of way).
3rd will be published on Sept 13th.
— Gynvael Coldwind (@gynvael) September 6, 2021
What Netgear Products Were Impacted?
Netgear's advisory states that new firmware is available for the affected switches and urges users to install it as soon as possible. Some of the affected smart switches have cloud management features that allow them to be configured and monitored over the internet, which widens the set of places from which a vulnerable management interface may be reachable.
Firmware fixes are currently available for all affected products:
- GC108P (fixed in firmware version 1.0.8.2)
- GC108PP (fixed in firmware version 1.0.8.2)
- GS108Tv3 (fixed in firmware version 7.0.7.2)
- GS110TPP (fixed in firmware version 7.0.7.2)
- GS110TPv3 (fixed in firmware version 7.0.7.2)
- GS110TUP (fixed in firmware version 1.0.5.3)
- GS308T (fixed in firmware version 1.0.3.2)
- GS310TP (fixed in firmware version 1.0.3.2)
- GS710TUP (fixed in firmware version 1.0.5.3)
- GS716TP (fixed in firmware version 1.0.4.2)
- GS716TPP (fixed in firmware version 1.0.4.2)
- GS724TPP (fixed in firmware version 2.0.6.3)
- GS724TPv2 (fixed in firmware version 2.0.6.3)
- GS728TPPv2 (fixed in firmware version 6.0.8.2)
- GS728TPv2 (fixed in firmware version 6.0.8.2)
- GS750E (fixed in firmware version 1.0.1.10)
- GS752TPP (fixed in firmware version 6.0.8.2)
- GS752TPv2 (fixed in firmware version 6.0.8.2)
- MS510TXM (fixed in firmware version 1.0.4.2)
- MS510TXUP (fixed in firmware version 1.0.4.2)
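The list above is only useful if it is compared correctly against what devices actually report. The following is an added example (not Netgear's tooling and not from the researcher's reports) that encodes the advisory's model-to-fixed-version table and checks a constructed inventory export against it. The point it demonstrates is a common mistake in this kind of check: firmware versions must be compared component by component as integers, because as strings "1.0.1.9" sorts after "1.0.1.10" and a GS750E on 1.0.1.9 would wrongly be reported as patched. The inventory lines and the `model,version` format are assumptions made for the example.

```python
"""Check Netgear switch firmware against the fixed versions for PSV-2021-0140/0144/0145.

Added example, not Netgear's tooling. The FIXED_FIRMWARE table is taken from the
advisory list on this page; the inventory lines below are constructed sample data.
"""
import re

# Model -> first firmware version containing the fix (from the advisory).
FIXED_FIRMWARE = {
    "GC108P": "1.0.8.2", "GC108PP": "1.0.8.2",
    "GS108Tv3": "7.0.7.2", "GS110TPP": "7.0.7.2", "GS110TPv3": "7.0.7.2",
    "GS110TUP": "1.0.5.3", "GS308T": "1.0.3.2", "GS310TP": "1.0.3.2",
    "GS710TUP": "1.0.5.3", "GS716TP": "1.0.4.2", "GS716TPP": "1.0.4.2",
    "GS724TPP": "2.0.6.3", "GS724TPv2": "2.0.6.3",
    "GS728TPPv2": "6.0.8.2", "GS728TPv2": "6.0.8.2", "GS750E": "1.0.1.10",
    "GS752TPP": "6.0.8.2", "GS752TPv2": "6.0.8.2",
    "MS510TXM": "1.0.4.2", "MS510TXUP": "1.0.4.2",
}


def version_key(version: str) -> tuple:
    """Turn '1.0.1.10' (or 'V1.0.1.10') into (1, 0, 1, 10) so that comparison is
    numeric per component. A plain string comparison would rank 1.0.1.9 above
    1.0.1.10 because '9' > '1'."""
    digits = re.findall(r"\d+", version)
    if not digits:
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(d) for d in digits)


def assess(model: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unlisted'.

    'unlisted' means the exact model (including hardware revision such as v2/v3)
    is not in the advisory table; it does not mean the device is safe."""
    fixed = FIXED_FIRMWARE.get(model)
    if fixed is None:
        return "unlisted"
    return "patched" if version_key(version) >= version_key(fixed) else "vulnerable"


def assess_inventory(lines):
    """Parse 'model,version' lines (assumed export format) into
    (model, version, status) tuples, skipping blanks and '#' comments."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        model, version = (field.strip() for field in line.split(",", 1))
        results.append((model, version, assess(model, version)))
    return results


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = """
# model,firmware
GS750E,1.0.1.9
GS750E,1.0.1.10
GS108Tv3,7.0.7.2
GS724TPv2,2.0.5.8
GS105E,1.0.0.1
""".splitlines()

if __name__ == "__main__":
    for model, version, status in assess_inventory(SAMPLE_INVENTORY):
        print(f"{model:12} {version:10} {status}")
```

Treat "unlisted" as "needs a separate check" rather than "fine": the advisory covers specific hardware revisions (GS108Tv3 but not an older GS108T revision), so a model string that does not match exactly is outside what this table can decide.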
Two of the Vulnerabilities Explained
The three bugs have been dubbed Demon’s Cries (CVSS score: 9.8 in the researcher's assessment; Netgear rates it 8.8), Draconian Fear (CVSS score: 7.8), and Seventh Inferno (score not yet published).
According to Coldwind’s report, Demon’s Cries is an authentication bypass that lets an attacker change the admin password, resulting in a complete compromise of the device.
The report notes that SCC Control (NETGEAR Smart Control Center) is disabled by default and must be enabled manually in the web UI (Security > Management Security > SCC Control), which limits the number of devices exposed to this path.
The researcher also published PoC code that changes the admin password to “AlaMaKota1234.”
Netgear rated the vulnerability CVSS 8.8 (High), while Coldwind assigned it 9.8 (Critical). The disagreement concerns the Attack Vector metric: the CVSS v3.1 specification says that the Network value "should be used even if the attacker is required to be on the same intranet to exploit the vulnerable system (e.g., the attacker can only exploit the vulnerability from inside a corporate network)", so a flaw that is reachable only from the local network is still scored as Network rather than Adjacent.
According to the advisory, the second vulnerability reported by the researcher, dubbed Draconian Fear, is an authentication hijacking issue. An attacker whose requests arrive from the same IP address as an administrator who is logging in can hijack the session bootstrapping information, obtaining full admin access to the device's web UI and thereby complete control of the device.
Details of the third vulnerability, dubbed Seventh Inferno, are due to be published on September 13th.