Details on 2 of the 3 Vulnerabilities Released
Gynvael Coldwind, a security researcher on Google’s security team, has identified three critical vulnerabilities affecting several Netgear smart switch products that, if exploited, give the attacker complete control over the compromised device. Netgear has issued a security advisory confirming that it has issued patches for 20 Netgear products affected by these vulnerabilities.
I’ve published the reports for 2 of 3 recently patched NETGEAR vulnerabilities: https://t.co/RW8ufNBP2I https://t.co/fXNUVuldh7
1st is just an auth bypass, but the 2nd – while not that risky – is pretty fun (in a facepalm kind of way).
3rd will be published on Sept 13th.
— Gynvael Coldwind (@gynvael) September 6, 2021
The CVEs for these vulnerabilities have not yet been assigned, but Coldwind calls the three vulnerabilities Demon’s Cries (CVSS score: 9.8), Draconian Fear (CVSS score: 7.8), and the yet-to-be-published Seventh Inferno. Details of the Seventh Inferno vulnerability will be published on or after Sept. 13, Coldwind says.
Understanding the Vulnerabilities
Demon’s Cries is an authentication bypass vulnerability that can only be exploited when the targeted Netgear switch’s Smart Control Center is enabled. “Thankfully this feature is not enabled by default,” says Coldwind.
Netgear’s advisory describes this as a high-severity vulnerability with a CVSS score of 8.8, but Coldwind rates it as 9.8.
The reason for the difference is that Netgear set the Attack Vector to Adjacent when calculating the criticality of the flaw. Netgear says that since the attack cannot be conducted from the internet or from outside of the LAN to which the device is connected, the Attack Vector will remain Adjacent.
But Coldwind argues that, although this is technically correct, “The attacker can only exploit the vulnerability from inside a corporate network,” which effectively means a “network should be used,” so the vector should be rated “Network.”
The second vulnerability, which the researcher calls Draconian Fear, is an authentication hijacking vulnerability. To hijack a session, an attacker must share the administrator’s local IP address, Coldwind says.
The other way to exploit this vulnerability is by spoofing that IP address through various other low-level techniques, Coldwind writes. “An attacker on the same IP as the administrator can just flood the get.cgi [handler that accepts the client IP, http or https schema, and user agent type, and opens the status file to check the status] with requests and snatch the session information as soon as it appears.”
He further explains that the interval between two get.cgi requests from the browser – 1 second – is enough time for an attacker to send multiple requests, which increases the probability of snatching the session information before the administrator’s browser gets it.
In the tests that Coldwind conducted, he successfully executed this method and obtained the session information 9 out of 10 times.
Following is a list of all Netgear products that are affected and the corresponding firmware versions in which they have been fixed:
- GC108P – Fixed in firmware version 126.96.36.199;
- GC108PP – Fixed in firmware version 188.8.131.52;
- GS108Tv3 – Fixed in firmware version 184.108.40.206;
- GS110TPP – Fixed in firmware version 220.127.116.11;
- GS110TPv3 – Fixed in firmware version 18.104.22.168;
- GS110TUP – Fixed in firmware version 22.214.171.124;
- GS308T – Fixed in firmware version 126.96.36.199;
- GS310TP – Fixed in firmware version 188.8.131.52;
- GS710TUP – Fixed in firmware version 184.108.40.206;
- GS716TP – Fixed in firmware version 220.127.116.11;
- GS716TPP – Fixed in firmware version 18.104.22.168;
- GS724TPP – Fixed in firmware version 22.214.171.124;
- GS724TPv2 – Fixed in firmware version 126.96.36.199;
- GS728TPPv2 – Fixed in firmware version 188.8.131.52;
- GS728TPv2 – Fixed in firmware version 184.108.40.206;
- GS750E – Fixed in firmware version 220.127.116.11;
- GS752TPP – Fixed in firmware version 18.104.22.168;
- GS752TPv2 – Fixed in firmware version 22.214.171.124;
- MS510TXM – Fixed in firmware version 126.96.36.199;
- MS510TXUP – Fixed in firmware version 188.8.131.52.
Netgear recommends that its customers download the updates from the Netgear Support Center, where all recommended measures and steps are described. “The multiple vulnerabilities remain if you do not complete all recommended steps. Netgear is not responsible for any consequences that could have been avoided by following the recommendations,” the company warns.