Patch now! Netgear fixes serious smart switch vulnerabilities

NetGear has published a security advisory announcing firmware updates that fix three vulnerabilities in several of its network devices. Most of the affected products are smart switches, some of them with cloud management capabilities that allow them to be configured and monitored over the web.

One of the vulnerabilities, dubbed Demon's Cries, is rated critical by the researcher who reported it: he gave it a CVSS score of 9.8 out of 10, while NetGear scored it at 8.8. NetGear's argument is that it does not deserve the higher rating because the attack cannot be carried out from the Internet, only from inside the LAN the device is attached to.

The CVSS standard is used by security researchers, software users and vendors, and vulnerability-tracking organizations to measure and report the severity of vulnerabilities, and it helps security teams and developers prioritize threats and allocate resources. Arguing over a tenth of a point is rarely productive, but it helps to know where this particular gap comes from: the two sides disagree on a single base metric, Attack Vector. Changing it from Network (reachable from anywhere) to Adjacent (reachable only from the same network segment) on an otherwise identical vector is exactly what turns a 9.8 into an 8.8. If you would like to know more about how this scoring works, I can recommend reading How CVSS works: characterizing and scoring vulnerabilities.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database, whose goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Each of these three vulnerabilities has been given a name, but none had been assigned a CVE at the time of writing.

Demon’s Cries

This one is called critical for a reason, especially once an attacker already has a foothold on the victim's intranet. The vulnerability is an authentication bypass that lets the attacker change the admin password (among other things), which amounts to a full compromise of the device.

The Netgear Switch Discovery Protocol (NSDP) is implemented by the /sqfs/bin/sccd daemon. When the daemon is enabled it accepts configuration changes, and those "set" commands are supposed to carry a type 10 (password) authentication record. The daemon only verifies the password when that record is present, however: a "set" command whose chain simply omits the authentication record is processed anyway, and the password verification never takes place.
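The flaw is a common anti-pattern: authentication is enforced by the code path that handles the credential, so omitting the credential skips the enforcement. The following is an added illustration written for this article, not sccd code and not the real NSDP packet format. It models a "set" request as a flat chain of TLV records with 16-bit type and length fields, uses type 10 as the password record the page refers to, and places the flawed handler next to a hardened one. The other TLV type number and the device password are made up for the demo.

```python
import hmac
import struct

TLV_PASSWORD = 10                  # the "type 10" password record from the article
TLV_SET_SYSTEM_NAME = 3            # hypothetical "set system name" record, for illustration
ADMIN_PASSWORD = b"correct-horse"  # constructed device secret for the demo


def build_tlvs(tlvs):
    """Serialise [(type, value), ...] into the wire form used by this model."""
    return b"".join(struct.pack(">HH", t, len(v)) + v for t, v in tlvs)


def parse_tlvs(payload: bytes):
    """Parse the TLV chain, rejecting a record that runs past the end of the packet."""
    tlvs, off = [], 0
    while off + 4 <= len(payload):
        t, length = struct.unpack_from(">HH", payload, off)
        off += 4
        if off + length > len(payload):
            raise ValueError("truncated TLV")
        tlvs.append((t, payload[off:off + length]))
        off += length
    return tlvs


def handle_set_vulnerable(payload: bytes, config: dict) -> str:
    """Flawed pattern: the password is checked only when a password record is present.
    A chain that leaves out type 10 never reaches the check and is applied anyway."""
    for t, value in parse_tlvs(payload):
        if t == TLV_PASSWORD:
            if not hmac.compare_digest(value, ADMIN_PASSWORD):
                return "rejected: bad password"
        elif t == TLV_SET_SYSTEM_NAME:
            config["system_name"] = value.decode("ascii", "replace")
    return "ok"


def handle_set_fixed(payload: bytes, config: dict) -> str:
    """Hardened: authenticate the whole request before applying anything, and treat a
    missing password record as a failed authentication, not as 'nothing to check'."""
    tlvs = parse_tlvs(payload)
    passwords = [value for t, value in tlvs if t == TLV_PASSWORD]
    if len(passwords) != 1 or not hmac.compare_digest(passwords[0], ADMIN_PASSWORD):
        return "rejected: authentication required"
    for t, value in tlvs:
        if t == TLV_SET_SYSTEM_NAME:
            config["system_name"] = value.decode("ascii", "replace")
    return "ok"


if __name__ == "__main__":
    # Constructed attacker packet: a 'set' with no password record at all.
    unauthenticated_set = build_tlvs([(TLV_SET_SYSTEM_NAME, b"owned-by-attacker")])
    for handler in (handle_set_vulnerable, handle_set_fixed):
        cfg = {"system_name": "switch01"}
        print(f"{handler.__name__}: {handler(unauthenticated_set, cfg)} -> {cfg}")
```

The fixed handler makes two changes that matter: the decision "is this request authenticated?" is made once, up front, from the whole request, and the absence of a credential is an explicit failure rather than a path the check never sees. The two-pass structure also means a correct password placed after a set record cannot be out-ordered into applying the change first.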

Draconian Fear

The researcher gave this vulnerability a CVSS score of 7.8 and NetGear 7.4; both fall in the "high" band. The affected smart switches are vulnerable to authentication hijacking: an attacker who shares an IP address with an admin who is in the process of logging in can hijack the session bootstrapping information, gaining full admin access to the device's web UI and, with it, full control of the device.

During the login process a session file is created that, among other things, contains the username, the password, and the name of the result file, /tmp/sess/guiAuth_{http}_{clientIP}_{userAgent}. All an attacker needs is to come from the same IP address as the admin, guess a number in the range 1-5, and get the timing right. Sharing an IP with the admin is not exotic: any host behind the same NAT, proxy or VPN gateway qualifies. From there the attacker can flood get.cgi with requests and grab the session information as soon as it appears. The admin's browser only polls get.cgi once per second, so an automated attack that polls far faster has a high success rate.
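The underlying weakness is that the bootstrap record lives under a name built entirely from values the attacker can match or enumerate. The model below is an added illustration for this article, not the switch's get.cgi or session code: it keeps pending login records in a dictionary keyed the way the page describes, with a small cycling slot number standing in for the "number in the range 1-5", and shows the same hijack loop failing once the key carries 128 bits of randomness that only the legitimate browser receives. The User-Agent is included in the key on purpose, to show that it adds no protection: it is a header the client chooses.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class LoginBootstrap:
    """Model of the login handshake: the server stashes bootstrap data under a key and
    the browser polls for it. The two modes differ only in how the key is chosen."""
    unguessable: bool
    counter: int = 0
    pending: dict = field(default_factory=dict)

    def begin_login(self, client_ip: str, user_agent: str, username: str) -> str:
        if self.unguessable:
            # Hardened: 128 random bits, handed only to the browser that logged in.
            slot = secrets.token_hex(16)
        else:
            # Constructed stand-in for the article's "number in the range 1-5".
            self.counter = self.counter % 5 + 1
            slot = str(self.counter)
        key = f"guiAuth_http_{client_ip}_{user_agent}_{slot}"
        # Only a reference to the authenticated session is stored, never the password.
        self.pending[key] = {"user": username, "session": secrets.token_hex(8)}
        return key

    def poll(self, key: str):
        """What get.cgi-style polling returns: the bootstrap data, or None if not ready."""
        return self.pending.get(key)


def hijack(store: LoginBootstrap, client_ip: str, user_agent: str, guesses: int = 5):
    """Attacker behind the same IP, presenting the same User-Agent, tries every slot.
    In a live attack this loop runs continuously, racing the browser's 1-second poll."""
    for n in range(1, guesses + 1):
        record = store.poll(f"guiAuth_http_{client_ip}_{user_agent}_{n}")
        if record is not None:
            return record
    return None


if __name__ == "__main__":
    # Constructed scenario: admin and attacker share 192.0.2.10 behind one NAT.
    for mode in (False, True):
        store = LoginBootstrap(unguessable=mode)
        store.begin_login("192.0.2.10", "Mozilla/5.0", "admin")
        print("unguessable" if mode else "guessable  ",
              "->", hijack(store, "192.0.2.10", "Mozilla/5.0"))
```

Randomising the key is the minimum; a real fix would also bind the bootstrap record to something the attacker's request cannot present (a cookie set on the admin's TLS connection), and, as the page notes the session file holds the password itself, stop writing the credential into the record at all.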

Seventh Inferno

Details on Seventh Inferno will be published on or after 13 September. Security researcher Gynvael Coldwind, who found and reported the vulnerabilities, has so far explained two of the issues and provided demo exploit code for them.

Mitigation

The NetGear security advisory contains the full list of affected smart switches. NetGear has published fixed firmware, and the two vulnerabilities discussed so far are relatively easy to exploit, so owners of these devices are advised to download and apply the latest firmware as soon as possible. Until a switch is updated, keep in mind that NetGear's own lower score rests on the attack requiring access to the switch's LAN: management traffic to these devices should only be reachable from network segments you trust.