Breach Notification , Endpoint Security , Governance & Risk Management

Netgear Fixes Critical Flaws Affecting Smart Switches

Details on 2 of the 3 Vulnerabilities Released
Netgear Fixes Critical Flaws Affecting Smart Switches

Gynvael Coldwind, a security researcher on Google’s security team, has identified three critical vulnerabilities affecting several Netgear smart switch products that, if exploited, give the attacker complete control over the compromised device. Netgear has issued a security advisory confirming that it has issued patches for 20 Netgear products affected by these vulnerabilities.

See Also: Rapid Digitization and Risk: A Roundtable Preview

The CVEs for these vulnerabilities have not yet been assigned, but Coldwin calls the three vulnerabilities Demon’s Cries (CVSS score: 9.8), Draconian Fear (CVSS score: 7.8), and the yet to be published Seventh Inferno. Details of the Seventh Inferno vulnerability will be published on or after Sept. 13, Coldwin says.

Understanding the Vulnerabilities

Demon’s Cries is an authentication bypass vulnerability that can only be exploited when the targeted Netgear switch’s Smart Control Center is enabled. “Thankfully this feature is not enabled by default,” says Coldwin.

Netgear’s advisory describes this as a high-severity vulnerability with a CVSS score of 8.8, but Coldwin rates it as 9.8.

The reason for the differences is that Netgear set the Attack Vector to Adjacent while calculating the criticality of the flaw. Netgear says that since the attack cannot be conducted from the internet or from outside of the LAN to which the device is connected, the Attack Vector will remain Adjacent.

But Coldwin argues that although this is technically correct, “The attacker can only exploit the vulnerability from inside a corporate network,” which eventually means “network should be used” and so the vector should be assigned as “Network.”

The second vulnerability, which the researcher calls Draconian Fear, is an authentication hijacking vulnerability. This vulnerability requires an attacker to be on the same IP address as the administrator’s local IP address to hijack it, Coldwin says.

The other way to exploit this vulnerability is by spoofing the IP address through various other low-level techniques, Coldwin writes. “An attacker on the same IP as the administrator can just flood the get.cgi [handler that accepts the client IP, http or https schema, and user agent type, and opens the status file to check the status] with requests and snatch the session information as soon as it appears.”

He further explains that the interval between two get.cgi requests on the browser - 1 second - is enough time an attacker to send multiple requests, which increases the probability of snatching the session information before the administrator’s browser gets it.

In the tests that Coldwin conducted, he successfully executed this method and got the session information 9 out of 10 times.

Affected Products

Following is a list of all Netgear products that are affected and the corresponding firmware versions in which they have been fixed:

  • GC108P - Fixed in firmware version 1.0.8.2;
  • GC108PP - Fixed in firmware version 1.0.8.2;
  • GS108Tv3 - Fixed in firmware version 7.0.7.2;
  • GS110TPP - Fixed in firmware version 7.0.7.2;
  • GS110TPv3 - Fixed in firmware version 7.0.7.2;
  • GS110TUP - Fixed in firmware version 1.0.5.3;
  • GS308T - Fixed in firmware version 1.0.3.2;
  • GS310TP - Fixed in firmware version 1.0.3.2;
  • GS710TUP - Fixed in firmware version 1.0.5.3;
  • GS716TP - Fixed in firmware version 1.0.4.2;
  • GS716TPP - Fixed in firmware version 1.0.4.2;
  • GS724TPP - Fixed in firmware version 2.0.6.3;
  • GS724TPv2 - Fixed in firmware version 2.0.6.3;
  • GS728TPPv2 - Fixed in firmware version 6.0.8.2;
  • GS728TPv2 - Fixed in firmware version 6.0.8.2;
  • GS750E - Fixed in firmware version 1.0.1.10;
  • GS752TPP- Fixed in firmware version 6.0.8.2;
  • GS752TPv2 - Fixed in firmware version 6.0.8.2;
  • MS510TXM - Fixed in firmware version 1.0.4.2;
  • MS510TXUP - Fixed in firmware version 1.0.4.2.

Netgear recommends its customers download the update from its Netgear Support Center, where all recommended measures and steps are described. “The multiple vulnerabilities remain if you do not complete all recommended steps. Netgear is not responsible for any consequences that could have been avoided by following the recommendations,” the company warns.


About the Author

Mihir Bagwe

Mihir Bagwe

Senior Correspondent, Global News Desk

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing devicesecurity.io, you agree to our use of cookies.