Three serious vulnerabilities have been found in Netgear smart switches, the managed devices that segment an organization’s network and control which parts of it can reach each other. Netgear moved quickly to address the issue and on Friday released fixed firmware for every affected model.
Netgear is a renowned computer networking company offering storage, security, and networking solutions to organizations.
Exploited successfully, the flaws let an attacker take control of the affected switch.
The flaws were found and reported to Netgear by Google security engineer Gynvael Coldwind. The affected models, with the firmware version that fixes each, are:
- GC108P (fixed in firmware version 1.0.8.2)
- GS108Tv3 (fixed in firmware version 7.0.7.2)
- GC108PP (fixed in firmware version 1.0.8.2)
- GS110TPP (fixed in firmware version 7.0.7.2)
- GS110TUP (fixed in firmware version 1.0.5.3)
- GS110TPv3 (fixed in firmware version 7.0.7.2)
- GS308T (fixed in firmware version 1.0.3.2)
- GS310TP (fixed in firmware version 1.0.3.2)
- GS710TUP (fixed in firmware version 1.0.5.3)
- GS716TPP (fixed in firmware version 1.0.4.2)
- GS716TP (fixed in firmware version 1.0.4.2)
- GS724TPP (fixed in firmware version 2.0.6.3)
- GS724TPv2 (fixed in firmware version 2.0.6.3)
- GS728TPv2 (fixed in firmware version 6.0.8.2)
- GS728TPPv2 (fixed in firmware version 6.0.8.2)
- GS752TPP (fixed in firmware version 6.0.8.2)
- GS750E (fixed in firmware version 1.0.1.10)
- GS752TPv2 (fixed in firmware version 6.0.8.2)
- MS510TXUP (fixed in firmware version 1.0.4.2)
- MS510TXM (fixed in firmware version 1.0.4.2)
Two of the vulnerabilities are authentication flaws: one is an authentication bypass, the other allows authentication hijacking. The bypass is the more dangerous of the two, because it lets an attacker change the device’s admin password, lock out the legitimate owner and take full control of the switch.
The three vulnerabilities have been dubbed Demon’s Cries (the authentication bypass, CVSS score: 9.8), Draconian Fear (the authentication hijacking, CVSS score: 7.8) and Seventh Inferno (CVSS score: TBD; its details have not yet been published).
“A funny bug related to authorization spawns from the fact that the password is obfuscated by being XORed with ‘NtgrSmartSwitchRock’,” Coldwind wrote, describing the password handling behind Demon’s Cries. “However, due to the fact that in the handler of TLV type 10 an strlen() is called on the still obfuscated password, it makes it impossible to authenticate correctly with a password that happens to have the same character as the phrase above at a given position.”
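The mechanism Coldwind describes is easy to see once written out: XOR is applied byte by byte, so wherever a password byte equals the key byte at the same position the result is 0x00, and a strlen() on that buffer stops there. The following C program is an added illustration, not the switch firmware or anything from Coldwind’s write-up. Only the XOR key is taken from the quote; the handler shapes (check_buggy, check_fixed), the 64-byte limit, the helper names and the sample passwords are all constructed for the example. It pairs the length-by-strlen() handler with one that honours the TLV’s own length field, so the same password is rejected by the first and accepted by the second.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Obfuscation key quoted in Coldwind's write-up. */
static const char XOR_KEY[] = "NtgrSmartSwitchRock";
#define MAX_PW 64   /* assumed maximum password length, not from the advisory */

/* Client side: XOR each password byte with the repeating key.
 * The output is raw bytes and may legitimately contain 0x00. */
static void xor_with_key(const unsigned char *in, size_t len, unsigned char *out)
{
    size_t klen = strlen(XOR_KEY);
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ (unsigned char)XOR_KEY[i % klen];
}

/* Index of the first password byte equal to the key byte at the same
 * position (the byte that XORs to 0x00), or -1 if there is none. */
int first_key_collision(const char *pw)
{
    size_t klen = strlen(XOR_KEY);
    for (size_t i = 0; pw[i] != '\0'; i++)
        if (pw[i] == XOR_KEY[i % klen])
            return (int)i;
    return -1;
}

/* Modelled buggy handler: measures the still-obfuscated TLV value with
 * strlen(), so the first 0x00 produced by the XOR truncates it. */
static bool check_buggy(const unsigned char *obf, size_t tlv_len, const char *stored)
{
    char buf[MAX_PW + 1] = {0};
    unsigned char plain[MAX_PW + 1] = {0};
    if (tlv_len > MAX_PW)
        return false;
    memcpy(buf, obf, tlv_len);
    size_t used = strlen(buf);                 /* BUG: ignores tlv_len */
    xor_with_key((const unsigned char *)buf, used, plain);
    return strcmp((const char *)plain, stored) == 0;
}

/* Modelled fixed handler: honours the TLV length field and never treats
 * binary data as a C string. */
static bool check_fixed(const unsigned char *obf, size_t tlv_len, const char *stored)
{
    unsigned char plain[MAX_PW];
    if (tlv_len > MAX_PW || tlv_len != strlen(stored))
        return false;
    xor_with_key(obf, tlv_len, plain);
    return memcmp(plain, stored, tlv_len) == 0;
}

/* End to end: the client obfuscates `submitted`, the server compares it
 * against `stored` using either the buggy or the fixed handler. */
bool simulate_login(const char *submitted, const char *stored, bool fixed)
{
    unsigned char obf[MAX_PW];
    size_t len = strlen(submitted);
    if (len > MAX_PW)
        return false;
    xor_with_key((const unsigned char *)submitted, len, obf);
    return fixed ? check_fixed(obf, len, stored) : check_buggy(obf, len, stored);
}

int main(void)
{
    /* Constructed sample passwords. "Nothing" starts with 'N', as the key does. */
    const char *pws[] = { "hunter22", "Nothing" };
    for (size_t i = 0; i < 2; i++)
        printf("%-10s collision at %2d  buggy=%s  fixed=%s\n", pws[i],
               first_key_collision(pws[i]),
               simulate_login(pws[i], pws[i], false) ? "ok" : "REJECTED",
               simulate_login(pws[i], pws[i], true) ? "ok" : "REJECTED");
    return 0;
}
```

Running it shows "hunter22" accepted by both handlers, while "Nothing" is rejected by the buggy one even though it is the correct password: its first byte XORs to 0x00, strlen() reports a zero-length value, and the deobfuscated empty string never matches. The fixed handler compares exactly tlv_len bytes and is indifferent to embedded zeros.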
Draconian Fear is harder to exploit: the attacker must share the administrator’s IP address (for example, sit behind the same NAT) or be able to spoof it, because the web user interface ties a session to nothing more than the client IP address and User-Agent header. An attacker who meets that condition can repeatedly request the session information and has a good chance of receiving it before the administrator’s browser does.
Given the severity of these vulnerabilities, organizations using affected Netgear switches are advised to upgrade to the fixed firmware versions listed above as soon as possible.