Critical Auth Bypass Bug Affects NETGEAR Smart Switches — Patch and PoC Released

Networking, storage and security solutions provider Netgear on
Friday issued patches[1]
to address three security vulnerabilities affecting its smart
switches that could be abused by an adversary to gain full control
of a vulnerable device.

The flaws, which were discovered and reported to Netgear by
Google security engineer Gynvael Coldwind, impact the following
models –

  • GC108P (fixed in firmware version 1.0.8.2)
  • GC108PP (fixed in firmware version 1.0.8.2)
  • GS108Tv3 (fixed in firmware version 7.0.7.2)
  • GS110TPP (fixed in firmware version 7.0.7.2)
  • GS110TPv3 (fixed in firmware version 7.0.7.2)
  • GS110TUP (fixed in firmware version 1.0.5.3)
  • GS308T (fixed in firmware version 1.0.3.2)
  • GS310TP (fixed in firmware version 1.0.3.2)
  • GS710TUP (fixed in firmware version 1.0.5.3)
  • GS716TP (fixed in firmware version 1.0.4.2)
  • GS716TPP (fixed in firmware version 1.0.4.2)
  • GS724TPP (fixed in firmware version 2.0.6.3)
  • GS724TPv2 (fixed in firmware version 2.0.6.3)
  • GS728TPPv2 (fixed in firmware version 6.0.8.2)
  • GS728TPv2 (fixed in firmware version 6.0.8.2)
  • GS750E (fixed in firmware version 1.0.1.10)
  • GS752TPP (fixed in firmware version 6.0.8.2)
  • GS752TPv2 (fixed in firmware version 6.0.8.2)
  • MS510TXM (fixed in firmware version 1.0.4.2)
  • MS510TXUP (fixed in firmware version 1.0.4.2)

According to Coldwind, the flaws concern an authentication
bypass, an authentication hijacking, and a third as-yet-undisclosed
vulnerability that could grant an attacker the ability to change
the administrator password without actually having to know the
previous password or hijack the session bootstrapping information,
resulting in a full compromise of the device.

The three vulnerabilities have been given the codenames Demon’s
Cries[2] (CVSS score: 9.8), Draconian Fear[3] (CVSS score: 7.8),
and Seventh Inferno (CVSS score: TBD).

“A funny bug related to authorization spawns from the fact that
the password is obfuscated by being XORed with
‘NtgrSmartSwitchRock’,” Coldwind said in a write-up explaining the
authentication bypass. “However, due to the fact that in the
handler of TLV type 10 an strlen() is called on the still
obfuscated password, it makes it impossible to authenticate
correctly with a password that happens to have the same character
as the phrase above at a given position.”
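The strlen() problem Coldwind describes is worth seeing concretely: XORing a password byte with the key byte at the same position yields 0x00 whenever the two are equal, and a C strlen() on the obfuscated buffer stops at that NUL, so the firmware sees a shorter password than the user typed. The following is an added example written for this article, not Coldwind’s proof of concept or Netgear firmware; the key string comes from the quoted write-up, while the TLV layout, the assumption that the key repeats for passwords longer than 19 bytes, and the sample passwords are constructed here for illustration.

```python
# Added illustration of the obfuscation/strlen() interaction described above.
# Not Netgear's code and not Coldwind's PoC; only the key string is from the
# write-up. Everything else (key repetition, sample passwords) is assumed.

KEY = b"NtgrSmartSwitchRock"  # 19 bytes, quoted in the write-up


def obfuscate(password: bytes) -> bytes:
    """XOR each password byte with the key byte at the same index.

    Assumption: the key repeats for passwords longer than the key. The page
    says nothing about that case; for passwords up to 19 bytes it is moot.
    """
    return bytes(p ^ KEY[i % len(KEY)] for i, p in enumerate(password))


def c_strlen(buf: bytes) -> int:
    """Emulate C strlen(): count bytes up to (not including) the first NUL."""
    nul = buf.find(b"\x00")
    return len(buf) if nul < 0 else nul


def colliding_positions(password: bytes) -> list:
    """Indexes where the password byte equals the key byte, i.e. XOR -> 0x00."""
    return [i for i, p in enumerate(password) if p == KEY[i % len(KEY)]]


def length_seen_by_handler(password: bytes) -> int:
    """Length a handler that calls strlen() on the still-obfuscated buffer
    would observe. Any collision truncates the password at that position."""
    return c_strlen(obfuscate(password))


def check_password_usable(password: bytes) -> dict:
    """Report whether a password survives the obfuscate-then-strlen path.

    'usable' is False when strlen() would truncate the obfuscated buffer,
    which is the 'impossible to authenticate correctly' case in the quote.
    """
    seen = length_seen_by_handler(password)
    return {
        "password": password,
        "collisions": colliding_positions(password),
        "length_seen": seen,
        "usable": seen == len(password),
    }


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in (b"hunter2", b"Secret1", b"Nordic"):
        r = check_password_usable(pw)
        print(f"{pw!r}: collisions={r['collisions']} "
              f"strlen sees {r['length_seen']}/{len(pw)} usable={r['usable']}")
```

Running it shows that `hunter2` shares no byte position with the key and is seen whole, `Secret1` collides at index 3 (`r` against the key’s `r`) and is truncated to three bytes, and a password starting with `N` is seen as empty. The practical takeaway for a defender is that XOR with a fixed, public string is obfuscation rather than encryption, and that treating an arbitrary byte buffer as a C string is a classic source of silent truncation.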

Draconian Fear, on the other hand, requires the attacker to
either share the admin’s IP address or be able to spoof the address[4]
through other means. Because the Web UI ties a pending login only to
the source IP and a trivially guessable “userAgent[5]” string, the
malicious party can flood the authentication endpoint with requests,
thereby “greatly increasing the odds of getting the session
information before admin’s browser gets it.”

In light of the critical nature of the vulnerabilities,
organizations relying on the aforementioned Netgear switches are
recommended to upgrade to the fixed firmware versions listed above
as soon as possible to mitigate any potential exploitation risk.

References

  1. issued patches (kb.netgear.com)
  2. Demon’s Cries (gynvael.coldwind.pl)
  3. Draconian Fear (gynvael.coldwind.pl)
  4. spoof the address (en.wikipedia.org)
  5. userAgent (developer.mozilla.org)
