Networking, storage and security solutions provider Netgear on Friday issued patches to address three security vulnerabilities affecting its smart switches that could be abused by an adversary to gain full control of a vulnerable device.
The flaws, which were discovered and reported to Netgear by Google security engineer Gynvael Coldwind, impact the following models -
- GC108P (fixed in firmware version 1.0.8.2)
- GC108PP (fixed in firmware version 1.0.8.2)
- GS108Tv3 (fixed in firmware version 7.0.7.2)
- GS110TPP (fixed in firmware version 7.0.7.2)
- GS110TPv3 (fixed in firmware version 7.0.7.2)
- GS110TUP (fixed in firmware version 1.0.5.3)
- GS308T (fixed in firmware version 1.0.3.2)
- GS310TP (fixed in firmware version 1.0.3.2)
- GS710TUP (fixed in firmware version 1.0.5.3)
- GS716TP (fixed in firmware version 1.0.4.2)
- GS716TPP (fixed in firmware version 1.0.4.2)
- GS724TPP (fixed in firmware version 2.0.6.3)
- GS724TPv2 (fixed in firmware version 2.0.6.3)
- GS728TPPv2 (fixed in firmware version 6.0.8.2)
- GS728TPv2 (fixed in firmware version 6.0.8.2)
- GS750E (fixed in firmware version 1.0.1.10)
- GS752TPP (fixed in firmware version 6.0.8.2)
- GS752TPv2 (fixed in firmware version 6.0.8.2)
- MS510TXM (fixed in firmware version 1.0.4.2)
- MS510TXUP (fixed in firmware version 1.0.4.2)
According to Coldwind, the flaws concern an authentication bypass, an authentication hijacking, and a third as-yet-undisclosed vulnerability that could grant an attacker the ability to change the administrator password without actually having to know the previous password or hijack the session bootstrapping information, resulting in a full compromise of the device.
The three vulnerabilities have been given the codenames Demon's Cries (CVSS score: 9.8), Draconian Fear (CVSS score: 7.8), and Seventh Inferno (TBD).
"A funny bug related to authorization spawns from the fact that the password is obfuscated by being XORed with 'NtgrSmartSwitchRock," Coldwind said in a write-up explaining the authentication bypass. "However, due to the fact that in the handler of TLV type 10 an strlen() is called on the still obfuscated password, it makes it impossible to authenticate correctly with a password that happens to have the same character as the phrase above at a given position."
Draconian Fear, on the other hand, requires the attacker to either have the same IP address as the admin or be able to spoof the address through other means. In such a scenario, the malicious party can take advantage of the fact that the Web UI relies only on the IP and a trivially guessable "userAgent" string to flood the authentication endpoint with multiple requests, thereby "greatly increasing the odds of getting the session information before admin's browser gets it."
In light of the critical nature of the vulnerabilities, companies relying on the aforementioned Netgear switches are recommended to upgrade to the latest version as soon as possible to mitigate any potential exploitation risk.