Multiple vulnerabilities were found in Netgear ProSafe Plus JGS516PE switches that may pose a serious risk to their users. The most critical vulnerability could allow unauthenticated users to gain arbitrary code execution.
The following vulnerabilities were the most relevant identified during the internal research:
- Unauthenticated Remote Code Execution (CVE-2020-26919)
- NSDP Authentication Bypass (CVE-2020-35231)
- Unauthenticated Firmware Update Mechanism (CVE-2020-35220)
- TFTP Ineffective Firmware Checks (CVE-2020-35232)
- Unauthenticated Buffer Overflow (CVE-2020-35224)
- Insecure Password Hashing Mechanism (CVE-2020-35221)
- Authentication Token Reuse (CVE-2020-35229)
- Stored XSS in Language Settings (CVE-2020-35228)
- Buffer Overflow in IP Source Params (CVE-2020-35227)
- Unauthenticated Write Access to DHCP Configuration (CVE-2020-35226)
- Unauthenticated Access to Switch Configuration Parameters (CVE-2020-35222)
- TFTP Unexpected Behaviours (CVE-2020-35233)
- Multiple Integer Overflow Instances (CVE-2020-35230)
- Multiple Write Commands Buffer Overflow (CVE-2020-35225)
- Ineffective Cross Site Request Forgery Protections (CVE-2020-35223)
Netgear reported that most of the vulnerabilities affecting the NSDP protocol were already known, since the protocol reached end of life years ago; it is still enabled for legacy reasons, for customers who prefer to keep using ProSafe Plus. Furthermore, we were informed that, due to hardware limitations, it is not possible to implement many of the standard encryption protocols, such as those needed for HTTPS.
Technical Advisories:
Unauthenticated Remote Code Execution (CVE-2020-26919)
Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: prior to 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-26919
Advisory URL: https://kb.netgear.com/000062334/Security-Advisory-for-Missing-Function-Level-Access-Control-on-JGS516PE-PSV-2020-0377
Severity: 9.8 (Critical) - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The switch internal management web application in firmware versions prior to 2.6.0.43 failed to correctly implement access controls in one of its endpoints, allowing unauthenticated attackers to bypass authentication and execute actions with administrator privileges.
Impact
Due to the ability to execute system commands through the “debug” web sections, successful exploitation of this vulnerability can lead to remote code execution on the affected device.
Details
It was found that every section of the web application could be used as a valid endpoint for POST requests, with the action being defined by the submitId argument.
The problem was located in the login.htm page, which has to be publicly reachable to process login requests but does not restrict the execution of debug actions. This allows unauthenticated users to execute system commands.
curl -X POST --data-raw 'submitId=debug&debugCmd=sys+dump&submitEnd=' 'http:///login.htm'
Recommendation
Update device firmware to version 2.6.0.43 or later.
NSDP Authentication Bypass (CVE-2020-35231)
Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35231
Severity: 8.8 (High) - AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Netgear developed a network protocol as a discovery method with the ability to manage the switch configuration. It is known as Netgear Switch Management Protocol (NSDP) and it is used by the “Netgear Switch Discovery Tool” and “ProSafe Plus Configuration Utility” software. The implementation of this protocol in the devices analysed does not properly handle authentication packets and, under certain circumstances, can be abused to bypass the authentication method.
Impact
A remote unauthenticated attacker can send specially crafted authentication packets to execute any management action on the device, including wiping the configuration by triggering a factory restore.
Details
The NSDP authentication process involves two steps: asking for a random token (0x17 command) and using it to generate a password hash that will be used to send authenticated requests (0x1a command).
The problem arises when the authenticated request is sent while the first step is skipped. When no random number has been requested since the last reboot, the device appears to store an empty value, and the system accepts an empty authentication hash as valid.
The following commands were used to restore the device to factory defaults (0x400) without knowing the administration password:
001a00000400000101ffff0000
Note that although it is required that no random token has been generated previously, multiple ways have been found to force a device reboot, effectively restoring the conditions to perform the current attack.
Recommendation
Netgear's response stated that none of the issues related to the NSDP protocol are going to be fixed due to the protocol's end of life, so it is recommended to leave the remote management feature disabled and stop using the ProSafe Plus Configuration Utility to modify the switch configuration.
Unauthenticated Firmware Update Mechanism (CVE-2020-35220)
Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35220
Severity: 8.3 (High) - AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Summary
A TFTP server with the ability to update firmware was found to be active by default, allowing external attackers to upload custom firmware files without requiring administrative credentials.
Impact
An external attacker could use this vulnerability to upload outdated firmware versions containing other vulnerabilities, upload invalid data that leaves the device bricked, or even upload custom firmware files that may include malicious code, such as backdoors.
Details
The active TFTP server allows any external user to upload custom firmware files. As an example, it was possible to install a previous firmware version using this method:
$ atftp 192.168.0.239
tftp> put JGS516PE_GS116Ev2_V2.6.0.24.bin
Sent 407581 bytes in 19.7 seconds
Recommendation
Update device firmware to version 2.6.0.48 or later.
TFTP Ineffective Firmware Checks (CVE-2020-35232)
Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35232
Severity: 8.1 (High) - AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Summary
The firmware update mechanism does not properly implement internal checks such as firmware length or checksum validation, allowing attackers to craft firmware files with the ability to overwrite the entire memory with custom code.
Impact
An attacker could use this situation to upload a custom firmware that overflows the firmware partition and overwrites all the memory content, including default or user-defined configurations.
Details
The following flaws were detected:
- The file length is only validated against the corresponding firmware header, regardless of the real file length.
- The uploaded file is written directly into the image partition, overwriting the previous contents before being validated.
- The maximum firmware size allowed (0x17ff00) exceeds the partition size (0xc0000).
- The error displayed on the serial port when the CRC value does not match was used to reverse engineer the implementation.
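The following added example (not Netgear's update code) shows an image validator that closes the first three gaps listed above: it checks the header length against the bytes actually received, bounds the image by the partition size (0xc0000) rather than the larger limit the firmware used (0x17ff00), and verifies the CRC before anything is written. The header layout (magic, big-endian length, CRC32) is an assumption made for illustration; only the two size constants come from the advisory.

```python
"""Image validation that closes the first three check gaps listed above.

Added example, not Netgear's update code. The header layout (4-byte
magic, 4-byte big-endian payload length, 4-byte CRC32 of the payload)
is assumed for illustration; only the two size constants come from the
advisory.
"""
import struct
import zlib

PARTITION_SIZE = 0xC0000     # advisory: image partition size
VENDOR_MAX_SIZE = 0x17FF00   # advisory: limit the firmware enforced (larger than the partition)
MAGIC = b"JGS5"              # assumed magic value
HEADER_FMT = ">4sII"         # assumed: magic, payload length, CRC32 of payload
HEADER_LEN = struct.calcsize(HEADER_FMT)


def validate_image(blob, partition_size=PARTITION_SIZE):
    """Return (True, payload) if blob may be flashed, else (False, reason).

    Every check runs on the bytes actually received, and the caller writes
    nothing to the partition until all of them pass.
    """
    if len(blob) < HEADER_LEN:
        return False, "file shorter than the header"
    magic, declared_len, crc = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != MAGIC:
        return False, "bad magic"
    payload = blob[HEADER_LEN:]
    # Flaw 1: the declared length must match the real file length.
    if len(payload) != declared_len:
        return False, f"header declares {declared_len} bytes, {len(payload)} received"
    # Flaw 3: bound by the partition size, not by the larger vendor constant.
    if HEADER_LEN + declared_len > partition_size:
        return False, "image larger than the partition"
    # Flaw 2: verify integrity before anything touches the partition.
    if (zlib.crc32(payload) & 0xFFFFFFFF) != crc:
        return False, "CRC mismatch"
    return True, payload


class Partition:
    """Stand-in for the flash partition; it changes only through commit()."""

    def __init__(self, size):
        self.size = size
        self.data = b""

    def commit(self, payload):
        self.data = payload


def flash_image(blob, partition):
    """Validate first, write second; a rejected image leaves the partition untouched."""
    ok, result = validate_image(blob, partition.size)
    if not ok:
        return False, result
    partition.commit(result)
    return True, "flashed"


def build_image(payload, declared_len=None):
    """Construct a test image; declared_len lets a test put a lie in the header."""
    if declared_len is None:
        declared_len = len(payload)
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    return struct.pack(HEADER_FMT, MAGIC, declared_len, crc) + payload


if __name__ == "__main__":
    part = Partition(PARTITION_SIZE)
    print(flash_image(build_image(b"\x42" * 1024), part))
    print(flash_image(build_image(b"\x00" * 0x100000), part))
```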
Recommendation
Update device firmware to version 2.6.0.48 or later.
Unauthenticated Buffer Overflow (CVE-2020-35224)
Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35224
Severity: 8.1 (High) - AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Summary
The implementation of the authentication command in Netgear Switch Management Protocol (NSDP) could be abused by sending a long parameter that will force a system reboot.
Impact
A remote unauthenticated attacker could use this vulnerability to carry out a denial of service (DoS) attack by forcing continuous device reboots.
Details
The authentication command (0x1a) could be abused by sending a value with more than 8 bytes, causing a system reboot.
The following authentication message illustrates the problem including a value with only two more bytes than expected:
001a000affffffffffffffffffffffff0000
Recommendation
Netgear's response stated that none of the issues related to the NSDP protocol are going to be fixed due to the protocol's end of life, so it is recommended to leave the remote management feature disabled and stop using the ProSafe Plus Configuration Utility to modify the switch configuration.
Insecure Password Hashing Mechanism (CVE-2020-35221)
Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35221
Severity: 7.5 (High) - AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The hashing algorithm implemented for password authentication in NSDP was found to be insecure in many ways, allowing an attacker with access to a network capture to generate valid passwords or infer some parts of the original one.
Impact
Successful exploitation of this vulnerability will allow the external attacker to gain administrative access to the switch.
Details
The hashing algorithm used to send authenticated requests was affected by several weaknesses.
The first one is related to original password leakage. An attacker with access to a network capture containing the random number (command 0x17) and password hash (command 0x1a) packets will be able to infer the following information:
- The first character can be retrieved from the 7th byte if the password length is less than 19.
- If the first character is known, it is possible to tell whether the second and third characters are the same.
- The last character can be retrieved when the password length mod 3 is equal to 1 (1, 4, 7, 10, …).
- It is possible to infer the password length in groups of 3 elements.
The second issue is that the algorithm is vulnerable to collision attacks. As before, an attacker with access to a network capture will be able to generate, in a short period of time, multiple valid passwords that can be used in the same way as the original one.
Recommendation
Netgear's response stated that none of the issues related to the NSDP protocol are going to be fixed due to the protocol's end of life, so it is recommended to leave the remote management feature disabled and stop using the ProSafe Plus Configuration Utility to modify the switch configuration.
Authentication Token Reuse (CVE-2020-35229)
Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35229
Severity: 7.5 (High) - AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The random number used to generate the password hash in the NSDP protocol was not invalidated on every use. An attacker with access to the network will be able to obtain a valid hash and perform any request using a single authenticated packet.
Impact
NSDP does not implement protocol encryption so any intruder with the ability to intercept valid communications between user and device would be able to obtain a valid authentication token that can be used to perform any administrative actions.
Details
The random token (0x17 command) was not invalidated on each command execution, so an attacker with access to the network traffic will be able to reuse the same authentication hash multiple times by skipping the random number generation step.
This behaviour defeats the security of the authentication procedure, leaving the password hash in the same situation as a clear-text password or a session token.
Recommendation
Netgear's response stated that none of the issues related to the NSDP protocol are going to be fixed due to the protocol's end of life, so it is recommended to leave the remote management feature disabled and stop using the ProSafe Plus Configuration Utility to modify the switch configuration.
Stored XSS in Language Settings (CVE-2020-35228)
Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35228
Severity: 7.2 (High) - AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
The switch management web application is not properly validating and encoding all of the configuration parameters, allowing attackers to inject malicious JavaScript code that will be executed on every rendered web page.
Impact
Due to the existence of CSRF issues, an external attacker could trick an administrator into sending malicious payloads that store JavaScript code with the ability to execute administrative requests or exfiltrate internal information.
Details
The selectLang parameter from multiLanguageCfg section was not properly validated and was found to be reflected in every web page of the control panel.
The following request could be used as a proof of concept:
POST /index.htm HTTP/1.1
Host: 192.168.0.239
User-Agent: (...snip...)
Accept: (...snip...)
Accept-Language: (...snip...)
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 158
Origin: http://192.168.0.239
Connection: close
Referer: http://192.168.0.239/index.htm?0
Cookie: (...snip...)
Upgrade-Insecure-Requests: 1

submitId=multiLanguageCfg&selectLang=aaaa';alert(1);//&multiLangFlag=0&RegisterStatus=0&registeredPopUp=0&changePwdPopUp=0&changePwd=0&confirmPwd=0&submitEnd=
Recommendation
Netgear reported that it has no plans to provide a fix for this vulnerability, so access to the web management application has to be restricted to known hosts and extreme caution must be exercised while using it due to the lack of protocol encryption. Users following secure deployment practices will deploy switches behind firewalls rather than exposing them directly to the internet, effectively reducing the attack surface.
Buffer Overflow in IP Source Params (CVE-2020-35227)
Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35227
Severity: 7.2 (High) - AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
The delete functionality from “access control” section in management web application was not properly validating the length of its input parameters. One of the input parameters in that request could be abused to trigger a buffer overflow vulnerability.
Impact
A successful attack allows an attacker to perform the inverse action, adding custom IP addresses to the access control list. It could also be abused to cause a system reboot.
Details
The delete action of the access control functionality requires the checkedList parameter, which is intended to contain a list of host IDs to be removed from the whitelist.
This parameter can be abused to perform the inverse action and add IP addresses, as shown below:
POST /config/maintenance_ip_source.htm HTTP/1.1
Host: 192.168.0.239
User-Agent: (...snip...)
Accept: (...snip...)
Accept-Language: (...snip...)
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 149
Origin: http://192.168.0.239
Connection: close
Referer: http://192.168.0.239/config/maintenance_ip_source.htm
Cookie: (...snip...)

submitId=ipSource&ipAddr=192.168.0.220&subnetmask=255.255.255.0&ipSrcAction=del&checkedList=-999999999999999999999990123456789abcdefghijkl&submitEnd=
As a result, the entry 97.98.99.100/101.102.103.104 is added to the access list.
Recommendation
Netgear reported that it has no plans to provide a fix for this vulnerability, so access to the web management application has to be restricted to known hosts and extreme caution must be exercised while using it due to the lack of protocol encryption. Users following secure deployment practices will deploy switches behind firewalls rather than exposing them directly to the internet, effectively reducing the attack surface.
Unauthenticated Write Access to DHCP Configuration (CVE-2020-35226)
Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35226
Severity: 7.1 (High) - AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Summary
The DHCP configuration feature of the NSDP protocol allows unauthenticated requests to retrieve the DHCP status, but does not implement any access control for the other input values. As a result, the service could be configured remotely by unauthenticated users.
Impact
An attacker could force multiple DHCP requests or disable DHCP altogether, likely leading to a denial of service.
Details
The DHCP command (0x0b) can be queried with values from 0 to 3. The last value is used to retrieve the DHCP status, but it was also possible to send the other values to configure the DHCP settings, using either 0 (disable) or 1 (enable).
The following command can be used to enable DHCP:
000b000101ffff0000
Recommendation
Netgear's response stated that none of the issues related to the NSDP protocol are going to be fixed due to the protocol's end of life, so it is recommended to leave the remote management feature disabled and stop using the ProSafe Plus Configuration Utility to modify the switch configuration.
Unauthenticated Access to Switch Configuration Parameters (CVE-2020-35222)
Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35222
Severity: 6.5 (Medium) - AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
The NSDP protocol implemented in this device does not require authentication to query configuration parameters. When remote management is disabled, the protocol can still be used to retrieve basic information such as IP address, name, location or firmware versions. When it is enabled, an unauthenticated user could use it to retrieve a full copy of the internal configuration.
Impact
The disclosure of this kind of information may be used to gain a greater understanding of the underlying technologies involved and tailor further attacks to these specific products.
Details
The NSDP protocol cannot be fully disabled on this device and still allows retrieving some information, such as system name, location, firmware version or serial number.
When remote management is enabled, every configuration parameter can be retrieved by requesting the corresponding command, with the exception of the system password. These requests do not require any form of authentication.
[-] Product Name (1): JGS516PE
[-] Product Type (2): Smart Switch Without SNMP (0xb'0000')
[-] System Name (3): Test5
[-] MAC Address (4): 38:94:ed:d0:b9:4a
[-] Location (5):
[-] IP Address (6): 192.168.0.239
[-] Network Mask (7): 255.255.255.0
[-] Gateway Address (8): 192.168.0.254
[-] DHCP Mode (11): Disabled (0xb'00')
[-] FW Image Number (12): 0xb'02'
[-] FW Version Image 1 (13): 2.6.0.43
[-] FW Version Image 2 (14): 2.6.0.48
[-] Active Image (15): Firmware 2 (0xb'02')
...
[-] Port Statistics (4096): Port: 9, Bytes recv.: 62495, Bytes sent: 271979, Packets: 597, Broadcast: 67, Multicast: 38, CRC errors: 0
...
[-] VLAN Type (8192): Disabled (0xb'00')
[-] VLAN Group Ports (9216): 2
[-] VLAN 802.1Q IDs (12288): Port: 1, VLAN_ID: 0
...
[-] QoS Type (13312): 802.1p Based (0xb'02')
[-] QoS Ports (14336): Port: 1, Priority: Normal Priority
...
[-] Broadcast Filtering Ports (22528): Port: 16, Rate: 512 Kb/sec
[-] Port Mirroring (23552): Dest. Port: 0, Status?: 0x00, Src. Ports: None
[-] Number of Ports (24576): 0xb'10'
Recommendation
Netgear's response stated that none of the issues related to the NSDP protocol are going to be fixed due to the protocol's end of life, so it is recommended to leave the remote management feature disabled and stop using the ProSafe Plus Configuration Utility to modify the switch configuration. Even with the service disabled there is some information that can be retrieved, so, to effectively mitigate this situation, it is recommended to filter traffic on UDP ports 63321 to 63324.
TFTP Unexpected Behaviours (CVE-2020-35233)
Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35233
Severity: 6.5 (Medium) - AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
The switch operating system is not able to manage concurrent processes while performing any action involving the TFTP server, allowing system reboots to be triggered by executing another action while the system is being updated.
Impact
An attacker could make use of this vulnerability to force continuous device reboots that will leave the device unusable.
Details
The TFTP server and update process do not seem to be integrated with multitasking operations. It was possible to cause system reboots just by trying to load the web panel while a firmware update was in progress, or even by sending several TFTP requests at a time.
Recommendation
Update device firmware to version 2.6.0.48 or later and try to enable TFTP server only while performing a firmware update.
Multiple Integer Overflow Instances (CVE-2020-35230)
Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35230
Severity: 6.5 (Medium) - AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Summary
The web application did not correctly sanitize any of the integer parameters sent from the client. As a consequence, it was possible to trigger integer overflow vulnerabilities in almost every POST request involving this kind of parameters.
Impact
Successful exploitation of this issue leads to system reboots and, in certain circumstances, may potentially be exploited to gain remote code execution.
Details
The following example illustrates the vulnerability by abusing the groupId parameter from Basic 802.1Q VLAN configuration to force a system reboot:
POST /config/portbased_basic.htm HTTP/1.1
Host: 192.168.0.239
User-Agent: (...snip...)
Accept: (...snip...)
Accept-Language: (...snip...)
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 158
Origin: http://192.168.0.239
Connection: close
Referer: http://192.168.0.239/config/portbased_basic.htm
Cookie: (...snip...)

submitId=vlanPbMemCfg&bPortBasedVLAN=Enable&changeType=0&groupId=-12345678901234567890123456789012345678901234567890123456789012&memBMap=-999999999&submitEnd=
Recommendation
Netgear reported that it has no plans to provide a fix for this vulnerability, so access to the web management application has to be restricted to known hosts and extreme caution must be exercised while using it due to the lack of protocol encryption. Users following secure deployment practices will deploy switches behind firewalls rather than exposing them directly to the internet, effectively reducing the attack surface.
Multiple Write Commands Buffer Overflow (CVE-2020-35225)
Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35225
Severity: 6.4 (Medium) - AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Summary
The implementation of write requests in the NSDP protocol does not validate the input length of write command parameters, generating a buffer overflow condition that can be used to carry out denial of service attacks.
Impact
A remote attacker could use this vulnerability to force continuous system reboots or even gain full control of the device execution flow.
Details
Write commands involving string parameters, such as “System Name” (0x03) or “Location” (0x05), do not check the input length, producing a device reboot if large parameters are sent.
The following request includes a system name modification command with a string of 0x1ff “A” characters that forces a device reboot:
001a0008XXXXXXXXXXXXXXXX000301ff(41x512)ffff0000
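The malformed NSDP bodies quoted in the Authentication Bypass, Unauthenticated Buffer Overflow, DHCP Configuration and Write Commands advisories above all share one tag/length/value layout, so a single inspection routine can flag each of them on a network sensor. This is an added example, not NCC Group's tooling or Netgear's code: the TLV layout is read off the advisory's hex samples, the NSDP transport header that precedes the body on the wire is not modelled, and MAX_STRING_LEN is an assumed limit rather than a value taken from the firmware.

```python
"""Detector for the NSDP request bodies quoted in this advisory.

Added example, not NCC Group's tooling or Netgear's code. The body layout
(16-bit tag, 16-bit length, value, repeated, terminated by ffff0000) is
read off the advisory's hex samples; the NSDP transport header that
precedes the body on the wire is not modelled. MAX_STRING_LEN is an
assumed limit, not a value taken from the firmware.
"""
import struct

END_MARKER = b"\xff\xff\x00\x00"
TAG_SYSTEM_NAME = 0x0003     # advisory: "System Name" (0x03)
TAG_LOCATION = 0x0005        # advisory: "Location" (0x05)
TAG_DHCP = 0x000B            # advisory: DHCP command (0x0b)
TAG_AUTH = 0x001A            # advisory: authentication command (0x1a)
TAG_FACTORY_RESET = 0x0400   # advisory: factory defaults (0x400)
AUTH_HASH_LEN = 8            # advisory: more than 8 bytes causes a reboot
MAX_STRING_LEN = 64          # assumption: sane bound for name/location strings
STRING_TAGS = {TAG_SYSTEM_NAME: "system name", TAG_LOCATION: "location"}


def parse_tlvs(body):
    """Split a body into (tag, value) pairs; ValueError on truncation."""
    tlvs, offset = [], 0
    while body[offset:offset + 4] != END_MARKER:
        if offset + 4 > len(body):
            raise ValueError("truncated TLV header or missing end marker")
        tag, length = struct.unpack_from(">HH", body, offset)
        value = body[offset + 4:offset + 4 + length]
        if len(value) != length:
            raise ValueError(f"tag 0x{tag:04x} declares {length} bytes, {len(value)} present")
        tlvs.append((tag, value))
        offset += 4 + length
    return tlvs


def inspect_body(body):
    """Return findings for one request body; an empty list means it looks normal."""
    findings, authenticated = [], False
    for tag, value in parse_tlvs(body):
        if tag == TAG_AUTH:
            if len(value) == 0:
                findings.append("empty auth hash (CVE-2020-35231 bypass pattern)")
            elif len(value) > AUTH_HASH_LEN:
                findings.append(f"auth value of {len(value)} bytes (CVE-2020-35224 overflow pattern)")
            else:
                authenticated = True   # an 8-byte hash was presented (not verified here)
            continue
        # A non-empty value is a write; the DHCP status query (value 3) is the
        # one unauthenticated read the advisory describes as intended.
        is_write = len(value) > 0 and not (tag == TAG_DHCP and value == b"\x03")
        if tag in STRING_TAGS and len(value) > MAX_STRING_LEN:
            findings.append(f"{STRING_TAGS[tag]} of {len(value)} bytes (CVE-2020-35225 overflow pattern)")
        if tag == TAG_FACTORY_RESET and is_write:
            findings.append("factory reset requested")
        if is_write and not authenticated:
            what = "DHCP configuration write (CVE-2020-35226)" if tag == TAG_DHCP else f"write to tag 0x{tag:04x}"
            findings.append(f"{what} without a valid auth hash")
    return findings


# Constructed samples; the first three are the advisory's own hex bodies.
SAMPLES = {
    "auth bypass + factory reset": bytes.fromhex("001a00000400000101ffff0000"),
    "oversized auth value": bytes.fromhex("001a000a" + "ff" * 10 + "ffff0000"),
    "unauthenticated dhcp enable": bytes.fromhex("000b000101ffff0000"),
    "dhcp status query": bytes.fromhex("000b000103ffff0000"),
    "oversized system name": bytes.fromhex("001a0008" + "00" * 8 + "000301ff") + b"A" * 0x1FF + END_MARKER,
    "authenticated rename": bytes.fromhex("001a0008" + "00" * 8 + "00030005") + b"Test5" + END_MARKER,
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label}: {inspect_body(body) or 'no findings'}")
```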
Recommendation
Netgear's response stated that none of the issues related to the NSDP protocol are going to be fixed due to the protocol's end of life, so it is recommended to leave the remote management feature disabled and stop using the ProSafe Plus Configuration Utility to modify the switch configuration.
Ineffective Cross Site Request Forgery Protections (CVE-2020-35223)
Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35223
Severity: 6.3 (Medium) - AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Summary
The management web application implements a random token named “secureRand” to prevent CSRF attacks, but this security feature could be bypassed by removing that parameter from requests.
Impact
This could allow an attacker to manipulate a user into unwittingly performing administrative actions on behalf of the attacker.
Details
The web application implements a CSRF protection by including a random token (secureRand) in the source code of every web page generated.
It was found that POST requests do not require that parameter in order to be executed, which invalidates the CSRF prevention method.
As an example, the following HTTP snippet was created to perform a system reboot without requiring the CSRF token:
<script>history.pushState('', '', '/')</script>
<form action="http://<IP>/config/maintenance_device_reboot.htm" method="POST">
  <input type="hidden" name="submitId" value="sysReset">
  <input type="hidden" name="reboot" value="1">
  <input type="hidden" name="submitEnd" value="">
  <input type="submit" value="Submit request">
</form>
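The proof-of-concept requests quoted in the Remote Code Execution, Stored XSS, IP Source Params, Integer Overflow and CSRF advisories above can each be recognised from the request path and body alone. The following added example (not Netgear's or NCC Group's code) applies those checks the way a reverse proxy or IDS placed in front of the switch could; the sample requests are constructed from the advisory's bodies with their "&" separators, and the allowed-character patterns and the integer bound are assumptions.

```python
"""Request checks for the web management issues in this advisory.

Added example, not Netgear's or NCC Group's code. It inspects one
form-encoded POST (path plus body) the way a reverse proxy or IDS in
front of the switch could. The sample requests are constructed from the
proof-of-concept bodies quoted in the advisory; the allowed-character
patterns and the integer bound are assumptions.
"""
import re
from urllib.parse import unquote_plus

INT_PARAMS = {"groupId", "memBMap"}                  # advisory: CVE-2020-35230 PoC parameters
INT_MAX = 2 ** 31 - 1                                # assumption: values are 32-bit ids/bitmaps
LANG_RE = re.compile(r"^[A-Za-z0-9_-]{1,16}$")       # assumption: selectLang is a language code
ID_LIST_RE = re.compile(r"^\d{1,3}(,\d{1,3})*$")     # assumption: checkedList is small host ids


def parse_form(body):
    """Parse application/x-www-form-urlencoded into {name: [values]}."""
    params = {}
    for pair in body.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def single(params, name):
    """The parameter's value when it appears exactly once, else None."""
    values = params.get(name, [])
    return values[0] if len(values) == 1 else None


def inspect_request(path, body):
    """Return findings for one POST; an empty list means nothing suspicious."""
    params = parse_form(body)
    findings = []
    submit_id = single(params, "submitId")
    if submit_id == "debug":
        findings.append(f"debug command submitted to {path} (CVE-2020-26919)")
    lang = single(params, "selectLang")
    if lang is not None and not LANG_RE.match(lang):
        findings.append("selectLang contains characters outside a language code (CVE-2020-35228)")
    checked = single(params, "checkedList")
    if checked is not None and not ID_LIST_RE.match(checked):
        findings.append("checkedList is not a list of small numeric ids (CVE-2020-35227)")
    for name in sorted(INT_PARAMS.intersection(params)):
        value = single(params, name) or ""
        if not re.fullmatch(r"-?\d{1,10}", value) or not 0 <= int(value) <= INT_MAX:
            findings.append(f"{name} outside the expected non-negative 32-bit range (CVE-2020-35230)")
    # Every submitId request changes state, so each one should carry the page's CSRF token.
    if submit_id is not None and "secureRand" not in params:
        findings.append("state-changing POST without secureRand token (CVE-2020-35223)")
    return findings


# Constructed samples: paths and bodies taken from the advisory's PoCs, plus one benign request.
SAMPLES = [
    ("/login.htm", "submitId=debug&debugCmd=sys+dump&submitEnd="),
    ("/index.htm", "submitId=multiLanguageCfg&selectLang=aaaa';alert(1);//&multiLangFlag=0&submitEnd="),
    ("/config/maintenance_ip_source.htm",
     "submitId=ipSource&ipAddr=192.168.0.220&subnetmask=255.255.255.0&ipSrcAction=del"
     "&checkedList=-999999999999999999999990123456789abcdefghijkl&submitEnd="),
    ("/config/portbased_basic.htm",
     "submitId=vlanPbMemCfg&bPortBasedVLAN=Enable&changeType=0"
     "&groupId=-12345678901234567890123456789012345678901234567890123456789012"
     "&memBMap=-999999999&submitEnd="),
    ("/config/maintenance_device_reboot.htm", "submitId=sysReset&reboot=1&submitEnd="),
    ("/index.htm", "submitId=multiLanguageCfg&selectLang=en&secureRand=TOKEN_PLACEHOLDER&submitEnd="),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(f"POST {path}: {inspect_request(path, body) or 'no findings'}")
```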
Recommendation
Netgear reported that it has no plans to provide a fix for this vulnerability, so access to the web management application has to be restricted to known hosts and extreme caution must be exercised while using it due to the lack of protocol encryption. Users following secure deployment practices will deploy switches behind firewalls rather than exposing them directly to the internet, effectively reducing the attack surface.
Vendor Communication
- 01 Sep 2020 – First contact with the vendor.
- 05 Sep 2020 – Vulnerability details reported to Netgear.
- 17 Sep 2020 – Netgear published a security advisory for the most critical issue.
- 29 Oct 2020 – Call with Netgear team to discuss vulnerabilities, CVSS ratings and remediation plan.
- 02 Dec 2020 – Netgear released the new firmware v2.6.0.48 including fixes for CVE-2020-35220, CVE-2020-35232, CVE-2020-35233 and other minor issues. NCC Group was informed that there are no future plans to fix the other issues.
- 16 Dec 2021 – Started the process to coordinate the publication of this document.
- 11 Jan 2021 – First draft shared with Netgear.
- 27 Jan 2021 – Remediation actions were agreed. An initial paragraph reflecting Netgear’s posture was also added.
- 08 Mar 2021 – Technical Advisory published by NCC Group.
Vendor communication was really smooth. The Netgear team was extremely collaborative in the vulnerability disclosure process, to the point of organizing several calls to present their roadmap and discuss future actions. I would like to thank the Netgear team for their efforts and support throughout the process.
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published date: March 8 2021
Written by: Manuel Ginés Rodríguez