Netgear has released firmware updates to address high-severity vulnerabilities that affect over a dozen of its smart switches used on corporate networks.
The company fixed three security flaws that affect 20 Netgear products, most of which are smart switches. Technical details and proof-of-concept (PoC) exploit code for two of the bugs are publicly available.
According to an advisory from Netgear, a new firmware version is available for some of its switches impacted by three security vulnerabilities that received severity scores between 7.4 and 8.8 on a scale of 10.
The bugs are identified as PSV-2021-0140, PSV-2021-0144, and PSV-2021-0145, as tracking numbers have yet to be assigned. Many of the affected products are smart switches, some of them with cloud management capabilities that allow configuring and monitoring them over the web.
- GC108P (latest firmware version: 184.108.40.206)
- GC108PP (latest firmware version: 220.127.116.11)
- GS108Tv3 (latest firmware version: 18.104.22.168)
- GS110TPP (latest firmware version: 22.214.171.124)
- GS110TPv3 (latest firmware version: 126.96.36.199)
- GS110TUP (latest firmware version: 188.8.131.52)
- GS308T (latest firmware version: 184.108.40.206)
- GS310TP (latest firmware version: 220.127.116.11)
- GS710TUP (latest firmware version: 18.104.22.168)
- GS716TP (latest firmware version: 22.214.171.124)
- GS716TPP (latest firmware version: 126.96.36.199)
- GS724TPP (latest firmware version: 188.8.131.52)
- GS724TPv2 (latest firmware version: 184.108.40.206)
- GS728TPPv2 (latest firmware version: 220.127.116.11)
- GS728TPv2 (latest firmware version: 18.104.22.168)
- GS750E (latest firmware version: 22.214.171.124)
- GS752TPP (latest firmware version: 126.96.36.199)
- GS752TPv2 (latest firmware version: 188.8.131.52)
- MS510TXM (latest firmware version: 184.108.40.206)
- MS510TXUP (latest firmware version: 220.127.116.11)
The company recommends that users download the latest firmware as soon as possible.
The security researcher Gynvael Coldwind, who found and reported the vulnerabilities, explained two of the issues and provided demo exploit code for them.
In his security report, Coldwind says that one of the flaws, which he calls Demon’s Cries, is an authentication bypass that could, under certain conditions, allow an attacker to take control of a vulnerable device.
A prerequisite for exploiting this bug is that the Netgear Smart Control Center (SCC) feature is active. By default, it is turned off.
The severity score given by Netgear for this bug is 8.8, because an attacker must be on the local network to be able to exploit it.
However, the researcher disagrees and marks the severity of this vulnerability as critical at 9.8. He argues that the specification for version 3.1 of the Common Vulnerability Scoring System notes that Attack Vector: Network (over the internet) should be used even for intranet attacks:
But a remote attacker would need the help of a user on the network to exploit the flaw. This drops the severity score to 8.8.
The second vulnerability that Coldwind detailed got the name Draconian Fear and he defines it as an “authentication hijacking.” The description accounts for an attack where a threat actor would need the same IP address as an admin to “hijack the session bootstrapping information.”
So, an attacker would have full admin access to the device’s web user interface, giving them complete control over the device.
Details about the third vulnerability, which is named Seventh Inferno, will be available later.