Netgear has posted a firmware release for more than a dozen of its smart switches used on corporate networks to address high-severity vulnerabilities. The company fixed three security bugs that affect 20 Netgear products, mostly smart switches. Technical information and proof-of-concept (PoC) exploit code for some of the bugs are publicly available.
Affected Netgear Devices
An advisory from Netgear on Friday says that updated firmware versions are available for some of its switches affected by three security vulnerabilities that received severity scores between 7.4 and 8.8 on a scale of 10.

Netgear identifies the flaws as PSV-2021-0140, PSV-2021-0145, as tracking numbers have yet to be assigned. Many of the affected products are smart switches, some of them with cloud management capabilities that permit configuring and monitoring them over the web.
- GC108P (latest firmware version: 1.0.8.2)
- GC108PP (latest firmware version: 1.0.8.2)
- GS108Tv3 (latest firmware version: 7.0.7.2)
- GS110TPP (latest firmware version: 7.0.7.2)
- GS110TPv3 (latest firmware version: 7.0.7.2)
- GS110TUP (latest firmware version: 1.0.5.3)
- GS308T (latest firmware version: 1.0.3.2)
- GS310TP (latest firmware version: 1.0.3.2)
- GS710TUP (latest firmware version: 1.0.5.3)
- GS716TP (latest firmware version: 1.0.4.2)
- GS716TPP (latest firmware version: 1.0.4.2)
- GS724TPP (latest firmware version: 2.0.6.3)
- GS724TPv2 (latest firmware version: 2.0.6.3)
- GS728TPPv2 (latest firmware version: 6.0.8.2)
- GS728TPv2 (latest firmware version: 6.0.8.2)
- GS750E (latest firmware version: 1.0.1.10)
- GS752TPP (latest firmware version: 6.0.8.2)
- GS752TPv2 (latest firmware version: 6.0.8.2)
- MS510TXM (latest firmware version: 1.0.4.2)
- MS510TXUP (latest firmware version: 1.0.4.2)
Netgear’s advisory leaves out any technical information about the flaws but “actively suggests that you download the latest firmware as soon as possible.”
Exploiting the Flaws
The security researcher who identified and reported the vulnerabilities today described two of the issues and provided demo exploit code for them. The researcher also notes in his report that one of the bugs, which he calls Demon’s Cries, is an authentication bypass that could, under certain conditions, permit a threat actor to take control of a vulnerable device.
A prerequisite for exploiting this flaw is that the Netgear Smart Control Center (SCC) feature is active. Default configurations have it turned off. Netgear calculated a severity score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) for this vulnerability, reasoning that an attacker must be on the local network (Attack Vector: Adjacent) to be able to exploit it.
The researcher disagrees and rates the severity of this vulnerability as critical at 9.8. He argues that the specifications for version 3.1 of the Common Vulnerability Scoring System note that Attack Vector: Network (over the internet) should be used even for intranet attacks:
“Network should be used even if the attacker is required to be on the same intranet to exploit the unprotected system (e.g., the attacker can only exploit the vulnerability from inside a corporate network).”
However, a remote attacker would need the help of a user on the network (e.g., one who visits a website with malicious code that executes in the web browser and targets the vulnerable switch) to exploit the flaw. This drops the severity score to 8.8.
The second vulnerability that Coldwind detailed today got the name Draconian Fear and is what he defines as an “authentication hijacking (for lack of a better term).” The report describes an attack where a threat actor would need the same IP address as an admin to “hijack the session bootstrapping information.”
As a result, the attacker would have full admin access to the device’s web user interface, giving them full control over the device.