
Netgear issues patches for vulnerabilities impacting its smart switches
Netgear has released patches addressing three security vulnerabilities in its smart switches. These could be exploited by a threat actor to take full control of a vulnerable device.
Google security engineer Gynvael Coldwind identified the flaws and reported them to Netgear. The affected models, with the firmware version that fixes each, are:
- GC108P (fixed in firmware version 1.0.8.2)
- GC108PP (fixed in firmware version 1.0.8.2)
- GS108Tv3 (fixed in firmware version 7.0.7.2)
- GS110TPP (fixed in firmware version 7.0.7.2)
- GS110TPv3 (fixed in firmware version 7.0.7.2)
- GS110TUP (fixed in firmware version 1.0.5.3)
- GS308T (fixed in firmware version 1.0.3.2)
- GS310TP (fixed in firmware version 1.0.3.2)
- GS710TUP (fixed in firmware version 1.0.5.3)
- GS716TP (fixed in firmware version 1.0.4.2)
- GS716TPP (fixed in firmware version 1.0.4.2)
- GS724TPP (fixed in firmware version 2.0.6.3)
- GS724TPv2 (fixed in firmware version 2.0.6.3)
- GS728TPPv2 (fixed in firmware version 6.0.8.2)
- GS728TPv2 (fixed in firmware version 6.0.8.2)
- GS750E (fixed in firmware version 1.0.1.10)
- GS752TPP (fixed in firmware version 6.0.8.2)
- GS752TPv2 (fixed in firmware version 6.0.8.2)
- MS510TXM (fixed in firmware version 1.0.4.2)
- MS510TXUP (fixed in firmware version 1.0.4.2)
Coldwind states that the flaws concern an authentication bypass, an authentication hijacking, and a third, undisclosed flaw that could enable an attacker to change the administrator password without knowing the previous one, or to take over the session bootstrapping information, leading to complete compromise of the device.
The three vulnerabilities are named Demon’s Cries, Draconian Fear, and Seventh Inferno (TBD). Explaining the authentication bypass, Coldwind called it a funny bug linked to authorization issues: the password is obfuscated by being XORed with ‘NtgrSmartSwitchRock’. However, in the handler of TLV type 10, strlen() is called on the obfuscated password, which makes it impossible to authenticate with a password that happens to have the same character as that phrase at a given position.
Draconian Fear requires the attacker to have the same IP address as the admin, or to use IP spoofing. In that case the attacker can take advantage of the fact that the Web UI relies only on the IP and a guessable userAgent string, and flood the authentication endpoint with requests. This increases the chances of obtaining the session information before the admin’s browser does.
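To make the strlen() problem concrete, the following is an added example (not code from Coldwind's write-up or from Netgear's firmware) that reproduces the obfuscation and shows why a C-string length check truncates at the first password byte that matches the key. It assumes the key is applied byte-for-byte by position (repeating cyclically for longer passwords, which the article does not specify), and the sample passwords are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Obfuscation key quoted in Coldwind's description of the bug. */
static const char XOR_KEY[] = "NtgrSmartSwitchRock";
#define MAX_PW 64

/* XOR byte i of the password with byte i of the key.
   Assumption (not stated in the article): passwords longer than the key reuse it cyclically.
   Returns the true password length so callers can carry it explicitly. */
static size_t obfuscate(const char *pw, uint8_t *out) {
    size_t klen = strlen(XOR_KEY), len = strlen(pw);
    if (len > MAX_PW) len = MAX_PW;
    for (size_t i = 0; i < len; i++)
        out[i] = (uint8_t)pw[i] ^ (uint8_t)XOR_KEY[i % klen];
    return len;
}

/* Buggy handler: measures the obfuscated buffer with strlen(). Any position where the
   password byte equals the key byte XORs to 0x00 and is read as the string terminator. */
size_t buggy_obfuscated_len(const char *pw) {
    uint8_t buf[MAX_PW + 1] = {0};
    obfuscate(pw, buf);
    return strlen((const char *)buf);
}

/* Hardened handler: treats the obfuscated bytes as binary and keeps the length alongside. */
size_t fixed_obfuscated_len(const char *pw) {
    uint8_t buf[MAX_PW + 1] = {0};
    return obfuscate(pw, buf);
}

/* Index of the first password byte equal to the key byte at that position, or -1 if none:
   this is exactly where the buggy handler silently truncates. */
int first_collision(const char *pw) {
    size_t klen = strlen(XOR_KEY);
    for (size_t i = 0; pw[i] != '\0' && i < MAX_PW; i++)
        if (pw[i] == XOR_KEY[i % klen]) return (int)i;
    return -1;
}

int main(void) {
    const char *pw = "abcrxyz"; /* constructed sample: 'r' at index 3 matches the key */
    printf("collision at %d, strlen sees %zu of %zu bytes\n",
           first_collision(pw), buggy_obfuscated_len(pw), fixed_obfuscated_len(pw));
    return 0;
}
```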
Given the criticality of these vulnerabilities, companies relying on the above-mentioned Netgear switches are advised to upgrade to the latest firmware version as soon as possible to eliminate the risk of exploitation.