[BreachExchange] Unpatched Flaws in Netgear Business Switches Expose Organizations to Attacks

Destry Winant destry at riskbasedsecurity.com
Fri Mar 12 10:49:12 EST 2021


https://www.securityweek.com/unpatched-flaws-netgear-business-switches-expose-organizations-attacks

Security researchers have identified multiple vulnerabilities in
ProSAFE Plus JGS516PE and GS116Ev2 business switches from Netgear, the
most severe of which could allow a remote, unauthenticated attacker to
execute arbitrary code.

A total of 15 vulnerabilities affecting Netgear switches that use the
ProSAFE Plus configuration utility were found to expose users to
various risks, according to researchers with IT security firm NCC
Group.

The most important of these bugs is CVE-2020-26919, an unauthenticated
remote code execution flaw rated critical severity (CVSS score of
9.8).

Affecting firmware versions prior to 2.6.0.43, the bug is related to
the internal management web application not implementing the correct
access controls, which could allow attackers to bypass authentication
and run code with the privileges of the administrator.

“Due to the ability to execute system commands through the ‘debug’ web
sections, a successful exploitation of this vulnerability can lead to
remote code execution on the affected device,” NCC Group notes.

The researchers also discovered that the Netgear Switch Discovery
Protocol (NSDP), a network protocol functioning as a discovery method
that also allows for switch management, fails to properly handle
authentication packages, thus leading to authentication bypasses
(CVE-2020-35231, CVSS score of 8.8).

An attacker able to exploit this vulnerability “could execute any
management actions in the device, including wiping the configuration
by executing a factory restoration,” the researchers say.

NCC Group says that Netgear has informed them that the NSDP has
reached end of life (EOL) and that none of the issues identified in it
will be addressed. Users are advised to disable the remote management
feature.

“Netgear reported that most of the vulnerabilities affecting the NSDP
protocol were known due to end-of-life years ago and it is still
enabled for legacy reasons, for customers who preferred to use Prosafe
Plus. Furthermore, we were informed that, due to hardware limitations,
it is not possible to implement many of the standard encryption
protocols, such as those needed to implement HTTPS,” NCC Group notes.

The researchers also found issues with the firmware update mechanism
on the vulnerable switches. One of them, CVE-2020-35220 (CVSS score of
8.3), could allow attackers to upload custom firmware files without
administrative rights.

The second issue (CVE-2020-35232, CVSS score of 8.1) resides in the
improper implementation of internal checks, which could allow
attackers to craft firmware files that could “overwrite the entire
memory with custom code.”

Other high-severity vulnerabilities in Netgear’s switches could lead
to denial of service (CVE-2020-35224, CVSS score 8.1), or could allow
an attacker to generate valid passwords (CVE-2020-35221, CVSS score
7.5) or perform requests using a single authenticated packet
(CVE-2020-35229, CVSS score 7.5).

Among the other high-severity findings, a stored XSS issue in the
language settings (CVE-2020-35228, CVSS score 7.2) could be abused to
inject JavaScript code that would then execute on every page of the
web interface, while a buffer overflow (CVE-2020-35227, CVSS score
7.2) could be abused to force a system reboot.

Another vulnerability in the NSDP protocol, the researchers
discovered, could be abused to retrieve the DHCP status without
authentication, thus allowing remote users to configure the service,
likely leading to denial of service (CVE-2020-35226, CVSS score 7.1).

The security researchers also identified a series of medium-severity
flaws, such as unauthenticated access to switch configuration
parameters (CVE-2020-35222), TFTP unexpected behavior
(CVE-2020-35233), integer overflow instances (CVE-2020-35230), write
command buffer overflows (CVE-2020-35225), and ineffective cross-site
request forgery protections (CVE-2020-35223).

In December 2020, Netgear released firmware version 2.6.0.48, which
includes patches for CVE-2020-35220, CVE-2020-35232, CVE-2020-35233,
and other issues. The remaining issues won’t receive patches, the
researchers say.
