[BreachExchange] Third Critical Bug Affects Netgear Smart Switches — Details and PoC Released

Thu Sep 16 08:35:05 EDT 2021

https://thehackernews.com/2021/09/third-critical-bug-affects-netgear.html

New details have been revealed about a recently remediated critical
vulnerability in Netgear smart switches that could be leveraged by an
attacker to potentially execute malicious code and take control of
vulnerable devices.

The flaw — dubbed "Seventh Inferno" (CVSS score: 9.8) — is part of a trio
of security weaknesses, called Demon's Cries (CVSS score: 9.8) and
Draconian Fear (CVSS score: 7.8), that Google security engineer Gynvael
Coldwind reported to the networking, storage, and security solutions
provider.

The disclosure comes weeks after NETGEAR released patches to address the
vulnerabilities earlier this month, on September 3.

Successful exploitation of Demon's Cries and Draconian Fear could grant a
malicious party the ability to change the administrator password without
actually having to know the previous password or hijack the session
bootstrapping information, resulting in a full compromise of the device.

Now, in a new post sharing technical specifics about Seventh Inferno,
Coldwind noted that the flaw relates to a newline injection flaw in the
password field during Web UI authentication, effectively enabling the
attacker to create fake session files, and combine it with a reboot Denial
of Service (DoS) and a post-authentication shell injection to get a fully
valid session and execute any code as root user, thereby leading to full
device compromise.

The reboot DoS is a technique designed to reboot the switch by exploiting
the newline injection to write "2" into three different kernel
configurations — "/proc/sys/vm/panic_on_oom," "/proc/sys/kernel/panic," and
"/proc/sys/kernel/panic_on_oops" — in a manner that causes the device to
compulsorily shut down and restart due to kernel panic when all the
available RAM is consumed upon uploading a large file over HTTP.

"This vulnerability and exploit chain is actually quite interesting
technically," Coldwind said. "In short, it goes from a newline injection in
the password field, through being able to write a file with constant
uncontrolled content of '2' (like, one byte 32h), through a DoS and session
crafting (which yields an admin web UI user), to an eventual post-auth
shell injection (which yields full root)."

The full list of models impacted by the three vulnerabilities is below —

   - GC108P (fixed in firmware version 1.0.8.2)
   - GC108PP (fixed in firmware version 1.0.8.2)
   - GS108Tv3 (fixed in firmware version 7.0.7.2)
   - GS110TPP (fixed in firmware version 7.0.7.2)
   - GS110TPv3 (fixed in firmware version 7.0.7.2)
   - GS110TUP (fixed in firmware version 1.0.5.3)
   - GS308T (fixed in firmware version 1.0.3.2)
   - GS310TP (fixed in firmware version 1.0.3.2)
   - GS710TUP (fixed in firmware version 1.0.5.3)
   - GS716TP (fixed in firmware version 1.0.4.2)
   - GS716TPP (fixed in firmware version 1.0.4.2)
   - GS724TPP (fixed in firmware version 2.0.6.3)
   - GS724TPv2 (fixed in firmware version 2.0.6.3)
   - GS728TPPv2 (fixed in firmware version 6.0.8.2)
   - GS728TPv2 (fixed in firmware version 6.0.8.2)
   - GS750E (fixed in firmware version 1.0.1.10)
   - GS752TPP (fixed in firmware version 6.0.8.2)
   - GS752TPv2 (fixed in firmware version 6.0.8.2)
   - MS510TXM (fixed in firmware version 1.0.4.2)
   - MS510TXUP (fixed in firmware version 1.0.4.2)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210916/a424ed62/attachment.html>