Netgear released fixes last week to address three security flaws in its smart switches that may be exploited by an attacker to take complete control of a vulnerable device.
The vulnerabilities, which Google security engineer Gynvael Coldwind discovered and reported to Netgear, affect a variety of models.
According to Coldwind, the flaws involve an authentication bypass, an authentication hijacking, and a third, yet-to-be-disclosed vulnerability that could allow an attacker to change the administrator password without knowing the previous password, or to hijack the session bootstrapping information, resulting in a complete device compromise.
Demon’s Cries (CVSS score: 9.8), Draconian Fear (CVSS score: 7.8), and Seventh Inferno (TBD) are the codenames for the three vulnerabilities.
Coldwind said in a write-up explaining the authentication bypass, “A funny bug related to authorization spawns from the fact that the password is obfuscated by being XORed with ‘NtgrSmartSwitchRock’.”
“However, due to the fact that in the handler of TLV type 10 an strlen() is called on the still obfuscated password, it makes it impossible to authenticate correctly with a password that happens to have the same character as the phrase above at a given position.”
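As an added illustration of the strlen() pitfall the quote describes (this is not code from Coldwind's write-up or from Netgear's firmware): the XOR-obfuscated bytes are binary, so any position where a password byte equals the key byte at that position becomes 0x00, and a strlen() on that buffer stops there; carrying the length explicitly avoids the problem. The cyclic repetition of the key for passwords longer than the key, and the buffer size, are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Obfuscation key named in the write-up. */
static const char KEY[] = "NtgrSmartSwitchRock";
#define MAX_PW 255

/* XOR-obfuscate `len` bytes of `in` into `out`.
 * Assumption: the key repeats cyclically for inputs longer than the key. */
static void obfuscate(const char *in, size_t len, unsigned char *out) {
    size_t klen = strlen(KEY);
    for (size_t i = 0; i < len; i++)
        out[i] = (unsigned char)in[i] ^ (unsigned char)KEY[i % klen];
}

/* Buggy pattern: recover the password length by calling strlen() on the
 * still-obfuscated buffer. Returns the length the handler would see. */
size_t obfuscated_strlen(const char *password) {
    unsigned char buf[MAX_PW + 1];
    size_t len = strlen(password);
    if (len > MAX_PW) len = MAX_PW;
    obfuscate(password, len, buf);
    buf[len] = 0;                     /* terminator for the strlen() call */
    return strlen((const char *)buf); /* stops at the first 0x00 byte */
}

/* Hardened pattern: carry the byte count alongside the buffer, de-obfuscate
 * exactly that many bytes, and compare with memcmp() over the full length.
 * Returns 1 if the original password is recovered intact, else 0. */
int round_trip_ok(const char *password) {
    unsigned char obf[MAX_PW + 1];
    char plain[MAX_PW + 1];
    size_t len = strlen(password);
    if (len > MAX_PW) return 0;
    obfuscate(password, len, obf);
    /* XOR is its own inverse; reuse obfuscate() with the explicit length. */
    obfuscate((const char *)obf, len, (unsigned char *)plain);
    return memcmp(plain, password, len) == 0;
}
```

A password whose first byte is 'N' obfuscates to a leading 0x00, so strlen() reports length zero; the length-carrying version still recovers it.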
Draconian Fear, on the other hand, requires that the attacker have the same IP address as the admin or be able to spoof that address in some way. In this case, the malicious party can exploit the fact that the Web UI relies only on the IP address and an easily guessable “userAgent” string, flooding the authentication endpoint with multiple requests and thereby “greatly increasing the odds of getting the session information before admin’s browser gets it.”
Given the critical severity of these vulnerabilities, organisations using the affected Netgear switches are advised to upgrade to the latest firmware as soon as possible to mitigate the risk of exploitation.