Netgear is a multinational computer networking company that produces networking hardware for consumers, businesses, and service providers. Netgear recently identified and patched three high-severity vulnerabilities affecting a wide range of its products. Most of the affected products are smart switches, some of them with cloud management capabilities that allow them to be configured and monitored over the internet. These three vulnerabilities have been named Demon’s Cries, Draconian Fear, and Seventh Inferno by the researcher who discovered them.
Details
- Demon’s Cries
Demon’s Cries is an authentication bypass vulnerability that can allow an attacker to take complete control of a vulnerable device. A feature in Netgear devices called Netgear Smart Control Center (SCC) must be turned on for this vulnerability to be exploitable; it is turned off by default. This vulnerability has received a CVSSv3 score of 8.8 from the vendor, although the researcher insists the severity of this vulnerability should be 9.8 and nothing less.
- Draconian Fear
The second flaw, referred to as Draconian Fear, can also allow an attacker to take complete control of a vulnerable device. The researcher refers to this vulnerability as “authentication hijacking,” where an attacker would need the same IP address as an admin to “hijack the session bootstrapping information.” The researcher further explains, “The obvious limiting factor here is the requirement for the attacker to either have the same IP as the admin (foothold on the same machine with limited privileges, same source NAT IP, etc.) or being able to spoof the IP with various low-level network shenanigans, as well winning a race condition with a 1-second window (pretty easy actually)”. This vulnerability has received a CVSSv3 score between 7.4 and 8.8 by the vendor, but the researcher has given it 7.8.
- Seventh Inferno
The details about this flaw are not disclosed and are expected to be available on or after 13th September 2021. This vulnerability has also received a CVSSv3 score between 7.4 and 8.8 by the vendor.
Affected
The following NETGEAR smart switch models are affected by these vulnerabilities:
- GC108P
- GC108PP
- GS108Tv3
- GS110TPP
- GS110TPv3
- GS110TUP
- GS308T
- GS310TP
- GS710TUP
- GS716TP
- GS716TPP
- GS724TPP
- GS724TPv2
- GS728TPPv2
- GS728TPv2
- GS750E
- GS752TPP
- GS752TPv2
- MS510TXM
- MS510TXUP
PoC
Technical details and proof-of-concept (PoC) exploit code for Demon’s Cries and Draconian Fear are publicly available.
Impact
An attacker can bypass authentication and take control of a vulnerable device.
Solution
Netgear has released a fix for these vulnerabilities in the latest firmware versions.
- GC108P fixed in firmware version 1.0.8.2
- GC108PP fixed in firmware version 1.0.8.2
- GS108Tv3 fixed in firmware version 7.0.7.2
- GS110TPP fixed in firmware version 7.0.7.2
- GS110TPv3 fixed in firmware version 7.0.7.2
- GS110TUP fixed in firmware version 1.0.5.3
- GS308T fixed in firmware version 1.0.3.2
- GS310TP fixed in firmware version 1.0.3.2
- GS710TUP fixed in firmware version 1.0.5.3
- GS716TP fixed in firmware version 1.0.4.2
- GS716TPP fixed in firmware version 1.0.4.2
- GS724TPP fixed in firmware version 2.0.6.3
- GS724TPv2 fixed in firmware version 2.0.6.3
- GS728TPPv2 fixed in firmware version 6.0.8.2
- GS728TPv2 fixed in firmware version 6.0.8.2
- GS750E fixed in firmware version 1.0.1.10
- GS752TPP fixed in firmware version 6.0.8.2
- GS752TPv2 fixed in firmware version 6.0.8.2
- MS510TXM fixed in firmware version 1.0.4.2
- MS510TXUP fixed in firmware version 1.0.4.2
We recommend users of these products install the necessary Netgear security updates mentioned in the advisory as soon as possible to stay protected.