Netgear has released security and firmware updates to address 15 vulnerabilities in its JGS516PE Ethernet switch, including an unauthenticated remote code execution flaw rated as critical.
The flaws were discovered by researchers at NCC Group IT, most of them affect the NSDP protocol, which is still enabled for legacy reasons, to allow customers to use Prosafe Plus.
The most severe flaw is a critical RCE tracked as CVE-2020-26919 and rated with a CVSS v3 score of 9.8, the remaining flaws are nine high-severity issues and a five medium-rated bugs.
The CVE-2020-26919 resides in the switch internal management web application in firmware versions prior to 18.104.22.168, it could be exploited by unauthenticated attackers to bypass authentication and execute actions with administrator privileges.
“The switch internal management web application in firmware versions prior to 22.214.171.124 failed to correctly implement access controls in one of its endpoints, allowing unauthenticated attackers to bypass authentication and execute actions with administrator privileges.” reads the advisory published by NCC Group.”
“It was found that every section of the web could be used as a valid endpoint to submit POST requests being the action defined by the submitId argument. The problem was located in the login.html webpage, that has to be publicly available to perform login requests but does not implement any restriction for executing debug actions. This will allow users execute system commands.”
Another vulnerability addressed by the vendor is an NSDP Authentication Bypass tracked as CVE-2020-35231 rated with CVSS v3 score of 8.8.
The Netgear Switch Management Protocol (NSDP) is a proprietary protocol used as discovery method with the ability to manage the switch configuration. The NSDP it is used by “Netgear Switch Discovery Tool” and “ProSafe Plus Configuration Utility” software.
“A remote unauthenticated attacker can send specially crafted authentication packages to execute any management actions in the device, including wiping the configuration by executing a factory restoration.” states the advisory.
Experts also found an Unauthenticated Firmware Update Mechanism tracked as CVE-2020-35220. The researchers discovered a TFTP server with the ability to update firmware that is active by default, it could allow external attackers to upload tainted firmware updates without requiring administrative credentials.
“An external attacker could use this vulnerability to upload outdated versions of the firmware containing other vulnerabilities, upload invalid data to left the device bricked or even upload custom firmware files that may include malicious code, such as backdoors.” states the advisory.
Netgear published firmware updates for the JGS516PE switch on its website, the latest version available for download is 126.96.36.199.
Below the timeline for these vulnerabilities:
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Netgear)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.