Expert discloses details and PoC code for Netgear Seventh Inferno bug

Pierluigi Paganini September 18, 2021

A new critical vulnerability in Netgear smart switches can be exploited by an attacker to potentially execute malicious code and take over impacted devices.

Researchers provided technical details about a recently addressed critical vulnerability, dubbed Seventh Inferno, in Netgear smart switches that could be exploited by an attacker to potentially execute malicious code and take control of the affected devices.

The Seventh Inferno vulnerability received a CVSS score of 9.8. It was found along with two other bugs, tracked as Demon’s Cries (CVSS score: 9.8) and Draconian Fear (CVSS score: 7.8).

The flaws were discovered by Google security engineer Gynvael Coldwind, and Netgear addressed them early this month.

The flaws, tracked by the networking device vendor as PSV-2021-0140, PSV-2021-0144, and PSV-2021-0145, impact the following models:

  • GC108P
  • GC108PP
  • GS108Tv3
  • GS110TPP
  • GS110TPv3
  • GS110TUP
  • GS308T
  • GS310TP
  • GS710TUP
  • GS716TP
  • GS716TPP
  • GS724TPP
  • GS724TPv2
  • GS728TPPv2
  • GS728TPv2
  • GS750E
  • GS752TPP
  • GS752TPv2
  • MS510TXM
  • MS510TXUP

Netgear released security patches to fix them on September 3.

“NETGEAR just patched 3 reported vulnerabilities (Demon’s Cries, Draconian Fear and Seventh Inferno) in some managed (smart) switches. If you or your company owns any of these devices, please patch now.” Coldwind explained.

“P.S. This vulnerability [Seventh Inferno] and exploit chain is actually quite interesting technically. In short, it goes from a newline injection in the password field, through being able to write a file with constant uncontrolled content of 2 (like, one byte 32h), through a DoS and session crafting (which yields an admin web UI user), to an eventual post-auth shell injection (which yields full root).”

The expert also released the PoC for this vulnerability. The code first reboots the switch, then fakes a new session and exploits the post-auth RCE.

NETGEAR urges its customers using the following products to download the latest firmware:

  • GC108P fixed in firmware version 1.0.8.2
  • GC108PP fixed in firmware version 1.0.8.2
  • GS108Tv3 fixed in firmware version 7.0.7.2
  • GS110TPP fixed in firmware version 7.0.7.2
  • GS110TPv3 fixed in firmware version 7.0.7.2
  • GS110TUP fixed in firmware version 1.0.5.3
  • GS308T fixed in firmware version 1.0.3.2
  • GS310TP fixed in firmware version 1.0.3.2
  • GS710TUP fixed in firmware version 1.0.5.3
  • GS716TP fixed in firmware version 1.0.4.2
  • GS716TPP fixed in firmware version 1.0.4.2
  • GS724TPP fixed in firmware version 2.0.6.3
  • GS724TPv2 fixed in firmware version 2.0.6.3
  • GS728TPPv2 fixed in firmware version 6.0.8.2
  • GS728TPv2 fixed in firmware version 6.0.8.2
  • GS750E fixed in firmware version 1.0.1.10
  • GS752TPP fixed in firmware version 6.0.8.2
  • GS752TPv2 fixed in firmware version 6.0.8.2
  • MS510TXM fixed in firmware version 1.0.4.2
  • MS510TXUP fixed in firmware version 1.0.4.2
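
To check an inventory against the fixed versions listed above, the following added example (not code from Netgear or the researcher) compares installed firmware field by field as numbers, because a plain string comparison would rank 1.0.1.9 above 1.0.1.10. The CSV columns, host names and status labels are assumptions, as is treating any version equal to or later than the listed one as patched.

```python
import csv
import io

# Fixed firmware per model, copied from the list in this article.
FIXED = {
    "GC108P": "1.0.8.2", "GC108PP": "1.0.8.2", "GS108Tv3": "7.0.7.2",
    "GS110TPP": "7.0.7.2", "GS110TPv3": "7.0.7.2", "GS110TUP": "1.0.5.3",
    "GS308T": "1.0.3.2", "GS310TP": "1.0.3.2", "GS710TUP": "1.0.5.3",
    "GS716TP": "1.0.4.2", "GS716TPP": "1.0.4.2", "GS724TPP": "2.0.6.3",
    "GS724TPv2": "2.0.6.3", "GS728TPPv2": "6.0.8.2", "GS728TPv2": "6.0.8.2",
    "GS750E": "1.0.1.10", "GS752TPP": "6.0.8.2", "GS752TPv2": "6.0.8.2",
    "MS510TXM": "1.0.4.2", "MS510TXUP": "1.0.4.2",
}
BY_MODEL = {m.upper(): v for m, v in FIXED.items()}  # case-insensitive lookup

def parse_version(text):
    """'1.0.1.10' -> (1, 0, 1, 10), so fields compare as numbers, not strings."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(model, installed):
    fixed = BY_MODEL.get(model.strip().upper())
    if fixed is None:
        return "not-listed"          # model is not in the article's list
    try:
        have = parse_version(installed)
    except ValueError:
        return "unknown-version"     # blank or odd value: needs a manual check
    return "patched" if have >= parse_version(fixed) else "vulnerable"

# Constructed sample inventory (hypothetical hosts, not real devices).
SAMPLE_INVENTORY = """host,model,firmware
sw-lab-01,GS750E,1.0.1.9
sw-lab-02,GS750E,1.0.1.10
sw-edge-07,gs108tv3,7.0.6.3
sw-edge-09,MS510TXM,V1.0.4.2
sw-old-03,OTHER-MODEL,1.6.0.4
sw-new-11,GS308T,
"""

def audit(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["host"], classify(r["model"], r["firmware"])) for r in rows]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host:12} {status}")
```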
