Netgear Smart Switch Flaws
Three critical Netgear vulnerabilities, dubbed Demon's Cries, Draconian Fear and Seventh Inferno, affect 20 Netgear managed smart switches and could allow a complete takeover. The flaws were patched on Friday without any technical details being published. The researcher who discovered the flaws has now released details on the first two. Netgear is tracking the bugs, but CVEs are pending for all three. If exploited, the flaws could give attackers administrative privileges and complete control of the devices, which would let them disrupt corporate communications as well as move laterally throughout an enterprise network.
The researcher, known as Gynvael Coldwind, explained that an exploit would allow an authentication bypass, giving an attacker access to the admin's password and compromising the device. The issue exists within the Netgear Switch Discovery Protocol (NSDP), which is implemented by the sqfs/bin/sccd daemon. The protocol is UDP-based and each datagram consists of a 32-byte header followed by a Type/Length/Value chain, with each TLV consisting of a four-byte header (two bytes Type, two bytes Length) followed by the Value bytes.
By analyzing Netgear's administration tools, Coldwind found that any set commands require a password-authentication TLV to be first in the datagram. The sccd daemon on this device doesn't enforce this: the type 10 TLV can be omitted from the chain, and the password verification then neither happens nor is required by any of the set TLV handlers. As an example, a set command that changes the password on an account to the one specified in the TLV's value portion can be sent. An attacker would need to already have a foothold on the same corporate network as the target device in order to exploit the vulnerable system. Also, the switch must have Netgear's Smart Control Center enabled, which it is by default.
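The TLV layout described above lends itself to a structural check. The following is an added example, not code from the researcher or from Netgear: it parses the 32-byte header plus TLV chain, rejects truncated chains, and applies the rule sccd should have enforced, namely that a set datagram begins with a non-empty type-10 password TLV. Big-endian type and length fields, the all-zero header and TLV type 1000 are assumptions or placeholders, since the article gives neither the header fields nor the set opcodes.

```python
import struct
from typing import List, Tuple

# NSDP layout as described in the article: a 32-byte header, then a chain of
# TLVs, each with a 2-byte type and 2-byte length (big-endian is an assumption)
# followed by that many value bytes. Type 10 is the password-authentication TLV.
NSDP_HEADER_LEN = 32
AUTH_TLV_TYPE = 10


def parse_tlvs(datagram: bytes) -> List[Tuple[int, bytes]]:
    """Split an NSDP datagram into (type, value) pairs, rejecting malformed chains."""
    if len(datagram) < NSDP_HEADER_LEN:
        raise ValueError("datagram shorter than the 32-byte NSDP header")
    tlvs = []
    pos = NSDP_HEADER_LEN
    while pos < len(datagram):
        if len(datagram) - pos < 4:
            raise ValueError("truncated TLV header at offset %d" % pos)
        tlv_type, tlv_len = struct.unpack_from(">HH", datagram, pos)
        pos += 4
        if tlv_len > len(datagram) - pos:
            # A length field reaching past the end of the datagram is the classic
            # sign of a malformed or hostile packet; refuse it instead of guessing.
            raise ValueError("TLV type %d claims %d bytes, only %d remain"
                             % (tlv_type, tlv_len, len(datagram) - pos))
        tlvs.append((tlv_type, datagram[pos:pos + tlv_len]))
        pos += tlv_len
    return tlvs


def is_well_formed(datagram: bytes) -> bool:
    """True when the header and every TLV length fit inside the datagram."""
    try:
        parse_tlvs(datagram)
        return True
    except ValueError:
        return False


def set_request_is_authenticated(datagram: bytes) -> bool:
    """The policy sccd should have enforced for set commands: the chain must
    begin with a type-10 password TLV carrying a non-empty value."""
    tlvs = parse_tlvs(datagram)
    return bool(tlvs) and tlvs[0][0] == AUTH_TLV_TYPE and len(tlvs[0][1]) > 0


def build_datagram(header: bytes, tlvs: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a datagram from a 32-byte header and (type, value) pairs."""
    assert len(header) == NSDP_HEADER_LEN
    return header + b"".join(struct.pack(">HH", t, len(v)) + v for t, v in tlvs)


# Constructed samples: the header is all zeros and TLV type 1000 is a made-up
# placeholder for "some set operation"; neither value comes from the real protocol.
HEADER = bytes(NSDP_HEADER_LEN)
WELL_FORMED = build_datagram(HEADER, [(AUTH_TLV_TYPE, b"secret"), (1000, b"new-value")])
MISSING_AUTH = build_datagram(HEADER, [(1000, b"new-value")])
TRUNCATED = WELL_FORMED[:-3]  # last TLV's length field now exceeds the bytes present
```

Run as a packet-capture filter, `set_request_is_authenticated` returning False on a set datagram is the condition to alert on; `is_well_formed` keeps a hostile length field from tripping the checker itself.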
The second bug is only exploitable if the attack occurs while an admin is in the process of logging in. An attacker with the same IP as an admin who is logging in can hijack the session bootstrapping information, gaining full admin access to the device web UI. The bug exists because, in Netgear's web UI authentication logic, the browser first sends the login information using set.cgi and then polls get.cgi to obtain the session ID. However, get.cgi doesn't verify that the polling party is the same party that sent the login information: there is no session cookie linking the set.cgi and get.cgi requests together. To exploit the flaw, an attacker on the same IP as the admin can simply flood get.cgi with requests and steal the session information when it appears.
Netgear devices have had a series of authentication flaws in the past, especially in the company's routers. For example, three firmware flaws in the DGN-2200v1 series router were discovered in July; they enable authentication bypass to take over devices and access stored credentials using a side-channel attack. Last year, researchers discovered an unpatched zero-day vulnerability in firmware that put 80 Netgear device models at risk of full takeover. Netgear chose to leave 45 models unpatched because they were outdated or had reached end of life.