Pierluigi Paganini March 14, 2021

Netgear has released security and firmware updates for its JGS516PE Ethernet switch to address 15 vulnerabilities, including a critica remote code execution issue.

Netgear has released security and firmware updates to address 15 vulnerabilities in its JGS516PE Ethernet switch, including an unauthenticated remote code execution flaw rated as critical.

The flaws were discovered by researchers at NCC Group IT, most of them affect the NSDP protocol, which is still enabled for legacy reasons, to allow customers to use Prosafe Plus. 

The most severe flaw is a critical RCE tracked as CVE-2020-26919 and rated with a CVSS v3 score of 9.8, the remaining flaws are nine high-severity issues and a five medium-rated bugs.

The CVE-2020-26919 resides in the switch internal management web application in firmware versions prior to 2.6.0.43, it could be exploited by unauthenticated attackers to bypass authentication and execute actions with administrator privileges.

“The switch internal management web application in firmware versions prior to 2.6.0.43 failed to correctly implement access controls in one of its endpoints, allowing unauthenticated attackers to bypass authentication and execute actions with administrator privileges.” reads the advisory published by NCC Group.”

“It was found that every section of the web could be used as a valid endpoint to submit POST requests being the action defined by the submitId argument. The problem was located in the login.html webpage, that has to be publicly available to perform login requests but does not implement any restriction for executing debug actions. This will allow users execute system commands.”

Another vulnerability addressed by the vendor is an NSDP Authentication Bypass tracked as CVE-2020-35231 rated with CVSS v3 score of 8.8.

The Netgear Switch Management Protocol (NSDP) is a proprietary protocol used as discovery method with the ability to manage the switch configuration. The NSDP it is used by “Netgear Switch Discovery Tool” and “ProSafe Plus Configuration Utility” software. 

“A remote unauthenticated attacker can send specially crafted authentication packages to execute any management actions in the device, including wiping the configuration by executing a factory restoration.” states the advisory.

Experts also found an Unauthenticated Firmware Update Mechanism tracked as CVE-2020-35220. The researchers discovered a TFTP server with the ability to update firmware that is active by default, it could allow external attackers to upload tainted firmware updates without requiring administrative credentials.

“An external attacker could use this vulnerability to upload outdated versions of the firmware containing other vulnerabilities, upload invalid data to left the device bricked or even upload custom firmware files that may include malicious code, such as backdoors.” states the advisory.

Netgear published firmware updates for the JGS516PE switch on its website, the latest version available for download is 2.6.0.48.

Below the timeline for these vulnerabilities:

• 01 Sep 2020 – First contact with the vendor.
• 05 Sep 2020 – Vulnerabilities details reported to Netgear.
• 17 Sep 2020 – Netgear published a security advisory for the most critical issue.
• 29 Oct 2020 – Call with Netgear team to discuss vulnerabilities, CVSS ratings and remediation plan.
• 02 Dec 2020 – Netgear released the new firmware v2.6.0.48 including fixes for CVE-2020-35220, CVE-2020-35232, CVE-2020-35233 and other minor issues. NCC Group was informed that there are no future plans to fix the other issues.
• 16 Dec 2021 – Start the process to coordinate the publication of this document.
• 11 Jan 2021 – First draft shared with Netgear.
• 27 Jan 2021 – Remediation actions were agreed. An initial paragraph reflecting Netgear’s posture was also added.
• 08 Mar 2021 – Technical Advisory published by NCC Group.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Netgear)

[adrotate banner=”5″]

[adrotate banner=”13″]