Netgear has released security and firmware updates to address 15 vulnerabilities in its JGS516PE Ethernet switch, including an unauthenticated remote code execution flaw rated as critical.
The flaws were discovered by researchers at NCC Group IT, most of them affect the NSDP protocol, which is still enabled for legacy reasons, to allow customers to use Prosafe Plus.
The most severe flaw is a critical RCE tracked as CVE-2020-26919 and rated with a CVSS v3 score of 9.8, the remaining flaws are nine high-severity issues and a five medium-rated bugs.
The CVE-2020-26919 resides in the switch internal management web application in firmware versions prior to 220.127.116.11, it could be exploited by unauthenticated attackers to bypass authentication and execute actions with administrator privileges.
“The switch internal management web application in firmware versions prior to 18.104.22.168 failed to correctly implement access controls in one of its endpoints, allowing unauthenticated attackers to bypass authentication and execute actions with administrator privileges.” reads the advisory published by NCC Group.”
“It was found that every section of the web could be used as a valid endpoint to submit POST requests being the action defined by the submitId argument. The problem was located in the login.html webpage, that has to be publicly available to perform login requests but does not implement any restriction for executing debug actions. This will allow users execute system commands.”
Another vulnerability addressed by the vendor is an NSDP Authentication Bypass tracked as CVE-2020-35231 rated with CVSS v3 score of 8.8.
The Netgear Switch Management Protocol (NSDP) is a proprietary protocol used as discovery method with the ability to manage the switch configuration. The NSDP it is used by “Netgear Switch Discovery Tool” and “ProSafe Plus Configuration Utility” software.
“A remote unauthenticated attacker can send specially crafted authentication packages to execute any management actions in the device, including wiping the configuration by executing a factory restoration.” states the advisory.
Experts also found an Unauthenticated Firmware Update Mechanism tracked as CVE-2020-35220. The researchers discovered a TFTP server with the ability to update firmware that is active by default, it could allow external attackers to upload tainted firmware updates without requiring administrative credentials.
“An external attacker could use this vulnerability to upload outdated versions of the firmware containing other vulnerabilities, upload invalid data to left the device bricked or even upload custom firmware files that may include malicious code, such as backdoors.” states the advisory.
Netgear published firmware updates for the JGS516PE switch on its website, the latest version available for download is 22.214.171.124.
Below the timeline for these vulnerabilities:
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Netgear)