Experts found 15 flaws in Netgear JGS516PE switch, including a critical RCE

Netgear has released security and firmware updates for its JGS516PE Ethernet switch to address 15 vulnerabilities, including a critica remote code execution issue.

Netgear has released security and firmware updates to address 15 vulnerabilities in its JGS516PE Ethernet switch, including an unauthenticated remote code execution flaw rated as critical.

The flaws were discovered by researchers at NCC Group IT, most of them affect the NSDP protocol, which is still enabled for legacy reasons, to allow customers to use Prosafe Plus.

The most severe flaw is a critical RCE tracked as CVE-2020-26919 and rated with a CVSS v3 score of 9.8, the remaining flaws are nine high-severity issues and a five medium-rated bugs.

The CVE-2020-26919 resides in the switch internal management web application in firmware versions prior to 2.6.0.43, it could be exploited by unauthenticated attackers to bypass authentication and execute actions with administrator privileges.

“The switch internal management web application in firmware versions prior to 2.6.0.43 failed to correctly implement access controls in one of its endpoints, allowing unauthenticated attackers to bypass authentication and execute actions with administrator privileges.” reads the advisory published by NCC Group.”

“It was found that every section of the web could be used as a valid endpoint to submit POST requests being the action defined by the submitId argument. The problem was located in the login.html webpage, that has to be publicly available to perform login requests but does not implement any restriction for executing debug actions. This will allow users execute system commands.”

Another vulnerability addressed by the vendor is an NSDP Authentication Bypass tracked as CVE-2020-35231 rated with CVSS v3 score of 8.8.

The Netgear Switch Management Protocol (NSDP) is a proprietary protocol used as discovery method with the ability to manage the switch configuration. The NSDP it is used by “Netgear Switch Discovery Tool” and “ProSafe Plus Configuration Utility” software.

“A remote unauthenticated attacker can send specially crafted authentication packages to execute any management actions in the device, including wiping the configuration by executing a factory restoration.” states the advisory.

Experts also found an Unauthenticated Firmware Update Mechanism tracked as CVE-2020-35220. The researchers discovered a TFTP server with the ability to update firmware that is active by default, it could allow external attackers to upload tainted firmware updates without requiring administrative credentials.

“An external attacker could use this vulnerability to upload outdated versions of the firmware containing other vulnerabilities, upload invalid data to left the device bricked or even upload custom firmware files that may include malicious code, such as backdoors.” states the advisory.

Netgear published firmware updates for the JGS516PE switch on its website, the latest version available for download is 2.6.0.48.

Below the timeline for these vulnerabilities:

01 Sep 2020 – First contact with the vendor.
05 Sep 2020 – Vulnerabilities details reported to Netgear.
17 Sep 2020 – Netgear published a security advisory for the most critical issue.
29 Oct 2020 – Call with Netgear team to discuss vulnerabilities, CVSS ratings and remediation plan.
02 Dec 2020 – Netgear released the new firmware v2.6.0.48 including fixes for CVE-2020-35220, CVE-2020-35232, CVE-2020-35233 and other minor issues. NCC Group was informed that there are no future plans to fix the other issues.
16 Dec 2021 – Start the process to coordinate the publication of this document.
11 Jan 2021 – First draft shared with Netgear.
27 Jan 2021 – Remediation actions were agreed. An initial paragraph reflecting Netgear’s posture was also added.
08 Mar 2021 – Technical Advisory published by NCC Group.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Netgear)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.