Network admins also offered mitigation advice for numerous other unpatched vulnerabilities
UPDATED The most serious of a raft of security vulnerabilities found in two Netgear ProSAFE Plus networking switches could lead to unauthenticated remote code execution (RCE) on affected devices.
Organizations using models JGS516PE and GS116Ev2 have been urged to update their systems after security researchers from NCC Group uncovered 15 flaws in the devices’ firmware.
However, Netgear, a networking products vendor, told researchers that it cannot fix several vulnerabilities affecting the Netgear Switch Discovery Protocol (NSDP), including five high-risk flaws, “due to hardware limitations” that preclude the implementation of many “standard encryption protocols”, according to an NCC Group technical advisory published on March 8.
Steps for preventing exploitation have been provided instead.
The bugs “were known due to end-of-life years ago”, but the NSDP protocol “is still enabled for legacy reasons”, explained NCC Group IT security consultant Manuel Ginés Rodríguez.
The RCE bug (CVE-2020-26919), which has a critical CVSS score of 9.8, arose because the switch internal management web application “failed to correctly implement access controls in one of its endpoints, allowing unauthenticated attackers to bypass authentication and execute actions with administrator privileges”, said the researcher.
NCC Group “found that every section of the web could be used as a valid endpoint to submit POST requests being the action defined by the submitId argument”.
RCE was possible because the login.html webpage failed to implement restrictions for executing debug actions.
Making a hash of it
The most serious high-risk flaw (CVE-2020-35231), with a CVSS 8.8, allowed for an authentication bypass of NSDP when the discovery protocol, which manages switch configurations, failed to request a random token that subsequently generates a password hash for authenticated requests.
“When no other random number has been requested from last reboot it seems to be [storing] an empty value and the system will accept as valid an empty authentication hash,” added Rodríguez.
As a result, “a remote unauthenticated attacker can send specially crafted authentication packages to execute any management actions in the device, including wiping the configuration by executing a factory restoration.”
In the absence of a fix for this and several other high and medium severity bugs, network admins are advised to “leave disabled the remote management feature and stop using the Pro Safe Plus Configuration Utility to modify the switch configuration.”
Netgear said a fix will also not be forthcoming for a high-risk stored cross-site scripting bug (CVE-2020-35228) and a buffer overflow vulnerability (CVE-2020-35227) in its network switch admin web panel.
Instead, network admins should deploy switches behind firewalls, restrict web management access to known hosts and exercise “extreme caution” when using the application “due to the lack of protocol encryption”.
Another noteworthy high-risk flaw (CVE-2020-35220) with a CVSS of 8.3 meant unauthenticated attackers could “upload outdated versions of the firmware containing other vulnerabilities, upload invalid data to [leave] the device bricked or even upload custom firmware files that may include malicious code, such as backdoors”.
“Our findings highlight the importance of building security into the development life cycle, as introducing changes into legacy software at a later stage can be very difficult,” Rodríguez told The Daily Swig.
“Proactivity in terms of testing and addressing security issues early in the development process, along with the ongoing application of security practices such as bug bounty programmes, can go a long way towards improving the security of devices on a long-term basis.”
All flaws apply only to version 22.214.171.124 save for the RCE bug, which only affects prior releases.
NCC Group, a UK-headquartered cybersecurity firm, alerted the vendor on September 1, 2020, and provided vulnerability details on September 5.
Netgear published a security advisory for the most critical issue on September 17 and rolled out firmware v126.96.36.199 remedying the other flaws on December 2.
“Vendor communication was really smooth” and the “Netgear team were extremely collaborative in the vulnerability disclosure process,” concluded Rodríguez.
The Daily Swig has also contacted Netgear with additional questions and we will update the article accordingly if we receive a response.
This article was updated on March 15 with additional comments from Manuel Gines Rodríguez of NCC Group.