Third Critical Bug Affects Netgear Smart Switches — Details and PoC Released


New details have been revealed about a recently patched critical vulnerability in Netgear smart switches that an attacker could leverage to execute malicious code and take control of vulnerable devices.

The flaw, dubbed "Seventh Inferno" (CVSS score: 9.8), is the third of a trio of security weaknesses, alongside Demon's Cries (CVSS score: 9.8) and Draconian Fear (CVSS score: 7.8), that Google security engineer Gynvael Coldwind reported to the networking, storage, and security solutions provider.

The disclosure comes weeks after NETGEAR released patches for the three vulnerabilities on September 3.

Successful exploitation of Demon's Cries and Draconian Fear could grant an attacker the ability to change the administrator password without knowing the current one, or to hijack the session bootstrapping information, either of which results in a full compromise of the device.

Now, in a new post detailing Seventh Inferno, Coldwind explained that the flaw is a newline injection in the password field of the Web UI login, which lets an attacker create fake session files. Chained with a reboot denial-of-service (DoS) and a post-authentication shell injection, this yields a fully valid admin session and code execution as the root user, i.e., full device compromise.

The reboot DoS uses the newline injection to write "2" into three kernel sysctl files: "/proc/sys/vm/panic_on_oom," "/proc/sys/kernel/panic," and "/proc/sys/kernel/panic_on_oops." With those values set, vm.panic_on_oom=2 makes every out-of-memory condition trigger a kernel panic, a nonzero kernel.panic_on_oops turns oopses into panics, and kernel.panic=2 makes the kernel reboot two seconds after a panic. The attacker then exhausts the available RAM by uploading a large file over HTTP, which forces the switch to crash and restart. Because writes to /proc/sys are not persistent, the settings revert to their defaults after the reboot.

“This vulnerability and exploit chain is actually quite interesting technically,” Coldwind said. “In short, it goes from a newline injection in the password field, through being able to write a file with constant uncontrolled content of ‘2’ (like, one byte 32h), through a DoS and session crafting (which yields an admin web UI user), to an eventual post-auth shell injection (which yields full root).”
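To make the newline-injection primitive concrete, the following is an added Python example, not Coldwind's PoC and not Netgear firmware code. It models a hypothetical line-oriented session/config store with one key=value record per line: the vulnerable writer copies the submitted password verbatim, so a value containing a newline appends a record of the client's choosing, while the hardened writer rejects control characters before anything reaches the file. The record format, field names and inputs are constructed for illustration.

```python
import io
import re

# Hypothetical line-oriented store: one "key=value" record per line, as many
# embedded web UIs use for sessions and settings. Nothing here is Netgear code.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def write_record_vulnerable(buf, key, value):
    """Write a record with the value copied verbatim.

    A newline inside `value` terminates the record early, and whatever follows
    it becomes a record of the attacker's choosing.
    """
    buf.write(f"{key}={value}\n")


def field_is_clean(value):
    """Reject anything that could break the record framing (CR, LF, NUL, ...)."""
    return CONTROL_CHARS.search(value) is None


def write_record_hardened(buf, key, value):
    """Same writer, but refuses values that would inject record boundaries."""
    if not (field_is_clean(key) and field_is_clean(value)):
        raise ValueError("control characters are not allowed in record fields")
    buf.write(f"{key}={value}\n")


def parse_records(text):
    """Read the store back the way a naive consumer would: split on newlines."""
    records = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            records[key] = value
    return records


def demo_injection():
    # Constructed attacker input: a "password" that smuggles in a second record.
    submitted_password = "hunter2\nrole=admin"
    buf = io.StringIO()
    write_record_vulnerable(buf, "password", submitted_password)
    return parse_records(buf.getvalue())


def demo_hardened():
    # The same input against the hardened writer: nothing is written at all.
    buf = io.StringIO()
    try:
        write_record_hardened(buf, "password", "hunter2\nrole=admin")
    except ValueError:
        return parse_records(buf.getvalue())
    raise AssertionError("hardened writer accepted an injected newline")


if __name__ == "__main__":
    print("vulnerable:", demo_injection())   # {'password': 'hunter2', 'role': 'admin'}
    print("hardened:  ", demo_hardened())    # {}
```

In the real chain the injected file content was uncontrolled (a single "2"), so the attacker chose where lines landed rather than what they said; the defensive lesson is the same: validate user input at the framing boundary of whatever format it is written into, and never let a request pick the path of a file the server writes.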

The full list of models impacted by the three vulnerabilities is below —

  • GC108P (fixed in firmware version
  • GC108PP (fixed in firmware version
  • GS108Tv3 (fixed in firmware version
  • GS110TPP (fixed in firmware version
  • GS110TPv3 (fixed in firmware version
  • GS110TUP (fixed in firmware version
  • GS308T (fixed in firmware version
  • GS310TP (fixed in firmware version
  • GS710TUP (fixed in firmware version
  • GS716TP (fixed in firmware version
  • GS716TPP (fixed in firmware version
  • GS724TPP (fixed in firmware version
  • GS724TPv2 (fixed in firmware version
  • GS728TPPv2 (fixed in firmware version
  • GS728TPv2 (fixed in firmware version
  • GS750E (fixed in firmware version
  • GS752TPP (fixed in firmware version
  • GS752TPv2 (fixed in firmware version
  • MS510TXM (fixed in firmware version
  • MS510TXUP (fixed in firmware version
