The Netgear ProSafe Plus Configuration Utility exposes password information via the configuration backup file.
CWE-200 - Information Exposure
The Netgear ProSafe Plus Configuration Utility provides a feature to back up switch configuration. In the backup file, the device password is clearly visible in plaintext.
An unauthenticated attacker with access to the configuration backup file may be able to retrieve the administrative password to the device.
The CERT/CC is currently unaware of a practical solution to this problem.
Network administrators choosing to use configuration backup files should ensure that they are not accessible to unauthorized users.
Vendor | Status | Date Notified | Date Updated
Netgear, Inc. | | 25 Jul 2014 | 02 Sep 2014
Group | Score | Vector
Base | 2.9 | AV:A/AC:M/Au:N/C:P/I:N/A:N
Temporal | 2.8 | E:F/RL:U/RC:C
Environmental | 2.0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND
This document was written by Joel Land.