Netgear ProSafe Plus Configuration Utility writes out plaintext passwords to backup configuration files

2014-09-08T00:00:00
ID VU:396212
Type cert
Reporter CERT
Modified 2014-09-08T00:00:00

Description

Overview

The Netgear ProSafe Plus Configuration Utility exposes password information via the configuration backup file.

Description

CWE-200 - Information Exposure

The Netgear ProSafe Plus Configuration Utility provides a feature to back up the switch configuration. In the resulting backup file, the device password is stored in plaintext and is directly readable by anyone who can open the file.


Impact

An unauthenticated attacker with access to the configuration backup file may be able to retrieve the administrative password to the device.


Solution

The CERT/CC is currently unaware of a practical solution to this problem.


Network administrators choosing to use configuration backup files should ensure that they are not accessible to unauthorized users.
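As an added example of how an administrator can act on that advice (this is illustrative code written for this note, not a tool from CERT/CC or Netgear), the script below audits a stored backup file for two conditions: file permissions that let users other than the owner read it, and configuration lines whose key names suggest a credential stored unmasked. It can also redact those values before the file is retained. The advisory does not document the backup file format, so the `key=value` layout, the key names in `CREDENTIAL_KEYS`, and the sample backup text are all assumptions made for the example.

```python
import os
import re
import stat
import tempfile
from dataclasses import dataclass, field

# Hypothetical key names: the advisory does not document the backup format,
# so any key=value / key: value line whose key mentions a credential is
# treated as a candidate secret.
CREDENTIAL_KEYS = ("password", "passwd", "pwd", "secret", "community")
KEY_VALUE_RE = re.compile(
    r"^(?P<key>\s*[A-Za-z0-9_.-]+)(?P<sep>\s*[=:]\s*)(?P<value>.+?)\s*$"
)
REDACTED = "<REDACTED>"
POSIX = os.name == "posix"  # file-mode bits are only meaningful on POSIX

# Constructed sample backup for the demo; not a real Netgear export.
SAMPLE_BACKUP = """# constructed sample, not a real Netgear backup
hostname=switch-lab-01
admin_password=hunter2
snmp_community=public
vlan.1.name=default
"""


@dataclass
class Finding:
    path: str
    issues: list = field(default_factory=list)


def _is_credential_key(key):
    lowered = key.strip().lower()
    return any(marker in lowered for marker in CREDENTIAL_KEYS)


def scan_backup_text(text):
    """Return (line_number, key) for every credential that is stored unmasked."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = KEY_VALUE_RE.match(line)
        if not match:
            continue
        key, value = match.group("key").strip(), match.group("value")
        # A value that is the redaction marker, or only '*', is already masked.
        if _is_credential_key(key) and value != REDACTED and value.strip("*"):
            hits.append((lineno, key))
    return hits


def redact_backup_text(text):
    """Replace every credential value with a fixed marker, keeping other lines intact."""
    out = []
    for line in text.splitlines():
        match = KEY_VALUE_RE.match(line)
        if match and _is_credential_key(match.group("key")):
            out.append(match.group("key") + match.group("sep") + REDACTED)
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def check_permissions(path):
    """Flag a backup that users other than its owner can read."""
    if not POSIX:
        return []
    mode = os.stat(path).st_mode
    issues = []
    if mode & stat.S_IRGRP:
        issues.append("group-readable")
    if mode & stat.S_IROTH:
        issues.append("world-readable")
    return issues


def audit_backup(path):
    """Combine the permission check and the content scan into one finding."""
    finding = Finding(path)
    finding.issues.extend(check_permissions(path))
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    for lineno, key in scan_backup_text(text):
        finding.issues.append(f"plaintext credential '{key}' at line {lineno}")
    return finding


def demo():
    """Write the constructed backup carelessly, audit it, remediate, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "switch-backup.cfg")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_BACKUP)
        os.chmod(path, 0o644)  # world-readable, as a careless copy might be
        before = audit_backup(path)
        # Remediation: owner-only access and redacted credentials before retention.
        os.chmod(path, 0o600)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(redact_backup_text(SAMPLE_BACKUP))
        after = audit_backup(path)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before remediation:", before.issues)
    print("after remediation: ", after.issues)
```

Redacting the stored copy is a trade-off: the file can no longer be restored without re-entering the credential, which is usually the right choice for a backup that may leave the administrator's workstation. Where the unredacted copy must be kept, the permission check alone still catches the most common way such a file ends up exposed.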


Vendor Information

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Netgear, Inc.| | 25 Jul 2014| 02 Sep 2014

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 2.9 | AV:A/AC:M/Au:N/C:P/I:N/A:N
Temporal | 2.8 | E:F/RL:U/RC:C
Environmental | 2.0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • <http://kb.netgear.com/app/answers/detail/a_id/12048/~/prosafe-plus-switches-faq>
  • <http://cwe.mitre.org/data/definitions/200.html>

Credit

This document was written by Joel Land.

Other Information

  • CVE IDs: CVE-2014-4864
  • Date Public: 08 Sep 2014
  • Date First Published: 08 Sep 2014
  • Date Last Updated: 08 Sep 2014
  • Document Revision: 13