CERTVU:396212
Sep 08, 2014 - 12:00 a.m.

Netgear ProSafe Plus Configuration Utility writes out plaintext passwords to backup configuration files

2014-09-08 00:00:00
www.kb.cert.org
CVSS2: 3.3 (AV:A/AC:L/Au:N/C:P/I:N/A:N)

Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

EPSS: 0.003 (Percentile: 70.5%)

Overview

The Netgear ProSafe Plus Configuration Utility exposes password information via the configuration backup file.

Description

**CWE-200 - Information Exposure**

The Netgear ProSafe Plus Configuration Utility provides a feature to back up switch configuration. In the backup file, the device password is clearly visible in plaintext.


Impact

An unauthenticated attacker with access to the configuration backup file may be able to retrieve the administrative password to the device.


Solution

The CERT/CC is currently unaware of a practical solution to this problem.


Network administrators choosing to use configuration backup files should ensure that they are not accessible to unauthorized users.
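
For administrators acting on this advice, the following added example (not code from CERT/CC or Netgear) scans a directory of stored backups for files that contain a known device password in plaintext and notes whether each is readable beyond its owner. The file names, file contents, password and the two byte encodings searched are constructed assumptions; the advisory does not describe the backup format.

```python
import os
import stat
import tempfile
from pathlib import Path

def audit_backups(root, secret, max_bytes=16 * 1024 * 1024):
    """List files under root that contain secret in plaintext (never prints it)."""
    if not secret:
        raise ValueError("secret must be non-empty")
    # Assumption: a plaintext password appears as UTF-8/ASCII or UTF-16LE bytes.
    needles = {"utf-8": secret.encode("utf-8"),
               "utf-16le": secret.encode("utf-16-le")}
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        info = path.stat()
        if info.st_size > max_bytes:
            continue  # skip files too large to be a switch backup
        data = path.read_bytes()
        for name, needle in needles.items():
            offset = data.find(needle)
            if offset != -1:
                findings.append({
                    "file": path.name,
                    "encoding": name,
                    "offset": offset,
                    # POSIX mode bits; on Windows review the file's ACL instead.
                    "readable_by_others": bool(
                        info.st_mode & (stat.S_IRGRP | stat.S_IROTH)),
                })
                break
    return findings

def demo():
    """Run the audit over constructed files (not the real backup format)."""
    secret = "Sw1tch-Demo!"  # constructed password
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "a_switch.cfg": (b"\x00\x10CFG\x00" + secret.encode() + b"\x00", 0o644),
            "b_switch.cfg": (b"\xff\xfe" + secret.encode("utf-16-le"), 0o600),
            "c_notes.txt": (b"no credentials here", 0o644),
        }
        for name, (blob, mode) in samples.items():
            target = Path(tmp) / name
            target.write_bytes(blob)
            os.chmod(target, mode)
        return audit_backups(tmp, secret)
```

Any file reported with `readable_by_others` set is a backup that both holds the password and is reachable by other accounts, which is the combination the advisory warns against.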


Vendor Information

Netgear, Inc. Affected

Notified: July 25, 2014 Updated: September 02, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

| Group | Score | Vector |
|---|---|---|
| Base | 2.9 | AV:A/AC:M/Au:N/C:P/I:N/A:N |
| Temporal | 2.8 | E:F/RL:U/RC:C |
| Environmental | 2.0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |

Acknowledgements

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2014-4864
Date Public: 2014-09-08 Date First Published:
