According to the vendor, Netgear ProSafe is a cost-effective line of smart switches for Small and Medium Businesses (SMBs). The products cover an essential set of network features and easy-to-use web-based management. Power over Ethernet (PoE) and Stacking versions are also available.
A range of ProSafe switches are affected by two different vulnerabilities: CVE-2013-4775: Unauthenticated startup-config disclosure. CVE-2013-4776: Denial of Service vulnerability.
GS724Tv3 and GS716Tv2 - firmware 220.127.116.11 GS724Tv3 and GS716Tv2 - firmware 18.104.22.168 GS748Tv4 - firmware 22.214.171.124 GS510TP - firmware 126.96.36.199 GS752TPS and GS728TPS - firmware 188.8.131.52 GS728TS and GS725TS - firmware 184.108.40.206 GS752TXS and GS728TXS - firmware 220.127.116.11
GS724Tv3 and GS716Tv2 - firmware 18.104.22.168 GS724Tv3 and GS716Tv2 - firmware 22.214.171.124 GS748Tv4 - firmware 126.96.36.199 GS510TP - firmware 188.8.131.52
The list below describes the vulnerabilities discovered in the affected software.
4.1 CVE-2013-4775: Unauthenticated startup-config disclosure
The web management application fails to restrict URL access to different application areas. Remote, unauthenticated attackers could exploit this issue to download the device’s startup-config, which contains administrator credentials in encrypted form.
[Proof of Concept] The vulnerability can be exploited with a simple HTTP (GET) request. Open a browser and visit http://Target-IP/filesystem/startup-config
4.2 CVE-2013-4776: Denial of Service vulnerability
The affected products are prone to a Denial of Service vulnerability. Remote, unauthenticated attackers could exploit this issue to cause a switch reboot or crash, resulting in a loss of network connectivity for all devices connected to the switch.
[Proof of Concept] The vulnerability can be exploited with a simple HTTP (GET) request. Open a browser and visit http://Target-IP/filesystem/
Implementation of a Proof of Concept for both vulnerabilities can be found here: http://www.encripto.no/tools/netgear-prosafe-PoC.tar.gz
No firmware updates or fixes have been released yet. As a mitigation, the vendor recommends configuring a separate management VLAN and configure access control via “Security::Access::Access Control” or “Security::ACL::Advanced::IP Extended Rules”.
The vulnerabilities were originally discovered in a GS724Tv3 device, by Juan J. Gьelfo at Encripto AS. E-mail: post [at] encripto [dot] no Web: http://www.encripto.no
Special thanks to Maarten Hoogcarspel and the Netgear Support Team for verifying other switch models, and considering possible fixes.
For more information about Encripto’s research policy, please visit http://www.encripto.no/forskning/
The material presented in this document is for educational purposes only. Encripto AS cannot be responsible for any loss or damage carried out by any technique presented in this material. The reader is the only one responsible for applying this knowledge, which is at his / her own risk. Any of the trademarks, service marks, collective marks, design rights, personality rights or similar rights that are mentioned, used or cited in this document is property of their respective owners.