Netgear Smart Switches has a critical flaw, earlier the company fixed two reported critical vulnerabilities that bad actors could use to potentially execute malicious code and take control of vulnerable devices.
Gynvael Coldwind, a Google security engineer, reported the flaws to the networking, storage, and security solutions provider. Dubbed as “Seventh Inferno” (CVSS score: 9.8) — is part of a trio of security weaknesses, called Demon’s Cries (CVSS score: 9.8) and Draconian Fear (CVSS score: 7.8). The disclosure comes weeks after NETGEAR released patches to address these vulnerabilities on September 3.
Bad actors can end up exploiting the Demon’s Cries and Draconian Fear to grant a malicious party the ability to change the administrator password without having to know the previous password or hijack the session bootstrapping information, going onto compromising the entire device.
Coldwin in a post sharing technical specifics about Seventh Inferno said the flaw related to a newline injection flaw in the password field during Web UI authentication. This effectively enables the attacker to create fake session files to combine it with a reboot Denial of Service (DoS) and a post-authentication shell injection. This enables them to get a full valid session and execute any code as the root user, thereby leading to full device compromise.
The bad actors are able to use the reboot technique designed to reboot the switch by exploiting the newline injection to write “2” into three different kernel configurations —
[callout bg=’#c4c4c4′ radius=’5′ radius=’18’]”/proc/sys/vm/panic_on_oom,” “/proc/sys/kernel/panic,”
This causes the device to compulsorily shut down and restart due to kernel panic when all the available RAM is consumed upon uploading a large file over HTTP.
Coldwin further said, “This vulnerability and exploit chain is actually quite interesting technically. In short, it goes from a newline injection in the password field, through being able to write a file with constant uncontrolled content of ‘2’ (like, one byte 32h), through a DoS and session crafting (which yields an admin web UI user), to an eventual post-auth shell injection (which yields full root).”
List of models impacted by the three vulnerabilities
- GC108P (fixed in firmware version 18.104.22.168)
- GC108PP (fixed in firmware version 22.214.171.124)
- GS108Tv3 (fixed in firmware version 126.96.36.199)
- GS110TPP (fixed in firmware version 188.8.131.52)
- GS110TPv3 (fixed in firmware version 184.108.40.206)
- GS110TUP (fixed in firmware version 220.127.116.11)
- GS308T (fixed in firmware version 18.104.22.168)
- GS310TP (fixed in firmware version 22.214.171.124)
- GS710TUP (fixed in firmware version 126.96.36.199)
- GS716TP (fixed in firmware version 188.8.131.52)
- GS716TPP (fixed in firmware version 184.108.40.206)
- GS724TPP (fixed in firmware version 220.127.116.11)
- GS724TPv2 (fixed in firmware version 18.104.22.168)
- GS728TPPv2 (fixed in firmware version 22.214.171.124)
- GS728TPv2 (fixed in firmware version 126.96.36.199)
- GS750E (fixed in firmware version 188.8.131.52)
- GS752TPP (fixed in firmware version 184.108.40.206)
- GS752TPv2 (fixed in firmware version 220.127.116.11)
- MS510TXM (fixed in firmware version 18.104.22.168)
- MS510TXUP (fixed in firmware version 22.214.171.124)