Networking, storage and security solutions provider Netgear has issued patches to address three security vulnerabilities affecting its smart switches that could be abused by an adversary to gain full control of a vulnerable device. The flaws, discovered and reported by Google security engineer Gynvael Coldwind, impact the following models –
The flaws consist of an authentication bypass, an authentication hijacking, and a third, as-yet-undisclosed vulnerability that could grant an attacker the ability to change the administrator password without knowing the previous password, or to hijack the session bootstrapping information, resulting in a full compromise of the device.
The three vulnerabilities have been given the codenames Demon’s Cries (CVSS score: 9.8), Draconian Fear (CVSS score: 7.8), and Seventh Inferno (CVSS score: TBD). Organizations relying on the affected Netgear switches are advised to upgrade to the latest firmware version as soon as possible to mitigate the risk of exploitation.