
Networking, storage and security solutions provider Netgear issued patches to address three security vulnerabilities affecting its smart switches that could be abused by an adversary to gain full control of a vulnerable device. Discovered and reported by Google security engineer Gynvael Coldwind, impact the following models –
- GC108P
- GC108PP
- GS108Tv3
- GS110TPP
- GS110TPv3
- GS110TUP
- GS308T
- GS310TP
- GS710TUP
- GS716TP
- GS716TPP
- GS724TPv2
- GS728TPPv2
- GS728TPv2
- GS750E
- GS752TPP
- GS752TPv2
- MS510TXM
- MS510TXUP
The flaws concern an authentication bypass, an authentication hijacking, and a third as-yet-undisclosed vulnerability that could grant an attacker the ability to change the administrator password without actually having to know the previous password or hijack the session bootstrapping information, resulting in a full compromise of the device.
The three vulnerabilities have been given the codenames Demon’s Cries (CVSS score: 9.8), Draconian Fear (CVSS score: 7.8), and Seventh Inferno (TBD). Companies relying on the Netgear switches are recommended to upgrade to the latest version as soon as possible to mitigate any potential exploitation risk.
1 thought on “Authentication Bypass – NetGear Switches”