June 7, 2023

Details emerging about a recent critical vulnerability in Netgear smart switches that could be leveraged by an attacker to potentially execute malicious code and take control of vulnerable devices.

The flaw dubbed Seventh Inferno (CVSS score: 9.8) is part of a trio of security weaknesses, called Demon’s Cries (CVSS score: 9.8) and Draconian Fear (CVSS score: 7.8).

Successful exploitation of could grant a malicious party the ability to change the administrator password without actually having to know the previous password or hijack the session bootstrapping info, resulting in a full compromise of the device.

The issue relates to a newline injection flaw in the password field during Web UI authentication, effectively enabling the attacker to create fake session files, and combine it with a reboot (DoS) and a post-authentication shell injection to get a fully valid session and execute any code as root user, thereby leading to full device compromise.

The reboot DoS is a technique designed to reboot the switch by exploiting the newline injection to write “2” into three different kernel configurations “/proc/sys/vm/panic_on_oom,” “/proc/sys/kernel/panic,” and “/proc/sys/kernel/panic_on_oops” in a manner that causes the device to compulsorily shut down and restart due to kernel panic when all the available RAM is consumed upon uploading a large file over HTTP.

Tags:

Leave a Reply

You may have missed

Synk Platform Enhancements

Synk Platform Enhancements

June 7, 2023
Microsoft to comply with LinkedIn GDPR Violation

Microsoft to comply with LinkedIn GDPR Violation

June 7, 2023
Google Fixes Third Chrome Zeroday

Google Fixes Third Chrome Zeroday

June 6, 2023
Moveit Attributed to Lace Tempest

Moveit Attributed to Lace Tempest

June 6, 2023
Byte Code Bites PYPI

Byte Code Bites PYPI

June 5, 2023
Enzo Biochem Suffers a Data Breach

Enzo Biochem Suffers a Data Breach

June 5, 2023
%d bloggers like this: