Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Netgear Smart Switches Open to Complete Takeover
#1
Information 
Quote:Three severe Netgear vulnerabilities, codenamed Demon’s Cries, Draconian Fear and Seventh Inferno by the researcher that found them, affect 20 of the company’s managed smart switches and could allow an attacker to take them over.
 
The bugs were patched on Friday with zero technical details made available, but the researcher has now released more details on the first two. Details on the third, Seventh Inferno, will be published after Sept. 13, he said. Netgear tracks the bugs as PSV-2021-0140, PSV-2021-0144 and PSV-2021-0145, but CVEs are pending for all three.
 
If exploited, the gear could allow cyberattackers to gain administrative privileges and completely take over the device, gaining the ability to disrupt corporate communications as well as to pivot to move laterally throughout an enterprise network.
 
The Demon’s Cries bug carries a CVSS severity-rating score of 8.8, making it high severity.
 
According to the researcher, who goes by “Gynvael Coldwind,” an exploit would allow an authentication bypass, resulting in the attacker accessing an admin’s password and achieving full compromise of the device.
 
The researcher said that the issue exists within the Netgear Switch Discovery Protocol (NSDP), which is implemented by the sqfs/bin/sccd daemon (hence the flaw’s name).
 
“The protocol itself is UDP-based and each datagram consists of a 32-byte header, followed by a Type/Length/Value chain, with each TLV consisting of a four-byte header (two bytes Type, two bytes Length), followed by the Value bytes,” Coldwind explained in his posting, issued Monday.

Read more: Netgear Smart Switches Open to Complete Takeover | Threatpost
[-] The following 1 user says Thank You to silversurfer for this post:
  • harlan4096
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
AWZ Screen Recorder
AWZ Screen Recorder ...zevish — 11:05
Website X5 Go 2024.1
Website X5 Go 2024.1...zevish — 09:32
Apple's rules to allow third-party app ...
Apple has announ...alison30 — 09:28
Intel: Microsoft AI PCs need a Copilot K...
Microsoft hopes th...harlan4096 — 08:55
Synchredible 8 Professional Edition v8.2...
          Synchredib...zevish — 08:54

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
No upcoming birthdays.

[-]
Online Staff
There are no staff members currently online.

>