Netgear Smart Switches Open to Complete Takeover
Quote: Three severe Netgear vulnerabilities, codenamed Demon’s Cries, Draconian Fear and Seventh Inferno by the researcher that found them, affect 20 of the company’s managed smart switches and could allow an attacker to take them over.
 
The bugs were patched on Friday with zero technical details made available, but the researcher has now released more details on the first two. Details on the third, Seventh Inferno, will be published after Sept. 13, he said. Netgear tracks the bugs as PSV-2021-0140, PSV-2021-0144 and PSV-2021-0145, but CVEs are pending for all three.
 
If exploited, the gear could allow cyberattackers to gain administrative privileges and completely take over the device, gaining the ability to disrupt corporate communications as well as to pivot to move laterally throughout an enterprise network.
 
The Demon’s Cries bug carries a CVSS severity-rating score of 8.8, making it high severity.
 
According to the researcher, who goes by “Gynvael Coldwind,” an exploit would allow an authentication bypass, resulting in the attacker accessing an admin’s password and achieving full compromise of the device.
 
The researcher said that the issue exists within the Netgear Switch Discovery Protocol (NSDP), which is implemented by the sqfs/bin/sccd daemon (hence the flaw’s name).
 
“The protocol itself is UDP-based and each datagram consists of a 32-byte header, followed by a Type/Length/Value chain, with each TLV consisting of a four-byte header (two bytes Type, two bytes Length), followed by the Value bytes,” Coldwind explained in his posting, issued Monday.

Read more: Netgear Smart Switches Open to Complete Takeover | Threatpost
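The datagram layout Coldwind describes in the quoted article (a 32-byte header followed by a Type/Length/Value chain), shown as a bounds-checked parser. This is an added example, not part of the original post and not Netgear's code. Big-endian field order, treating the header as opaque bytes, and the sample type numbers and values are assumptions; the article does not state them.

```python
import struct

HEADER_LEN = 32      # per the article: fixed 32-byte header
TLV_HEADER_LEN = 4   # per the article: 2-byte Type + 2-byte Length


class MalformedDatagram(ValueError):
    """The datagram does not fit the header + TLV chain layout."""


def parse_datagram(data: bytes):
    """Return (header_bytes, [(type, value), ...]) or raise MalformedDatagram."""
    if len(data) < HEADER_LEN:
        raise MalformedDatagram("shorter than the 32-byte header")
    header, body = data[:HEADER_LEN], data[HEADER_LEN:]
    tlvs, offset = [], 0
    while offset < len(body):
        if len(body) - offset < TLV_HEADER_LEN:
            raise MalformedDatagram(f"truncated TLV header at body offset {offset}")
        # Assumption: fields are big-endian (network byte order).
        tlv_type, length = struct.unpack_from(">HH", body, offset)
        offset += TLV_HEADER_LEN
        # Never trust the declared Length beyond what was actually received.
        if length > len(body) - offset:
            raise MalformedDatagram(
                f"TLV type 0x{tlv_type:04x} declares {length} bytes, "
                f"only {len(body) - offset} remain")
        tlvs.append((tlv_type, body[offset:offset + length]))
        offset += length
    return header, tlvs


def build_datagram(header: bytes, tlvs) -> bytes:
    """Serialise the same layout; used here only to construct sample input."""
    if len(header) != HEADER_LEN:
        raise ValueError("header must be exactly 32 bytes")
    return header + b"".join(
        struct.pack(">HH", t, len(v)) + v for t, v in tlvs)


# Constructed sample: zeroed header, made-up type numbers and values.
SAMPLE_TLVS = [(0x0001, b"switch-01"), (0x0002, b""), (0x0003, b"\x00\x01")]
SAMPLE = build_datagram(bytes(HEADER_LEN), SAMPLE_TLVS)

if __name__ == "__main__":
    print(parse_datagram(SAMPLE))
    try:
        parse_datagram(SAMPLE[:-1])   # last Value one byte short
    except MalformedDatagram as exc:
        print("rejected:", exc)
```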

