Feral Terror vulnerability (some NETGEAR smart switches)
2021-05-10 09:12:13 Author: feedproxy.google.com

Name of the vulnerability - Feral Terror - in a red horror-style font on stained black background

TL;DR: If you have any of these NETGEAR managed (smart) switches, you should upgrade your firmware now.

NETGEAR GS110TPv3 switch (photo by NETGEAR)

  • GC108P
  • GC108PP
  • GS108Tv3
  • GS110TPPv1
  • GS110TPv3
  • GS110TUPv1
  • GS710TUPv1
  • GS716TP
  • GS716TPP
  • GS724TPPv1
  • GS724TPv2
  • GS728TPPv2
  • GS728TPv2
  • GS752TPPv1
  • GS752TPv2
  • MS510TXM
  • MS510TXUP

NETGEAR's advisory can be found here: Security Advisory for Pre-Authentication Command Injection Vulnerability on Some Smart Switches.

CVSS, CVE, etc

Some human readable details are in the next section.

  • Vulnerability Codename: Feral Terror
  • Vendor-specific ID: PSV-2021-0071
  • CVE: Not assigned (yet?)
  • CVSS: 8.8 (High), CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Patch Diff Risk: High

Details

Important: Full report will be published on or after May 17th (this post will be updated).

Important: The overall code quality of the firmware is rather bad. Check if your device supports OpenWRT – it's way better than NETGEAR's firmware on these devices.

Due to the Feral Terror vulnerability, a LAN-based attacker can run arbitrary Linux shell commands as root without any authentication.

This means that an attacker who already has a foothold in the LAN (or is an insider) can use Feral Terror either for persistence (i.e. even if they leave the local network, they will still maintain access to the LAN via the hacked switch), or to reconfigure the switch (e.g. relax the VLAN configuration, or set up port mirroring).

While I wasn't able to make this attack a reflected one (i.e. an in-LAN user visits a website; the website uses the user's browser to hack the in-LAN switch) in the limited time I spent on this, I couldn't fully rule it out either, so please upgrade the firmware regardless of whether you're worried about the in-LAN scenario or not.

In case the switch is accessible directly via an Internet IP address, please patch NOW!

See NETGEAR's advisory on how to upgrade the firmware.

Timeline

2021-02-11: Vulnerability discovered. Trying to find a non-bugcrowd security contact point at NETGEAR.
2021-02-12: Reached out to NETGEAR asking where to report.
2021-02-13: Vulnerability reported.
2021-03-19: Communication regarding reporting process.
2021-03-23: Communication regarding reporting process.
2021-03-24: Followed up with models of devices I deemed affected.
2021-05-07: Advisory published on NETGEAR's page.
2021-05-07: Followed up with a question about CVE assignment.
2021-05-10: Publication of this blog post.
2021-05-17: [Tentative] Publication of detailed report.

FAQ

What's up with that vulnerability name?
Please assume it's a mix of my sense of humor and a tongue-in-cheek satire on naming vulnerabilities :). The name was generated using the Metal Band Name Generator.
On the flip side - if more people patch thanks to a vulnerability having a funny/scary name, then I'm all for it!

How bad is Feral Terror?
It's one step short of critical if you own one of these devices. The thing that dampens the damage is that these switches are usually located inside a LAN, so widespread Internet attacks are unlikely. That being said, in case there is a way for an attacker to send a packet directly or indirectly to the switch, it would give them stable and immediate code execution with full privileges. My advice would be to upgrade the firmware regardless, just in case.

What will the report published on 17th May contain?
It will be the original report I've sent to NETGEAR that includes precise details of the vulnerability and a PoC exploit.

How likely is it that adversaries already have an exploit for this vulnerability?
Sadly quite likely, both because it was pretty trivial to find (a low hanging fruit if you will) and because once the fixed version is available, it's pretty trivial to check what changed and spot the vulnerability. Please upgrade your firmware now.

Why wasn't this vulnerability reported via NETGEAR's BugCrowd bug bounty program?
NETGEAR's BugCrowd bug bounty rules require the reporter to never disclose any details of the vulnerability – even after it's fixed. To put it a different way, it gives the vendor the opportunity to just pay the bounty and then delay fixing the vulnerability for months (or even years), with the researcher not being able to warn the defensive community or suggest workarounds.
Given the above, I do not agree with the terms and conditions of NETGEAR's program on BugCrowd as they deviate from best industry practices. As such, the report was shared with NETGEAR under the industry-standard 90-day policy.
If you're interested in this topic, see also this tweet and this article by J.M. Porup.


Article source: http://feedproxy.google.com/~r/GynvaelColdwindEN/~3/RZxptJNQP7A/