Update: Cert.org corrected its advisory. The GS105PE is affected, not the GS108PE as indicated earlier. The NVD CVE entry still lists the old model number [2].

Yet another hard coded password. This time it's Netgear's Prosafe Switch (GS105PE) running firmware version 1.2.0.5 and earlier [1]. The pre-configured username is "ntgruser" and the password is "debugpassword". If you have any Netgear equipment, it may be worthwhile checking for this username and password even if your device isn't listed as vulnerable. Sadly, at this point there doesn't appear to be a solution to the problem, other than returning the switch to the store and buying another one if you can.

CVE Number: CVE-2014-2969 [2]

[1] http://www.kb.cert.org/vuls/id/143740
Johannes 4475 Posts ISC Handler Jul 8th 2014 |
Jul 8th 2014 7 years ago |
Just another case where calling something "Pro" or "Safe" does not make it so.
Alan 57 Posts |
Jul 8th 2014 7 years ago |
Interesting....
> http://www.netgear.com/business/products/switches/unmanaged-plus/GS108PE.aspx#tab-techspecs
... maybe this is it:
> http://support.netgear.com/product/GS108Ev2
.
PC.Tech 34 Posts |
Jul 8th 2014 7 years ago |
... With corrected model number:
- http://www.netgear.com/business/products/switches/unmanaged-plus/GS105PE.aspx#tab-techspecs
.
- http://support.netgear.com/product/GS105PE
Firmware updt TBD...
.
PC.Tech 34 Posts |
Jul 8th 2014 7 years ago |
I looked at the latest firmware for 5 and 8 port Netgear Prosafe Plus switches (the first part of the file name is the switch type):
- GS105E_V1.02.04.zip
- GS105Ev2_V1.2.0.5.zip
- GS105PE_V1.2.0.5.zip
- GS108EV2_V1.00.12.zip
- GS108PEV2_V1.00.12.zip

Only GS105Ev2 and GS105PE contain the web based credentials ntgruser + debugpassword (firmwares for the other switches do not seem to support web based management).

However, *all* Netgear ProSafe Plus switches can be managed using the "ProSafe Plus Switch Utility" (latest version v2.2.36), which is available for Windows only. As can be read in http://www.linux-magazin.de/Ausgaben/2012/10/Switch (in German), communication between this utility and switch is unencrypted. The utility uses ethernet and IP broadcasts to communicate with the switch, and the switch answers also using broadcasts (this permits configuring regardless of IP-settings, beneficial for inexperienced home users). Older versions of the management software and firmware would send a plain text password for changing settings, while no password is required at all to read settings from the switch.

http://kb.netgear.com/app/answers/detail/a_id/22202/~/prosafe-plus-configuration-utility-v2.2.24 informs us that password encryption is supported since v2.2.24 (this also requires a firmware update on the switch). Unfortunately, as http://www.linux-magazin.de/Blogs/Insecurity-Bulletin/Gastbeitrag-Security-by-Obscurity-bei-Netgear-Switches points out, the password is not really encrypted but XOR obfuscated using a fixed string "NtgrSmartSwitchRock" (which is present in all firmwares mentioned above). The author, Konstantin Agouros, used version 2.2.26 of the utility and a GS105E with firmware V1.02.04. According to the article still no password was required to read switch settings, and broadcasts were still used in both communication directions.

Note: Googling for "NtgrSmartSwitchRock" yields software for managing Prosafe Plus switches from Linux.
Erik van Straten 129 Posts |
Jul 8th 2014 7 years ago |
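The firmware check described in the comment above, written out as an added example (not code from the thread or from Netgear): it scans a downloaded firmware ZIP, including nested archives, for the three strings named on this page. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import zipfile

# Strings the thread reports in the affected firmware images.
INDICATORS = ("ntgruser", "debugpassword", "NtgrSmartSwitchRock")


def scan_blob(data):
    """Return the indicators present in raw bytes (ASCII or UTF-16LE)."""
    return [s for s in INDICATORS
            if s.encode("ascii") in data or s.encode("utf-16-le") in data]


def scan_firmware_zip(zip_bytes, depth=2):
    """Map each archive member to the indicators found in it.

    Nested ZIPs are opened up to `depth` levels because the strings are
    not visible in compressed data.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if depth > 0 and zipfile.is_zipfile(io.BytesIO(data)):
                try:
                    inner = scan_firmware_zip(data, depth - 1)
                except zipfile.BadZipFile:
                    inner = None  # looked like a ZIP but is not; scan raw
                if inner is not None:
                    for name, hits in inner.items():
                        findings[f"{info.filename}!{name}"] = hits
                    continue
            hits = scan_blob(data)
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample_zip(members):
    """Build an in-memory ZIP from {name: bytes}; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    inner = build_sample_zip({"image.bin": b"\x7fHDRntgruser\x00debugpassword\x00"})
    print(scan_firmware_zip(build_sample_zip({"fw.zip": inner})))
```

To audit a real download, pass the file's bytes, for example `scan_firmware_zip(open(path, "rb").read())`; an empty result only means these exact strings were not found in uncompressed form.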