Netgear has released a swathe of security and firmware updates for its JGS516PE Ethernet switch after researchers from NCC Group discovered 15 vulnerabilities in the device – including an unauthenticated remote code execution flaw.
Alongside that critical flaw, the switch is vulnerable to nine high-severity vulns and a further five medium-rated ones, said NCC Group IT security consultant Manuel Ginés Rodriguez in a damning blog post about his findings.
The critical vuln, an RCE (CVE-2020-26919), came about because firmware versions prior to 2.6.0.43 "failed to correctly implement access controls in one of its endpoints, allowing unauthenticated attackers to bypass authentication and execute actions with administrator privileges."
Rodriguez wrote that from the switch's default login.html page "every section... could be used as a valid endpoint to submit POST requests being the action defined by the submitId argument." Because the access check was tied to the page being requested rather than to the action being performed, anyone who could reach the login page could trigger administrator-level actions, including executing system commands, without logging in.
This opens the door for a malicious person to hijack your switch, perhaps installing malware on it to silently man-in-the-middle the traffic passing through it. Small wonder NCC gave it a CVSSv3 score of 9.8, almost at the highest severity of 10.0.
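The pattern behind the bypass is a page-level check bolted onto an action-level dispatcher. The following is an added illustration written for this piece, not code from the switch firmware or from NCC Group: the action names, the session layout and the list of public pages are assumptions, and the real device's submitId numbering is not reproduced. The vulnerable dispatcher asks whether the requested page needs a login and then runs whatever action submitId names; the fixed one authorises the action itself, whichever endpoint it arrived on.

```python
"""Function-level access control, the pattern behind CVE-2020-26919.

Added example for illustration, not code from the switch firmware or from
NCC Group. The action names, session layout and page list are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    method: str = "GET"
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


# Hypothetical submitId values mapped to (required privilege, handler).
# The real device's numbering is not reproduced here.
ACTIONS = {
    "login": ("public", lambda req: "login form processed"),
    "reboot": ("admin", lambda req: "rebooting"),
    "set_password": ("admin", lambda req: "admin password changed"),
}

PUBLIC_PAGES = {"/login.html"}


def vulnerable_dispatch(req: Request) -> str:
    """Gate on the *page*, then run whatever action submitId names.

    /login.html is public, so a POST there carrying submitId=reboot is
    never asked for a session: the login page is a valid endpoint for
    every action, which is what the advisory describes.
    """
    if req.path not in PUBLIC_PAGES and not req.session.get("admin"):
        return "redirect:/login.html"
    action = req.form.get("submitId")
    if req.method == "POST" and action in ACTIONS:
        return ACTIONS[action][1](req)
    return "render " + req.path


def fixed_dispatch(req: Request) -> str:
    """Authorise the *action* itself, whichever endpoint it arrived on."""
    action = req.form.get("submitId")
    if req.method == "POST" and action in ACTIONS:
        required, handler = ACTIONS[action]
        if required == "admin" and not req.session.get("admin"):
            return "403 forbidden"
        return handler(req)
    if req.path not in PUBLIC_PAGES and not req.session.get("admin"):
        return "redirect:/login.html"
    return "render " + req.path


def demo() -> dict:
    """The same unauthenticated POST to the login page, against both dispatchers."""
    attack = Request("/login.html", "POST", {"submitId": "reboot"})
    admin = Request("/index.html", "POST", {"submitId": "reboot"}, {"admin": True})
    return {
        "vulnerable": vulnerable_dispatch(attack),
        "fixed": fixed_dispatch(attack),
        "fixed_admin": fixed_dispatch(admin),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name + ": " + result)
```

The lesson generalises beyond this switch: if a single parameter selects the privileged operation, the privilege check has to live next to that operation, because any URL that reaches the dispatcher becomes an endpoint for it.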
On top of that, a TFTP server active by default on the device permitted the upload and execution of unsigned firmware updates (CVE-2020-35220), allowing anyone who could reach the switch to push a potentially malicious image to it without needing the RCE vuln at all.
"The uploaded file is being written directly into the image partition, overwriting the previous information before being validated," noted Rodriguez.
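A practitioner's first question is whether the switch in the rack actually answers write requests on UDP/69. The probe below is an added example, not a tool from NCC Group or Netgear: it speaks plain RFC 1350 TFTP, sends a write request (WRQ) for a harmless, hypothetical filename, classifies the first reply, and then aborts with an ERROR packet so no data block is ever sent. A server that answers ACK block 0 is prepared to take an upload from anyone on the segment. The stub server included in the block is a constructed stand-in so the code runs offline; the hostname, filename and timeouts are assumptions.

```python
"""Does a TFTP service acknowledge an unauthenticated write request?

Added example, not part of the NCC Group advisory or Netgear's tooling.
It sends a WRQ for a hypothetical filename, classifies the first reply,
then aborts with an ERROR packet so nothing is written.
"""
import socket
import struct
import threading

TFTP_PORT = 69
OP_WRQ, OP_ACK, OP_ERROR = 2, 4, 5


def build_wrq(filename: str, mode: str = "octet") -> bytes:
    return struct.pack("!H", OP_WRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", OP_ACK, block)


def build_error(code: int, message: str) -> bytes:
    return struct.pack("!HH", OP_ERROR, code) + message.encode() + b"\0"


def classify_reply(data: bytes) -> str:
    """Turn the server's first packet into a verdict."""
    if len(data) < 4:
        return "malformed"
    opcode, arg = struct.unpack("!HH", data[:4])
    if opcode == OP_ACK and arg == 0:
        return "accepts-write"
    if opcode == OP_ERROR:
        message = data[4:].split(b"\0")[0].decode(errors="replace")
        return "refused (" + message + ")"
    return "unexpected opcode %d" % opcode


def probe_tftp_write(host: str, port: int = TFTP_PORT,
                     filename: str = "probe-does-not-exist.bin",
                     timeout: float = 2.0) -> str:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_wrq(filename), (host, port))
        try:
            data, peer = sock.recvfrom(516)
        except OSError:            # timeout or ICMP unreachable: nothing listening
            return "no-response"
        verdict = classify_reply(data)
        # Real servers answer from a fresh transfer port; abort there so no
        # data block is ever sent and the server discards the transfer.
        sock.sendto(build_error(0, "probe aborted"), peer)
        return verdict


def run_stub_server(behaviour: str) -> int:
    """Constructed stand-in for a switch's TFTP service, for offline use.

    behaviour="open" ACKs any WRQ (unauthenticated upload allowed);
    behaviour="closed" refuses with an access-violation ERROR.
    Returns the loopback port it listens on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(5.0)
    port = srv.getsockname()[1]

    def serve():
        try:
            _, peer = srv.recvfrom(516)
            reply = build_ack(0) if behaviour == "open" else build_error(2, "Access violation")
            srv.sendto(reply, peer)
            srv.recvfrom(516)      # consume the client's abort
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], probe_tftp_write(sys.argv[1]))
    else:
        for mode in ("open", "closed"):
            print(mode, "stub:", probe_tftp_write("127.0.0.1", run_stub_server(mode)))
```

Two caveats when you point it at real kit. TFTP has no authentication by design, so "accepts-write" on any device is a finding only in combination with what happens to the file afterwards; the problem here is that the daemon is on by default and, per Rodriguez, the image is committed to the partition before it is checked. And an ACK followed by an immediate abort leaves an incomplete transfer behind, so run it against a test unit first if you are unsure how the device handles a zero-block upload.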
Netgear did not respond to a request for comment. The company has form for its product lines containing multiple severe vulnerabilities, as The Register found last year when Netgear decided it wouldn't update the firmware for a swathe of vulnerable small office/home office routers – even though researchers had published live proof-of-concept code for exploits targeting the 40 devices.
In the company's defence, it has published firmware updates for the JGS516PE switch on its website. The current version is 2.6.0.48.
The firm, whose good reputation has taken a bit of a bashing in recent years, also came under fire from customers last year after they discovered that its latest managed switches do not offer access to the full user interface unless you register them through the Netgear Cloud. ®