Cybersecurity firm Flashpoint has identified vulnerabilities in Netgear’s NMS300 ProSAFE network management system that can enable attackers to access cleartext credentials and escalate privileges. The tool is a web-based interface used for network device management and operates through TCP port 8080.
It provides administrator accounts and operator and observer account roles. An attacker with observer access can gain administrator access to devices via the vulnerabilities identified by Flashpoint.
The company discovered that when the “User management” tab is accessed, the system sends two requests, one to initiate the page and another to retrieve user information to populate the page.
By exploiting this vulnerability, an attacker with access to a low-privileged account can retrieve the credentials for administrator accounts and log in to the web-based management interface, providing them with access to all managed devices.
The second issue is due to insufficient checks to determine the permissions of a user accessing the “User management” tab. An attacker can bypass restrictions by sending crafted requests to change the password of an administrator account and then log in to the system using the modified credentials. Flashpoint has also identified known vulnerabilities in multiple third-party components used in the Netgear ProSAFE network management system, including older versions of MySQL Server, Apache Log4J, and Apache Tomcat.
Flashpoint has contacted Netgear’s support team to report the identified vulnerabilities, but the vendor failed to provide a viable security contact, directing the researchers to toll-free numbers to the business support team instead. Flashpoint recommends that customers consider not using this product in production environments or alternatively restrict any untrusted access to systems running the product.
