Netgear has published patches for 20 of its managed smart switches to fix three vulnerabilities that can lead to the switch being taken over by an attacker potentially giving them control over your network.
With names like Demons Cries, Draconian Fear and Seventh Inferno, the vulnerabilities were addressed in patches released by Netgear on 3rd September and technical details of two of the vulnerabilities have been published (with the remaining to be published after 13th September) and Netgear “strongly recommends that you download the latest firmware as soon as possible.”
According to the security advisory from Netgear, the vulnerabilities affect these devices:
GS108Tv3, GS110TPP, GS110TPv3, GS110TUP
GS710TUP, GS716TP, GS716TPP
GS724TPP, GS724TPv2, GS728TPPv2, GS728TPv2
GS750E, GS752TPP, GS752TPv2
CVE have not yet been issued, the vulnerabilities are tracked by Netgear’s own identifiers as: PSV-2021-0140, PSV-2021-0144, PSV-2021-0145.
The most serious vulnerability, dubbed Demons Cries by the researcher who discovered it, could allow an attacker who has access to the network where the switch is installed to send an unauthenticated request that changes the admin password of the device resulting in a full compromise of the device. Devices are vulnerable if the Netgear Smart Control Center has been enabled due to a flaw the authentication validation of the UDP protocol used to remotely manage the switches.
Network devices, often installed out of sight in comms cabinets and wiring closets, need to be patched regularly just like servers and desktop devices.