Netgear fixed authentication bypass vulnerabilities in its switchboards

Daniel ZimmermannSeptember 8, 2021

0 48 1 minute read

Network equipment manufacturer Netgear has patched three vulnerabilities in several of its switchboard models. Bugs allowed attackers to bypass authentication and completely take control of devices.

The vulnerabilities were codenamed Demon’s Cries, Draconian Fear and Seventh Inferno. They were found by a Polish cybersecurity researcher known as Gynvael Coldwind. The expert has already published a detailed description of the problems and PoC exploits for Demon’s Cries and Draconian Fear on his blog, and the details of the third bug, Seventh Inferno, will be released next Monday, on September 13th.

The most serious of the three problems is considered to be the Demon’s Cries vulnerability, which scored 9.8 out of 10 on the CVSS scale. This vulnerability can be exploited to bypass initial authentication and change the administrator account password on vulnerable switches.

Fortunately, not all switchboards are vulnerable, as the problem was found in the SCC Control web panel (NETGEAR Smart Control Center), which is disabled by default. However, if SCC Control is enabled, the error can lead to a “complete compromise of the device,” warns the researcher.

Initially, the expert tested the bug on Smart Managed Pro Switch Netgear GS110TPV3, but now the device manufacturer has confirmed that Demon’s Cries and Draconian Fear affect other devices, the list of which can be seen below.

GC108P (vulnerabilities fixed in firmware 1.0.8.2)
GC108PP (vulnerabilities fixed in firmware 1.0.8.2)
GS108Tv3 (vulnerabilities fixed in firmware 7.0.7.2)
GS110TPP (vulnerabilities fixed in firmware 7.0.7.2)
GS110TPv3 (vulnerabilities fixed in firmware 7.0.7.2)
GS110TUP (vulnerabilities fixed in firmware 1.0.5.3)
GS308T (vulnerabilities fixed in firmware 1.0.3.2)
GS310TP (vulnerabilities fixed in firmware 1.0.3.2)
GS710TUP (vulnerabilities fixed in firmware 1.0.5.3)
GS716TP (vulnerabilities fixed in firmware 1.0.4.2)
GS716TPP (vulnerabilities fixed in firmware 1.0.4.2)
GS724TPP (vulnerabilities fixed in firmware 2.0.6.3)
GS724TPv2 (vulnerabilities fixed in firmware 2.0.6.3)
GS728TPPv2 (vulnerabilities fixed in firmware 6.0.8.2)
GS728TPv2 (vulnerabilities fixed in firmware 6.0.8.2)
GS750E (vulnerabilities fixed in firmware 1.0.1.10)
GS752TPP (vulnerabilities fixed in firmware 6.0.8.2)
GS752TPv2 (vulnerabilities fixed in firmware 6.0.8.2)
MS510TXM (vulnerabilities are fixed in firmware 1.0.4.2)
MS510TXUP (vulnerabilities are fixed in firmware 1.0.4.2)

The Draconian Fear vulnerability can also be used to bypass authentication, but is considered less serious (7.8 on the CVVS scale). The fact is that this error can only be exploited to intercept the sessions of the logged in administrator and the attack must be carried out from the IP address of this administrator himself.

Let me remind you that we also talked about the fact that 79 Netgear router models contain critical vulnerability, and also that More than 40 Netgear routers will not receive RCE bug patches.

Sending