A vulnerability in Netgear-branded ethernet switches could give an attacker full access to the hardware, including the ability to log into the device and execute arbitrary code.
Netgear’s GS108PE Prosafe Plus switches running version 18.104.22.168 are at risk, according to an analyst at CERT/CC’s Vulnerability Notes Database who warned about the issue late last week. The switches contain hard-coded log-in credentials that could make it easy for a remote unauthenticated hacker to log in to the firmware.
The default credentials can be used to authenticate any web server running on the device and give an attacker a multitude of access exploits, according to Chris King, a vulnerability analyst at CERT/CC.
Attackers can modify the device’s serial number and media access control address (MAC address) and set memory to a certain value and extract that value. Through the vulnerability attackers are also given the ability to upload new firmware via the bootcode_update common gateway interface.
While this particular vulnerability was dug up by Marc Olivier Chouinard, a programmer with the Canadian telecommunication firm MocTel, it may be a longstanding issue. According to a FAQ on Netgear.com from 2010, many of Netgear’s devices, including the GS108PE’s, used to have a default password.
A study conducted last summer found thousands of devices hooked up to the internet that use default login credentials, consequently making them vulnerable to any attackers willing to sniff them out.
Plug-and-play ethernet switches such as Netgear’s are used largely by small- and medium-sized businesses to loop network traffic, VoIP phones, and cameras through to their main infrastructure.
The security of devices such as the GS108PE switches, especially those in the networking, telecom and critical infrastructure realm, remains a large issue as there are many types of malware that seek out firmware running with default logins and passwords.
For the time being there doesn’t appear to be a workaround for the Netgear issue. CERT/CC pointed out that it was unaware of a practical solution to the problem when it warned about it last Thursday and email requests for comment to Netgear were not immediately replied to on Monday.