Netgear’s ProSafe Network Management System suffers from two vulnerabilities, an arbitrary file upload and a path traversal, which could let a remote attacker execute code and download files.
The problems affect the NMS300 product, a web-based system the company manufactures to help users monitor and manage SNMP networked devices. The utility connects to wireless access points, switches, routers, and so on, via the web.
Pedro Ribeiro, a researcher with the London-based firm Agile Information Security dug up the vulnerabilities and worked with CERT/CC to disclose them this week. According to both Ribeiro and CERT, as far as they know there are no fixes to mitigate the issues.
Since CERT’s advisory already disclosed the vulnerabilities, Ribeiro decided to release two Metasploit modules, along with detailed information on the vulnerabilities on Tuesday.
The first issue stems from the fact that in default installations NMS300 has two Java servlets. Unauthenticated users can access these servlets, Ribeiro claims, and if an attacker sent a POST request to them, they could upload files which could then be accessed via the system’s server root directory. This allows an unauthenticated attacker to execute Java code as the SYSTEM user, Ribeiro warns.
With the second issue, the directory traversal vulnerability, an attacker could manipulate the parameter of a POST request to load an arbitrary file, and then download it.
Officials at the company did not immediately respond to a request for comment on Thursday.
The problems affect version 1.5.0.11 and earlier in particular, Ribeiro claims. Both he and CERT/CC are unaware of a workaround and insist there’s not a fix currently available. As a precaution Ribeiro is simply warning users not to expose NMS300 to the internet, or any untrusted networks.
CERT/CC is encouraging users to restrict untrusted sources from accessing the web management interface until a fix is pushed.