Flashpoint Discloses Details Of A Vulnerability With Netgear’s NMS300 ProSAFE Network Management System

Flashpoint has published research that details a vulnerability in Netgear’s NMS300 ProSAFE Network Management System. Here’s what Flashpoint found:

NETGEAR NMS300 ProSAFE Network Management System provides a web-based management interface for managing devices on the network. By default, the interface listens on port 8080/tcp. Apart from a standard ‘Admin’ role account the interface offers two additional lesser privileged account roles: ‘Operator’ and ‘Observer’. For our analysis, we focused on the least privileged account i.e. ‘Observer’ that per the user manual “can only monitor and view enterprise network functions.”

During analysis, we found various issues with the product. Most notable are the following two vulnerabilities along with the product’s use of old third-party components with publicly known vulnerabilities.

The web-based management interface provides a “User Management” tab for managing user accounts. Users with the “Observer” privilege have access to this tab but can only view information about users i.e. whether the account is active, user name, account type, and various contact details like email address, name, and phone number.

When a user accesses the “User Management” tab two requests are sent. First, a request is sent to initialise the page. Second, another request is sent to populate the page with the user information. The second request is of interest with regard to this vulnerability.

Behind the scenes, a SQL query is made to the MySQL database to retrieve all information stored in the database table containing user details. This is then returned in a JSON response and inserted in the relevant columns on the page. The problem is that as everything stored in the database table is returned, this includes the cleartext passwords for every single account. While this information is not displayed on the page to the user, it can be obtained by simply viewing the JSON data in the HTTP response.

This of course isn’t good. What is worse, Netgear has no fix for this. Flashpoint’s recommendation is for Netgear to EOL the product, as the Flashpoint team found other issues with it that should concern anyone using it.

You can read the research here.
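The pattern Flashpoint describes (every column of the user table serialized into the JSON response) is shown below next to an allow-listed version and a response check a defender can run in tests. This is an added example, not code from Flashpoint or Netgear; the table name, column names, and sample rows are hypothetical, and sqlite3 stands in for the product's MySQL database.

```python
import json
import sqlite3

# Columns the "User Management" page displays; names here are hypothetical.
DISPLAY_COLUMNS = ("active", "user_name", "account_type", "email", "name", "phone")
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token"}

def make_db():
    conn = sqlite3.connect(":memory:")  # stand-in for the MySQL backend
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, active INTEGER, user_name TEXT,"
                 " account_type TEXT, email TEXT, name TEXT, phone TEXT, password TEXT)")
    # Constructed sample rows.
    conn.executemany(
        "INSERT INTO users (active, user_name, account_type, email, name, phone, password)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        [(1, "admin", "Admin", "admin@example.test", "A. Admin", "555-0100", "constructed-pw-1"),
         (1, "viewer", "Observer", "viewer@example.test", "V. Viewer", "555-0101", "constructed-pw-2")])
    return conn

def users_json_overexposed(conn):
    """Pattern described above: serialize every column of every row."""
    rows = conn.execute("SELECT * FROM users ORDER BY id").fetchall()
    return json.dumps({"users": [dict(r) for r in rows]})

def users_json_allowlisted(conn):
    """Corrected pattern: query and serialize only the displayed columns."""
    cols = ", ".join(DISPLAY_COLUMNS)  # fixed constants, never user input
    rows = conn.execute(f"SELECT {cols} FROM users ORDER BY id").fetchall()
    return json.dumps({"users": [{c: r[c] for c in DISPLAY_COLUMNS} for r in rows]})

def find_sensitive_keys(node, path="$"):
    """Walk parsed JSON and return paths whose key looks like a credential field."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.lower() in SENSITIVE_KEYS:
                hits.append(child)
            hits.extend(find_sensitive_keys(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_sensitive_keys(item, f"{path}[{i}]"))
    return hits

if __name__ == "__main__":
    db = make_db()
    print(find_sensitive_keys(json.loads(users_json_overexposed(db))))
    print(find_sensitive_keys(json.loads(users_json_allowlisted(db))))
```

Running `find_sensitive_keys` over captured responses for each role in an integration test catches this class of leak even when the page itself never renders the field.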
