Netgear Management System Exploits Release

Wednesday, February 10, 2016 @ 03:02 PM gHale

Exploits are available for Netgear’s ProSAFE NMS300 network management system.

The goal for Netgear’s ProSAFE NMS300 Management System is to make it easy for administrators to monitor and manage their networks from a web-based interface.

Agile Information Security researcher Pedro Ribeiro discovered the product suffers from a vulnerability that allows a remote, unauthenticated attacker to upload an arbitrary file to the system. The uploaded file is available in the server’s root directory at http://:8080/null and it gets executed with system privileges.

This remote code execution vulnerability is CVE-2016-1524 and has a CVSS score of 8.3. It can be exploited by sending a specially crafted POST request to one of two Java servlets found in default NMS300 installations.

Another flaw identified by Ribeiro is a directory traversal (CVE-2016-1525) that allows an authenticated attacker to download any file from the system. The vulnerability can be exploited by loading an arbitrary file from the server host to a predictable location in the web service, from where it can be downloaded, according to the CERT Coordination Center at Carnegie Mellon University.

Ribeiro reported his findings to Netgear via CERT/CC in early December; however, the vendor has yet to release a patch. The expert has published Metasploit modules for the vulnerabilities.

Until a patch becomes available, users should ensure the web management interface of NMS300 is not exposed to the Internet or untrusted networks.
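While the interim mitigation is in place, access logs can show whether the interface is still answering untrusted clients and whether anyone has requested the `/null` location described above. The following is an added example, not code from Ribeiro, CERT/CC or Netgear; it assumes Common Log Format access logs and a hypothetical management network, and its sample lines are constructed.

```python
import ipaddress
import re

# Assumptions: access logs are in Common Log Format and MGMT_NETS is the
# (hypothetical) network allowed to reach the NMS300 web interface.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                 r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines, not real traffic; the POST path is a placeholder
# because the article does not name the affected servlets.
SAMPLE_LOG = """\
10.20.0.5 - admin [10/Feb/2016:09:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 5120
198.51.100.7 - - [10/Feb/2016:09:02:10 +0000] "POST /placeholderServlet HTTP/1.1" 200 12
198.51.100.7 - - [10/Feb/2016:09:02:11 +0000] "GET /null HTTP/1.1" 200 0
10.20.0.5 - admin [10/Feb/2016:09:05:00 +0000] "GET /null HTTP/1.1" 404 0
not a log line
"""

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on a hostname
    return any(addr in net for net in MGMT_NETS)

def review(log_text):
    """Return (line_no, client, tag, status) tuples for an analyst to triage."""
    findings, posted = [], set()
    for n, line in enumerate(log_text.splitlines(), 1):
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not CLF
        ip, status = m["ip"], int(m["status"])
        path = m["path"].split("?", 1)[0]
        try:
            outside = not is_trusted(ip)
        except ValueError:
            continue
        if outside:
            # The interface answered a client it should never be reachable from.
            findings.append((n, ip, "untrusted-client", status))
            if m["method"] == "POST":
                posted.add(ip)
        if path == "/null":
            # /null is where the article says an uploaded file becomes available.
            tag = "null-after-post" if ip in posted else "null-request"
            findings.append((n, ip, tag, status))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

A `null-after-post` hit from an untrusted client is the pattern to triage first; a `null-request` from a management host may be benign but is still worth a look.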

Netgear was not immediately available for comment.