NETGEAR Patches Vulnerability
Thursday, September 10, 2015 @ 04:09 PM gHale
NETGEAR released a firmware update to address a hole in its WMS5316 ProSafe 16AP Wireless Management System.
Exploiting the vulnerability could result in authentication bypass and privilege escalation.
Elliott Lewis of Reinforce Services discovered the hole in April and disclosed it to the vendor.
The vulnerability affects all WMS5316 ProSafe 16AP Wireless Management System devices running firmware version 22.214.171.124 (Build 1236), but there is a possibility other firmware releases could also suffer from the issue. Firmware version 2.1.5 includes a fix for the flaw.
NETGEAR confirmed it discovered the vulnerability in other products as well, but did not offer more details on the matter.
The process of exploiting the flaw to bypass the authentication process and escalate privileges is a rather simple one, given it only requires an attacker to include the “&” symbol anywhere in the password value in the login request.
It appears the system automatically accepts the provided credentials and offers access to the Graphical User Interface, although the account would appear restricted. The attacker can then send a request to add a new administrative user, which is then available for use.
This is not the only way the products can be exploited, the researcher said. An attacker can also “modify the Java code on its way down to a browser to enable all of the admin functions rather than creating a new user.”
This method of bypassing the authentication process also works, which means bad guys do not necessarily need to create a new user to gain access to the affected Wireless Management System. Lewis said the bypass “user” gains full admin access if needed and there are few indicators of compromise.
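Because the article notes there are few indicators of compromise, a defender's best handle is the login request itself. The check below is an added example, not code from the article, NETGEAR or the researcher: it inspects captured login POST bodies for the “&”-in-password pattern described above. The form field names `username` and `password` are assumed, and the sample bodies are constructed.

```python
from urllib.parse import parse_qsl

# Field names a WMS5316-style login form is assumed to carry; the article does
# not give the real names, so adjust to the device's actual login form.
EXPECTED_FIELDS = {"username", "password"}


def login_anomalies(raw_body: str) -> list[str]:
    """Return the reasons a captured login POST body matches the '&'-in-password
    pattern. An empty list means the body looks ordinary."""
    reasons = []
    # Split on '&' without decoding first: a raw '&' inside the password value
    # turns the rest of the password into extra key/value pairs.
    raw_keys = [pair.split("=", 1)[0] for pair in raw_body.split("&")]
    extra = [k for k in raw_keys if k not in EXPECTED_FIELDS]
    if extra:
        reasons.append(f"unexpected form fields after '&'-split: {extra}")
    # Decode properly as well: a percent-encoded %26 still yields '&' in the value.
    fields = dict(parse_qsl(raw_body, keep_blank_values=True))
    if "&" in fields.get("password", ""):
        reasons.append("decoded password contains '&'")
    missing = EXPECTED_FIELDS - set(fields)
    if missing:
        reasons.append(f"missing fields: {sorted(missing)}")
    return reasons


# Constructed sample captures, not real traffic.
SAMPLE_BODIES = {
    "normal":        "username=admin&password=S3cret",
    "raw_ampersand": "username=guest&password=x&y",
    "encoded_amp":   "username=guest&password=x%26y",
}


def scan(bodies=SAMPLE_BODIES) -> dict[str, list[str]]:
    """Run the check over every captured body and keep the findings per capture."""
    return {name: login_anomalies(body) for name, body in bodies.items()}


if __name__ == "__main__":
    for name, reasons in scan().items():
        print(name, "->", reasons or "ok")
```

A flagged login followed by a user-creation request from the same session is the sequence the article describes and is worth alerting on.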
On its support website, NETGEAR said the newly released firmware version 2.1.5 offers a fix for a “security vulnerability where unauthenticated login possible and gain full admin access,” and another for a “security vulnerability where authentication can be bypassed and unauthenticated OS command can be injected.”
Owners of WMS5316 ProSafe 16AP Wireless Management System devices should update them to the latest software version.