Netgear has released security and firmware updates to address 15 vulnerabilities in its ProSAFE brand JGS516PE Ethernet switch. The company was under high pressure to fix these flaws, as they include an unauthenticated remote code execution (RCE) flaw which experts rate as critical.
Researchers at NCC Group IT discovered the threats. They found that the majority of the vulnerabilities affect the Netgear Switch Management Protocol (NSDP).
Vulnerabilities due to a faulty legacy app
The NSDP is a proprietary protocol that manages the switch configuration. The “Netgear Switch Discovery Tool” and “ProSafe Plus Configuration Utility” software use the NSDP.
Netgear decided to enable NSDP for legacy reasons, to allow existing customers to use ProSafe Plus.
The 15 threats range in severity from Medium to Critical
The most severe flaw is a critical remote code execution flaw, tracked as CVE-2020-26919 with a CVSS v3 score of 9.8. The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS scores range from 0 to 10, with 9.0 and above deemed critical.
The remaining flaws are nine high-severity (7.0 – 8.9) issues and five medium-rated bugs (4.0 – 6.9).
CVE-2020-26919 resides in the switch's internal management web application. It is present in firmware versions prior to 126.96.36.199. Attackers could exploit it to bypass authentication and execute actions with administrator privileges.
The NCC researchers issued a written advisory about the CVE threat. “The switch internal management web application in firmware versions prior to 188.8.131.52 failed to correctly implement access controls in one of its endpoints, allowing unauthenticated attackers to bypass authentication and execute actions with administrator privileges,” they wrote.
Another vulnerability Netgear has addressed is an NSDP authentication bypass, tracked as CVE-2020-35231 with a CVSS v3 score of 8.8. Experts also found an unauthenticated firmware update mechanism, tracked as CVE-2020-35220.
The NCC Group researchers discovered a TFTP server, active by default, with the ability to update the firmware. It could allow external attackers to upload tainted firmware updates without requiring administrative credentials.
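Because the firmware TFTP service accepts uploads without credentials, the practical control on the network side is to watch for (and block) TFTP write requests aimed at the switch's management address. The following detector is an added example, not code from the article, from NCC Group or from Netgear. It parses TFTP request packets using the RFC 1350 layout (2-byte opcode, filename, NUL, mode, NUL) and flags any write request (WRQ) to the switch. The switch address 192.0.2.10 and the packets are constructed sample data, not values from the article.

```python
"""Flag unauthenticated TFTP firmware write attempts against a switch management address.

Added example (not from the article, NCC Group or Netgear). Assumes the switch
management IP given below; all packets are constructed sample data.
"""
import struct
from typing import Iterable, List, NamedTuple, Optional, Tuple

TFTP_PORT = 69
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
VALID_MODES = ("netascii", "octet", "mail")


class TftpRequest(NamedTuple):
    src: str
    dst: str
    opcode: str
    filename: str
    mode: str


def parse_tftp_request(payload: bytes) -> Optional[Tuple[str, str, str]]:
    """Parse an RRQ/WRQ payload (RFC 1350): opcode(2) | filename | 0 | mode | 0.

    Returns (opcode_name, filename, mode) or None for anything that is not a
    well-formed read/write request (DATA, ACK, ERROR, truncated packets).
    """
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (1, 2):
        return None
    parts = payload[2:].split(b"\x00")
    # A complete request splits into filename, mode and an empty trailer after the final NUL.
    if len(parts) < 3:
        return None
    filename = parts[0].decode("ascii", errors="replace")
    mode = parts[1].decode("ascii", errors="replace").lower()
    if mode not in VALID_MODES:
        return None
    return OPCODES[opcode], filename, mode


def find_firmware_uploads(
    packets: Iterable[Tuple[str, str, int, bytes]], switch_ip: str
) -> List[TftpRequest]:
    """Return every TFTP write request (WRQ) addressed to switch_ip on UDP/69.

    Each packet is (src_ip, dst_ip, dst_port, udp_payload); reads (RRQ) and
    data/ack traffic are ignored because only a write can push new firmware.
    """
    hits = []
    for src, dst, dport, payload in packets:
        if dst != switch_ip or dport != TFTP_PORT:
            continue
        parsed = parse_tftp_request(payload)
        if parsed is None:
            continue
        opcode, filename, mode = parsed
        if opcode == "WRQ":
            hits.append(TftpRequest(src, dst, opcode, filename, mode))
    return hits


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Build a constructed RRQ/WRQ payload for the sample data below."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


# Assumed switch management address (RFC 5737 documentation range), not from the article.
SWITCH_IP = "192.0.2.10"

# Constructed sample traffic: one write to the switch, one read, one write elsewhere, one DATA block.
SAMPLE_PACKETS = [
    ("192.0.2.55", SWITCH_IP, 69, build_request(2, "image.bin")),
    ("192.0.2.55", SWITCH_IP, 69, build_request(1, "config.cfg")),
    ("192.0.2.77", "192.0.2.20", 69, build_request(2, "image.bin")),
    ("192.0.2.55", SWITCH_IP, 69, b"\x00\x03\x00\x01" + b"A" * 16),
]

if __name__ == "__main__":
    for hit in find_firmware_uploads(SAMPLE_PACKETS, SWITCH_IP):
        print(f"ALERT: TFTP write to switch {hit.dst} from {hit.src} "
              f"file={hit.filename} mode={hit.mode}")
```

In practice the packet tuples would come from a capture or an IDS feed; the same check maps directly onto a firewall rule that drops UDP/69 toward the switch's management address from anything other than an administrative host, which removes the exposure until the patched firmware is installed.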
Netgear has now published firmware updates for the JGS516PE switch on its website. The latest version of the firmware available for download is 184.108.40.206.