An authentication bypass in NSDP on the Netgear ProSafe GS105Ev2 gigabit switch is possible due to a password reset vulnerability.
NSDP is the proprietary Netgear Switch Discovery Protocol which manages and configures switches. The configuration is supposed to be password protected but a security researcher claims to have discovered that the authentication process can be bypassed if an attacker has access to the broadcast domain.
Benedikt Westermann, posting on Full Disclosure, gave it a CVSS score of 8.3 because of the authentication bypass. He said the vulnerability would enable an attacker to modify the configuration or flash another firmware to the switch.
NSDP is a stateless protocol. It is possible by sending a specially constructed packet to port 63322 at the IP of the switch to change the password to “test”.
The password portion of the packet has to be encrypted by XORing the password with the string “NtgrSmartSwitchRock” – if the password is longer than the secret, the secret is used again, Westermann said.
Following acknowledgement of a successful password reset, the attacker can access the configuration via /login.cgi or /loginhidden.cgi.
Westermann warned that the so-called encryption scheme for the password is broken: “The encryption string can easily be recovered by a simple XOR operation on a known password (NtgrSmartSwitchRock). Moreover, the Netgear Configuration Utility broadcasts the password to the network. Thus an attacker within the broadcast domain can eavesdrop and decode the password.”
He also said that the web interface appears to be vulnerable to XSS, CSRF and insufficient protection of the password.
Westermann said he notified Netgear in August 2015. Netgear confirmed the findings and a few weeks later informed him that there were no plans to fix the issues.
