Hardcoded Netgear Prosafe Switch Password

Published: 2014-07-08
Last Updated: 2014-07-08 15:23:30 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

Update: Cert.org corrected it's advisory. The GS105PE is affected, not the GS108PE as indicated earlier. The NVD CVE entry still lists the old model number [2]. 

Yet another hard coded password. This time it's Netgear's Prosafe Switch (GS105PE) running firmware version 1.2.0.5 and earlier [1]. The pre-configured username is "ntgruser" and the password is "debugpassword". If you have any Netgear equipment, it may be worthwhile checking for this username and password even if your device isn't listed as vulnerable.

Sadly, at this point there doesn't appear to be a solution to the problem, other then returning the switch to the store and buying another one if you can.

CVE Number: CVE-2014-2969 [2]

 

[1] http://www.kb.cert.org/vuls/id/143740
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2969

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

4 comment(s)

Comments

Just another case where calling something "Pro" or "Safe" does not make it so.
Interesting....
> http://www.netgear.com/business/products/switches/unmanaged-plus/GS108PE.aspx#tab-techspecs
... maybe this is it:
> http://support.netgear.com/product/GS108Ev2
.
... With corrected model number:
- http://www.netgear.com/business/products/switches/unmanaged-plus/GS105PE.aspx#tab-techspecs
.
- http://support.netgear.com/product/GS105PE

Firmware updt TBD...
.
I looked at the latest firmware for 5 and 8 port Netgear Prosafe Plus switches (the first part of the file name is the switch type):

GS105E_V1.02.04.zip
GS105Ev2_V1.2.0.5.zip
GS105PE_V1.2.0.5.zip
GS108EV2_V1.00.12.zip
GS108PEV2_V1.00.12.zip

Only GS105Ev2 and GS105PE contain the web based credentials ntgruser + debugpassword (firmwares for the other switches do not seem to support web based management).

However, *all* Netgear ProSafe Plus switches can be managed using the "ProSafe Plus Switch Utility" (latest version v2.2.36), which is available for Windows only.

As can be read in http://www.linux-magazin.de/Ausgaben/2012/10/Switch (in German), communication between this utility and switch is unencrypted. The utility uses ethernet and IP broadcasts to communicate with the switch, and the switch answers also using broadcasts (this permits configuring regardless of IP-settings, beneficial for inexperienced home users). Older versions of the management software and firmware would send a plain text password for changing settings, while no password is required at all to read settings from the switch.

http://kb.netgear.com/app/answers/detail/a_id/22202/~/prosafe-plus-configuration-utility-v2.2.24 informs us that password encryption is supported since v2.2.24 (this also requires a firmware update on the switch).

Unfortunately, as http://www.linux-magazin.de/Blogs/Insecurity-Bulletin/Gastbeitrag-Security-by-Obscurity-bei-Netgear-Switches points out, the password is not really encrypted but XOR obfuscated using a fixed string "NtgrSmartSwitchRock" (which is present in all firmwares mentioned above). The author, Konstantin Agouros, used version 2.2.26 of the utility and a GS105E with firmware V1.02.04. According to the article still no password was required to read switch settings, and broadcasts were still used in both communication directions.

Note: Googling for "NtgrSmartSwitchRock" yields software for managing Prosafe Plus switches from Linux.

Diary Archives