"Netgear Vulnerabilities Lead to Credentials Leak, Privilege Escalation"

Security researchers at Flashpoint have discovered that vulnerabilities in Netgear's NMS300 ProSAFE network management system allow attackers to retrieve cleartext credentials and escalate privileges. The tool provides a web-based interface for managing network devices. It communicates over TCP port 8080 and supports administrator accounts as well as the lower-privileged operator and observer roles. The researchers noted that an observer account can only view and monitor network functions, but the issues identified in the product allow an attacker who starts from this low-privileged role to gain administrative access to the managed devices.

Netgear NMS300 lets administrators manage user accounts from a "User management" tab, where an observer account can only view information about other users, such as username, account type and contact details. The researchers found that when the "User management" tab is opened, the browser sends two requests: one that loads the page and a second that retrieves the user information used to populate it.

The first vulnerability lies in that second request. It triggers an SQL query that reads the user table, and the response contains every user account stored in the database. Because everything in the table is returned, the response includes the cleartext password of every account. The researchers noted that an attacker with access to a low-privileged account can therefore retrieve the credentials of administrator accounts, log in to the web-based management interface with them, and gain access to all managed devices.

The second issue is that when an observer account accesses the "User management" tab, the system performs insufficient checks on the permissions that user has. The researchers noted that because these checks "do not restrict the individual HTTP requests sent to the system," an attacker can bypass the restrictions by sending crafted requests that change the password of an administrator account, then log in with the modified credentials and gain administrative access.
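The two weaknesses the report describes, modelled as an added example in Python with sqlite3. This is not NMS300's code and makes no claim about the product's endpoints, schema or requests; the account names, roles, passwords and the `session` dictionary are constructed for the demo. The vulnerable handlers return every column of the users table to any caller and apply no authorization to the password-change request, which is enough for an observer to read the administrator's cleartext password or simply overwrite it. The hardened handlers check the caller's role on every request rather than only when the page is rendered, name only the columns the page needs, and store PBKDF2 hashes so that even a leaked row is not a usable credential.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo (not taken from the report).
SAMPLE_USERS = [
    ("admin",   "admin",    "Adm1n-Secret", "admin@example.test"),
    ("ops1",    "operator", "Op-Pass-1",    "ops1@example.test"),
    ("watcher", "observer", "Watch-Pass",   "watcher@example.test"),
]

# ---- vulnerable model: the shape of the flaws the report describes ----

def build_vulnerable_db():
    """Users table that stores passwords in cleartext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT, "
                 "password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn

def list_users_vulnerable(conn, session):
    """Data request behind the 'User management' page. The session is never
    consulted, and SELECT * returns every column, password included."""
    cur = conn.execute("SELECT * FROM users")
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]

def change_password_vulnerable(conn, session, target, new_password):
    """The UI hides the form from observers, but the request itself is not
    authorized, so a crafted request from any session succeeds."""
    conn.execute("UPDATE users SET password = ? WHERE username = ?",
                 (new_password, target))
    conn.commit()
    return True

# ---- hardened model ----

PBKDF2_ROUNDS = 200_000

def hash_password(password, salt=None):
    """Returns 'salt$hash' using PBKDF2-HMAC-SHA256 with a random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)

def build_hardened_db():
    """Same accounts, but only password hashes are stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT, "
                 "password_hash TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                     [(u, r, hash_password(p), e) for u, r, p, e in SAMPLE_USERS])
    conn.commit()
    return conn

def require_role(session, *allowed):
    """Authorization is enforced per request, not per page."""
    if session.get("role") not in allowed:
        raise PermissionError(f"role {session.get('role')!r} may not do this")

def list_users_hardened(conn, session):
    """Any logged-in role may list users, but the query names only the columns
    the page shows; the hash column never leaves the database layer."""
    require_role(session, "admin", "operator", "observer")
    cur = conn.execute("SELECT username, role, email FROM users")
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]

def change_password_hardened(conn, session, target, new_password):
    """Only an administrator may change another account's password."""
    if session.get("username") != target:
        require_role(session, "admin")
    conn.execute("UPDATE users SET password_hash = ? WHERE username = ?",
                 (hash_password(new_password), target))
    conn.commit()
    return True

def login(conn, username, password):
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and verify_password(password, row[0])

if __name__ == "__main__":
    observer = {"username": "watcher", "role": "observer"}
    vuln = build_vulnerable_db()
    print("leaked:", {u["username"]: u["password"] for u in list_users_vulnerable(vuln, observer)})
    hard = build_hardened_db()
    print("hardened listing:", list_users_hardened(hard, observer))
    try:
        change_password_hardened(hard, observer, "admin", "pwned")
    except PermissionError as exc:
        print("blocked:", exc)
```

The point of the hardened half is that hiding a control in the UI is not an authorization check: the server must decide, for each HTTP request, whether this session's role may read these columns or write this row, and the password column should never be part of any projection served to a browser.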


SecurityWeek reports: "Netgear Vulnerabilities Lead to Credentials Leak, Privilege Escalation"
