ID

VAR-201312-0126


CVE

CVE-2013-4775


TITLE

Vulnerability in the firmware of multiple NETGEAR ProSafe switch products that allows reading encrypted administrator authentication information

Trust: 0.8

sources: JVNDB: JVNDB-2013-005621

DESCRIPTION

NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier; GS748Tv4 with firmware 5.4.1.14; GS510TP with firmware 5.4.0.6; GS752TPS, GS728TPS, GS728TS, and GS725TS with firmware 5.3.0.17; and GS752TXS and GS728TXS with firmware 6.1.0.12 allow remote attackers to read encrypted administrator credentials and other startup configurations via a direct request to filesystem/startup-config.

NetGear ProSafe is a smart switch product that monitors and configures the network. An information disclosure vulnerability exists in multiple NetGear ProSafe switches. An attacker can exploit this vulnerability to download a configuration file and reveal sensitive information. The information obtained may be helpful for further attacks.

1. BACKGROUND

According to the vendor, Netgear ProSafe is a cost-effective line of smart switches for Small and Medium Businesses (SMBs). The products cover an essential set of network features and easy-to-use web-based management. Power over Ethernet (PoE) and Stacking versions are also available.

2. CVE-2013-4776: Denial of Service vulnerability.

3. AFFECTED PRODUCTS AND SOFTWARE

CVE-2013-4775
  GS724Tv3 and GS716Tv2 - firmware 5.4.1.13
  GS724Tv3 and GS716Tv2 - firmware 5.4.1.10
  GS748Tv4 - firmware 5.4.1.14
  GS510TP - firmware 5.4.0.6
  GS752TPS and GS728TPS - firmware 5.3.0.17
  GS728TS and GS725TS - firmware 5.3.0.17
  GS752TXS and GS728TXS - firmware 6.1.0.12

CVE-2013-4776
  GS724Tv3 and GS716Tv2 - firmware 5.4.1.13
  GS724Tv3 and GS716Tv2 - firmware 5.4.1.10
  GS748Tv4 - firmware 5.4.1.14
  GS510TP - firmware 5.0.4.4

4. VULNERABILITIES

The list below describes the vulnerabilities discovered in the affected software.

4.1 CVE-2013-4775: Unauthenticated startup-config disclosure

The web management application fails to restrict URL access to different application areas.

[Proof of Concept]
The vulnerability can be exploited with a simple HTTP (GET) request. Open a browser and visit http://Target-IP/filesystem/startup-config

4.2 CVE-2013-4776: Denial of Service vulnerability

The affected products are prone to a Denial of Service vulnerability. Remote, unauthenticated attackers could exploit this issue to cause a switch reboot or crash, resulting in a loss of network connectivity for all devices connected to the switch.

[Proof of Concept]
The vulnerability can be exploited with a simple HTTP (GET) request. Open a browser and visit http://Target-IP/filesystem/

Implementation of a Proof of Concept for both vulnerabilities can be found here: http://www.encripto.no/tools/netgear-prosafe-PoC.tar.gz

5. REMEDIATION

No firmware updates or fixes have been released yet. As a mitigation, the vendor recommends configuring a separate management VLAN and configuring access control via "Security::Access::Access Control" or "Security::ACL::Advanced::IP Extended Rules".

6. CREDIT

The vulnerabilities were originally discovered in a GS724Tv3 device, by Juan J. Güelfo at Encripto AS.
E-mail: post [at] encripto [dot] no
Web: http://www.encripto.no

Special thanks to Maarten Hoogcarspel and the Netgear Support Team for verifying other switch models, and considering possible fixes.

For more information about Encripto's research policy, please visit http://www.encripto.no/forskning/

7. REFERENCES

http://www.encripto.no/forskning/whitepapers/Netgear_prosafe_advisory_aug_2013.pdf
http://www.encripto.no/tools/netgear-prosafe-PoC.tar.gz

DISCLAIMER

The material presented in this document is for educational purposes only. Encripto AS cannot be responsible for any loss or damage carried out by any technique presented in this material. The reader is the only one responsible for applying this knowledge, which is at his / her own risk. Any of the trademarks, service marks, collective marks, design rights, personality rights or similar rights that are mentioned, used or cited in this document is property of their respective owners.

Trust: 2.61

sources: NVD: CVE-2013-4775 // JVNDB: JVNDB-2013-005621 // CNVD: CNVD-2013-12586 // BID: 61918 // VULHUB: VHN-64777 // PACKETSTORM: 122904

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2013-12586

AFFECTED PRODUCTS

vendor: netgear, model: prosafe, scope: eq, version: 5.3.0.17

Trust: 1.6

vendor: netgear, model: prosafe, scope: eq, version: 5.4.1.10

Trust: 1.6

vendor: netgear, model: prosafe, scope: eq, version: 6.1.0.12

Trust: 1.6

vendor: netgear, model: prosafe, scope: eq, version: 5.0.4.4

Trust: 1.6

vendor: netgear, model: prosafe, scope: eq, version: 5.4.0.6

Trust: 1.6

vendor: netgear, model: prosafe, scope: eq, version: 5.4.1.13

Trust: 1.6

vendor: netgear, model: prosafe gs748t, scope: eq, version: v4

Trust: 1.0

vendor: netgear, model: prosafe gs510tp, scope: eq, version: -

Trust: 1.0

vendor: netgear, model: prosafe gs728tps, scope: eq, version: -

Trust: 1.0

vendor: netgear, model: prosafe, scope: lte, version: 5.4.1.13

Trust: 1.0

vendor: netgear, model: prosafe gs724t, scope: eq, version: v3

Trust: 1.0

vendor: netgear, model: prosafe gs728ts, scope: eq, version: -

Trust: 1.0

vendor: netgear, model: prosafe s716t, scope: eq, version: v2

Trust: 1.0

vendor: netgear, model: prosafe gs728txs, scope: eq, version: -

Trust: 1.0

vendor: netgear, model: prosafe gs725ts, scope: eq, version: -

Trust: 1.0

vendor: netgear, model: prosafe gs752txs, scope: eq, version: -

Trust: 1.0

vendor: netgear, model: prosafe, scope: lte, version: 5.4.1.14

Trust: 1.0

vendor: netgear, model: prosafe gs752tps, scope: eq, version: -

Trust: 1.0

vendor: net gear, model: gs510tp, scope: -, version: -

Trust: 0.8

vendor: net gear, model: gs716t, scope: eq, version: v2

Trust: 0.8

vendor: net gear, model: gs724t, scope: eq, version: v3

Trust: 0.8

vendor: net gear, model: gs725ts, scope: -, version: -

Trust: 0.8

vendor: net gear, model: gs728tps, scope: -, version: -

Trust: 0.8

vendor: net gear, model: gs728ts, scope: -, version: -

Trust: 0.8

vendor: net gear, model: gs728txs, scope: -, version: -

Trust: 0.8

vendor: net gear, model: gs748t, scope: eq, version: v4

Trust: 0.8

vendor: net gear, model: gs752tps, scope: -, version: -

Trust: 0.8

vendor: net gear, model: gs752txs, scope: -, version: -

Trust: 0.8

vendor: net gear, model: prosafe, scope: eq, version: 5.3.0.17 (gs725ts)

Trust: 0.8

vendor: net gear, model: prosafe, scope: eq, version: 5.3.0.17 (gs728tps)

Trust: 0.8

vendor: net gear, model: prosafe, scope: eq, version: 5.3.0.17 (gs728ts)

Trust: 0.8

vendor: net gear, model: prosafe, scope: eq, version: 5.3.0.17 (gs752tps)

Trust: 0.8

vendor: net gear, model: prosafe, scope: eq, version: 5.4.0.6 (gs510tp)

Trust: 0.8

vendor: net gear, model: prosafe, scope: lte, version: 5.4.1.13 (gs716t v2)

Trust: 0.8

vendor: net gear, model: prosafe, scope: lte, version: 5.4.1.13 (gs724t v3)

Trust: 0.8

vendor: net gear, model: prosafe, scope: lte, version: 5.4.1.14 (gs748t v4)

Trust: 0.8

vendor: net gear, model: prosafe, scope: eq, version: 6.1.0.12 (gs728txs)

Trust: 0.8

vendor: net gear, model: prosafe, scope: eq, version: 6.1.0.12 (gs752txs)

Trust: 0.8

vendor: netgear, model: prosafe switches, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2013-12586 // JVNDB: JVNDB-2013-005621 // CNNVD: CNNVD-201312-396 // NVD: CVE-2013-4775

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-4775
value: HIGH

Trust: 1.0

NVD: CVE-2013-4775
value: HIGH

Trust: 0.8

CNVD: CNVD-2013-12586
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201312-396
value: HIGH

Trust: 0.6

VULHUB: VHN-64777
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2013-4775
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2013-12586
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-64777
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2013-12586 // VULHUB: VHN-64777 // JVNDB: JVNDB-2013-005621 // CNNVD: CNNVD-201312-396 // NVD: CVE-2013-4775

PROBLEMTYPE DATA

problemtype: CWE-200

Trust: 1.9

sources: VULHUB: VHN-64777 // JVNDB: JVNDB-2013-005621 // NVD: CVE-2013-4775

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201312-396

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201312-396

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-005621

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-64777

PATCH

title: Switch products, url: http://www.netgear.jp/products/business/switch

Trust: 0.8

sources: JVNDB: JVNDB-2013-005621

EXTERNAL IDS

db: NVD, id: CVE-2013-4775

Trust: 3.6

db: BID, id: 61918

Trust: 1.0

db: JVNDB, id: JVNDB-2013-005621

Trust: 0.8

db: CNNVD, id: CNNVD-201312-396

Trust: 0.7

db: CNVD, id: CNVD-2013-12586

Trust: 0.6

db: PACKETSTORM, id: 122904

Trust: 0.2

db: PACKETSTORM, id: 122905

Trust: 0.2

db: SEEBUG, id: SSVID-81366

Trust: 0.1

db: EXPLOIT-DB, id: 27774

Trust: 0.1

db: VULHUB, id: VHN-64777

Trust: 0.1

sources: CNVD: CNVD-2013-12586 // VULHUB: VHN-64777 // BID: 61918 // JVNDB: JVNDB-2013-005621 // PACKETSTORM: 122905 // PACKETSTORM: 122904 // CNNVD: CNNVD-201312-396 // NVD: CVE-2013-4775

REFERENCES

url: http://www.encripto.no/forskning/whitepapers/netgear_prosafe_advisory_aug_2013.pdf

Trust: 2.6

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4775

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-4775

Trust: 0.8

url: http://www.securityfocus.com/bid/61918

Trust: 0.6

url: http://www.netgear.com

Trust: 0.3

url: https://nvd.nist.gov/vuln/detail/cve-2013-4775

Trust: 0.2

url: https://nvd.nist.gov/vuln/detail/cve-2013-4776

Trust: 0.2

url: http://target-ip/filesystem/startup-config

Trust: 0.1

url: http://target-ip/filesystem/

Trust: 0.1

url: http://www.encripto.no/tools/netgear-prosafe-poc.tar.gz

Trust: 0.1

url: http://www.encripto.no

Trust: 0.1

url: http://www.encripto.no/forskning/

Trust: 0.1

sources: CNVD: CNVD-2013-12586 // VULHUB: VHN-64777 // BID: 61918 // JVNDB: JVNDB-2013-005621 // PACKETSTORM: 122905 // PACKETSTORM: 122904 // CNNVD: CNNVD-201312-396 // NVD: CVE-2013-4775

CREDITS

Juan J. Güelfo at Encripto AS

Trust: 0.3

sources: BID: 61918

SOURCES

db: CNVD, id: CNVD-2013-12586
db: VULHUB, id: VHN-64777
db: BID, id: 61918
db: JVNDB, id: JVNDB-2013-005621
db: PACKETSTORM, id: 122905
db: PACKETSTORM, id: 122904
db: CNNVD, id: CNNVD-201312-396
db: NVD, id: CVE-2013-4775

LAST UPDATE DATE

2025-04-11T23:11:58.620000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2013-12586, date: 2013-08-27T00:00:00
db: VULHUB, id: VHN-64777, date: 2013-12-19T00:00:00
db: BID, id: 61918, date: 2013-08-21T00:00:00
db: JVNDB, id: JVNDB-2013-005621, date: 2013-12-20T00:00:00
db: CNNVD, id: CNNVD-201312-396, date: 2014-01-02T00:00:00
db: NVD, id: CVE-2013-4775, date: 2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2013-12586, date: 2013-08-27T00:00:00
db: VULHUB, id: VHN-64777, date: 2013-12-19T00:00:00
db: BID, id: 61918, date: 2013-08-21T00:00:00
db: JVNDB, id: JVNDB-2013-005621, date: 2013-12-20T00:00:00
db: PACKETSTORM, id: 122905, date: 2013-08-22T02:13:52
db: PACKETSTORM, id: 122904, date: 2013-08-22T02:11:50
db: CNNVD, id: CNNVD-201312-396, date: 2013-12-24T00:00:00
db: NVD, id: CVE-2013-4775, date: 2013-12-19T04:24:48.493