ID

VAR-201704-0921


CVE

CVE-2017-2137


TITLE

NETGEAR ProSAFE Plus Configuration Utility vulnerable to improper access control

Trust: 0.8

sources: JVNDB: JVNDB-2017-000055

DESCRIPTION

ProSAFE Plus Configuration Utility prior to 2.3.29 allows remote attackers to bypass access restrictions and change configurations of the switch via SOAP requests. ProSAFE Plus Configuration Utility, provided by NETGEAR, is a Windows application to configure and manage NETGEAR's ProSAFE Plus and Click Switches. An operator uses the utility to log in and configure NETGEAR switches. When the utility is invoked, it starts listening on a certain port for SOAP requests. The utility accepts connections from the network, hence unintended operations may be conducted on the switches through the utility (CWE-284). Takayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. NETGEAR ProSAFE is a smart switch product that monitors and configures the network.

Trust: 2.25

sources: NVD: CVE-2017-2137 // JVNDB: JVNDB-2017-000055 // CNVD: CNVD-2017-05116 // VULHUB: VHN-110340

IOT TAXONOMY

category: ['Network device']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-05116

AFFECTED PRODUCTS

vendor: netgear
model: prosafe plus configuration utility
scope: lte
version: 2.3.28

Trust: 1.0

vendor: netgear
model: prosafe plus configuration utility
scope: eq
version: prior to 2.3.29

Trust: 0.8

vendor: netgear
model: prosafe plus configuration utility
scope: lt
version: 2.3.29

Trust: 0.6

vendor: netgear
model: prosafe plus configuration utility
scope: eq
version: 2.3.28

Trust: 0.6

sources: CNVD: CNVD-2017-05116 // JVNDB: JVNDB-2017-000055 // CNNVD: CNNVD-201705-104 // NVD: CVE-2017-2137

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-2137
value: LOW

Trust: 1.0

IPA: JVNDB-2017-000055
value: LOW

Trust: 0.8

CNVD: CNVD-2017-05116
value: LOW

Trust: 0.6

CNNVD: CNNVD-201705-104
value: LOW

Trust: 0.6

VULHUB: VHN-110340
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-2137
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2017-000055
severity: LOW
baseScore: 2.9
vectorString: AV:A/AC:M/AU:N/C:N/I:P/A:N
accessVector: ADJACENT NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2017-05116
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:N/I:P/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-110340
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-2137
baseSeverity: LOW
baseScore: 3.7
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 1.4
version: 3.0

Trust: 1.0

IPA: JVNDB-2017-000055
baseSeverity: LOW
baseScore: 3.4
vectorString: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
attackVector: ADJACENT NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2017-05116 // VULHUB: VHN-110340 // JVNDB: JVNDB-2017-000055 // CNNVD: CNNVD-201705-104 // NVD: CVE-2017-2137

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-264

Trust: 0.9

sources: VULHUB: VHN-110340 // JVNDB: JVNDB-2017-000055 // NVD: CVE-2017-2137

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201705-104

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201705-104

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-000055

PATCH

title: Security Advisory for Insecure SOAP Access in ProSAFE Plus Configuration Utility, PSV-2017-1997
url: https://kb.netgear.com/000038443/Security-Advisory-for-Insecure-SOAP-Access-in-ProSAFE-Plus-Configuration-Utility-PSV-2017-1997?cid=wmt_netgear_organic

Trust: 0.8

title: NETGEAR ProSAFE Plus Configuration Utility does not correctly access patches that control vulnerabilities
url: https://www.cnvd.org.cn/patchInfo/show/92452

Trust: 0.6

title: NetGear ProSAFE Plus Configuration Utility Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=69779

Trust: 0.6

sources: CNVD: CNVD-2017-05116 // JVNDB: JVNDB-2017-000055 // CNNVD: CNNVD-201705-104

EXTERNAL IDS

db: NVD, id: CVE-2017-2137

Trust: 3.1

db: JVN, id: JVN08740778

Trust: 3.1

db: JVNDB, id: JVNDB-2017-000055

Trust: 0.8

db: CNNVD, id: CNNVD-201705-104

Trust: 0.7

db: CNVD, id: CNVD-2017-05116

Trust: 0.6

db: VULHUB, id: VHN-110340

Trust: 0.1

sources: CNVD: CNVD-2017-05116 // VULHUB: VHN-110340 // JVNDB: JVNDB-2017-000055 // CNNVD: CNNVD-201705-104 // NVD: CVE-2017-2137

REFERENCES

url:http://jvn.jp/en/jp/jvn08740778/index.html

Trust: 2.5

url:https://kb.netgear.com/000038443/security-advisory-for-insecure-soap-access-in-prosafe-plus-configuration-utility-psv-2017-1997

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2137

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-2137

Trust: 0.8

url:http://jvn.jp/en/jp/jvn08740778/

Trust: 0.6

sources: CNVD: CNVD-2017-05116 // VULHUB: VHN-110340 // JVNDB: JVNDB-2017-000055 // CNNVD: CNNVD-201705-104 // NVD: CVE-2017-2137

SOURCES

db: CNVD, id: CNVD-2017-05116
db: VULHUB, id: VHN-110340
db: JVNDB, id: JVNDB-2017-000055
db: CNNVD, id: CNNVD-201705-104
db: NVD, id: CVE-2017-2137

LAST UPDATE DATE

2025-04-20T23:32:14.231000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-05116, date: 2017-04-23T00:00:00
db: VULHUB, id: VHN-110340, date: 2019-10-03T00:00:00
db: JVNDB, id: JVNDB-2017-000055, date: 2017-06-01T00:00:00
db: CNNVD, id: CNNVD-201705-104, date: 2019-10-23T00:00:00
db: NVD, id: CVE-2017-2137, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2017-05116, date: 2017-04-23T00:00:00
db: VULHUB, id: VHN-110340, date: 2017-04-28T00:00:00
db: JVNDB, id: JVNDB-2017-000055, date: 2017-04-18T00:00:00
db: CNNVD, id: CNNVD-201705-104, date: 2017-04-28T00:00:00
db: NVD, id: CVE-2017-2137, date: 2017-04-28T16:59:01.637