Hardcoded Netgear Prosafe Switch Password
Update: Cert.org corrected it's advisory. The GS105PE is affected, not the GS108PE as indicated earlier. The NVD CVE entry still lists the old model number [2].
Yet another hard coded password. This time it's Netgear's Prosafe Switch (GS105PE) running firmware version 1.2.0.5 and earlier [1]. The pre-configured username is "ntgruser" and the password is "debugpassword". If you have any Netgear equipment, it may be worthwhile checking for this username and password even if your device isn't listed as vulnerable.
Sadly, at this point there doesn't appear to be a solution to the problem, other then returning the switch to the store and buying another one if you can.
CVE Number: CVE-2014-2969 [2]
[1] http://www.kb.cert.org/vuls/id/143740
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2969
Comments
Anonymous
Jul 8th 2014
1 decade ago
> http://www.netgear.com/business/products/switches/unmanaged-plus/GS108PE.aspx#tab-techspecs
... maybe this is it:
> http://support.netgear.com/product/GS108Ev2
.
Anonymous
Jul 8th 2014
1 decade ago
- http://www.netgear.com/business/products/switches/unmanaged-plus/GS105PE.aspx#tab-techspecs
.
- http://support.netgear.com/product/GS105PE
Firmware updt TBD...
.
Anonymous
Jul 8th 2014
1 decade ago
GS105E_V1.02.04.zip
GS105Ev2_V1.2.0.5.zip
GS105PE_V1.2.0.5.zip
GS108EV2_V1.00.12.zip
GS108PEV2_V1.00.12.zip
Only GS105Ev2 and GS105PE contain the web based credentials ntgruser + debugpassword (firmwares for the other switches do not seem to support web based management).
However, *all* Netgear ProSafe Plus switches can be managed using the "ProSafe Plus Switch Utility" (latest version v2.2.36), which is available for Windows only.
As can be read in http://www.linux-magazin.de/Ausgaben/2012/10/Switch (in German), communication between this utility and switch is unencrypted. The utility uses ethernet and IP broadcasts to communicate with the switch, and the switch answers also using broadcasts (this permits configuring regardless of IP-settings, beneficial for inexperienced home users). Older versions of the management software and firmware would send a plain text password for changing settings, while no password is required at all to read settings from the switch.
http://kb.netgear.com/app/answers/detail/a_id/22202/~/prosafe-plus-configuration-utility-v2.2.24 informs us that password encryption is supported since v2.2.24 (this also requires a firmware update on the switch).
Unfortunately, as http://www.linux-magazin.de/Blogs/Insecurity-Bulletin/Gastbeitrag-Security-by-Obscurity-bei-Netgear-Switches points out, the password is not really encrypted but XOR obfuscated using a fixed string "NtgrSmartSwitchRock" (which is present in all firmwares mentioned above). The author, Konstantin Agouros, used version 2.2.26 of the utility and a GS105E with firmware V1.02.04. According to the article still no password was required to read switch settings, and broadcasts were still used in both communication directions.
Note: Googling for "NtgrSmartSwitchRock" yields software for managing Prosafe Plus switches from Linux.
Anonymous
Jul 8th 2014
1 decade ago