Netgear smart switches could have been hijacked by serious security flaws

An abstract image of padlocks overlaying a digital background.
(Image credit: Shutterstock)

Cybersecurity experts found three vulnerabilities in over a dozen models of Netgear’s smart switches which could be exploited to take control of the vulnerable devices.

Discovered and reported by security researcher Gynvael Coldwind, Netgear has plugged all three vulnerabilities urging users of affected devices to apply the patches immediately.

Coldwind has published details as well as proof-of-concept (PoC) exploit code of two of the three vulnerabilities.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

According to BleepingComputer, while most of the twenty affected devices are smart switches, some of them include cloud management capabilities, and can be monitored and configured over the internet.

Device control

Although Netgear’s advisory doesn’t include any technical details about the bugs, Coldwind has been a lot more forthcoming.

Sharing details about the attack vectors of two of the vulnerabilities, Coldwind lists the scenarios in which affected devices can be exploited to hand over complete control to the attackers.

Interestingly, Coldwind believes that Netgear has been a little conservative in their severity score assessment of the vulnerabilities, particularly for one of them he’s dubbed Demon's Cries. While Netgear has rated it as highly severe with a score of 8.8, Coldwind believes it deserves a critical score of 9.8.

Exploiting the flaw reportedly requires that the Netgear Smart Control Center (SCC) feature is active, which it isn’t by default. 

Talking to BleepingComputer, Coldwind says that the second bug that he’s named Draconian Fear is “more interesting than dangerous” since it requires quite a bit of legwork.

He’ll share details about the third vulnerability at the start of next week, on September, 13, 2021.

Via BleepingComputer

TOPICS
Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Read more
cables going into the back of a broadband router on white background
Netgear urges users to patch major router security issues now
An image of network security icons for a network encircling a digital blue earth.
Industrial networks exposed to attack by faulty Moxa devices
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple routers hit by new critical severity remote command injection vulnerability, with no fix in sight
Cyber-security
Juniper Session Smart routers have a critical flaw, so patch now
China
Juniper patches security flaws which could have let hackers take over your router
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Cisco, ASUS, QNAP, and Synology devices hijacked to major botnet
Latest in Security
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
China
Notorious Chinese hackers FamousSparrow allegedly target US financial firms
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
NHS
NHS IT supplier hit with major fine following ransomware attack
Latest in News
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Amazon Echo Smart Speaker
Amazon is experimenting with renaming Echo speakers to Alexa speakers, and it's about time
Shigeru Miyamoto presents Nintendo Today app
Nintendo Today smartphone app is out now on iOS and Android devices – and here's what it does
iPhone 13 mini
The iPhone mini won't be returning, according to rumors – and you think that's a mistake