Vulnerability Name:

CVE-2016-1524 (CCN-110387)

Assigned: 2016-02-03
Published: 2016-02-03
Updated: 2018-10-09
Summary: Multiple unrestricted file upload vulnerabilities in NETGEAR Management System NMS300 1.5.0.11 and earlier allow remote attackers to execute arbitrary Java code by using (1) fileUpload.do or (2) lib-1.0/external/flash/fileUpload.do to upload a JSP file, and then accessing it via a direct request for a /null URI.

CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS v3 Severity: 9.6 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
9.0 Critical (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:U/RC:R)
Exploitability Metrics: Attack Vector (AV): Adjacent
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
9.8 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
9.2 Critical (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:R)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 8.3 High (CVSS v2 Vector: AV:A/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics: Access Vector (AV): Adjacent_Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type: CWE-Other
Vulnerability Consequences: Gain Access
References:

Source: MITRE
Type: CNA
CVE-2016-1524

Source: CCN
Type: NETGEAR Web site
Management System NMS300

Source: MISC
Type: UNKNOWN
http://packetstormsecurity.com/files/135618/Netgear-Pro-NMS-300-Code-Execution-File-Download.html

Source: FULLDISC
Type: UNKNOWN
20160204 [CERT 777024 / CVE-2016-1524/5]: RCE and file download in Netgear NMS300

Source: CCN
Type: US-CERT VU#777024
Netgear Management System NMS300 contains arbitrary file upload and path traversal vulnerabilities

Source: CERT-VN
Type: Third Party Advisory, US Government Resource
VU#777024

Source: BUGTRAQ
Type: UNKNOWN
20160204 [CERT 777024 / CVE-2016-1524/5]: RCE and file download in Netgear NMS300

Source: XF
Type: UNKNOWN
netgear-cve20161524-file-upload(110387)

Source: CCN
Type: Packet Storm Security [02-07-2016]
Netgear Pro NMS 300 Code Execution / File Download

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [02-04-2016]

Source: EXPLOIT-DB
Type: UNKNOWN
39412

Vulnerable Configuration: Configuration 1:
  • cpe:/a:netgear:prosafe_network_management_software_300:*:*:*:*:*:*:*:* (Version <= 1.5.0.11)

  • * Denotes that component is vulnerable
    netgear prosafe network management software 300 *