Vulnerability Name:

CVE-2019-20676 (CCN-180840)

Assigned: 2019-12-04
Published: 2019-12-04
Updated: 2020-04-23
Summary: Certain NETGEAR devices are affected by lack of access control at the function level. This affects FS728TLP before 1.0.1.26, GS105Ev2 before 1.6.0.4, GS105PE before 1.6.0.4, GS108Ev3 before 2.06.08, GS108PEv3 before 2.06.08, GS110EMX before 1.0.1.4, GS116Ev2 before 2.6.0.35, GS408EPP before 1.0.0.15, GS724TPv2 before 1.1.1.29, GS808E before 1.7.0.7, GS810EMX before 1.7.1.1, GS908E before 1.7.0.3, GSS108E before 1.6.0.4, GSS108EPP before 1.0.0.15, GSS116E before 1.6.0.9, JGS516PE before 2.6.0.35, JGS524Ev2 before 2.6.0.35, JGS524PE before 2.6.0.35, XS512EM before 1.0.1.1, XS708Ev2 before 1.6.0.23, XS716E before 1.6.0.23, and XS724EM before 1.0.1.1.
CVSS v3 Severity:
6.0 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): High
Integrity (I): High
Availability (A): None
6.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)
5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): High
Integrity (I): High
Availability (A): None
CVSS v2 Severity:
3.6 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:N)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
6.2 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:N)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:
Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): None
Vulnerability Type: CWE-862
Vulnerability Consequences: Bypass Security
References:
Source: MITRE
Type: CNA
CVE-2019-20676

Source: XF
Type: UNKNOWN
netgear-cve201920676-sec-bypass(180840)

Source: CCN
Type: NETGEAR Article ID: 000061463
Security Advisory for Missing Function Level Access Control on Some Switches, PSV-2018-0542

Source: CONFIRM
Type: Vendor Advisory
https://kb.netgear.com/000061463/Security-Advisory-for-Missing-Function-Level-Access-Control-on-Some-Switches-PSV-2018-0542

Vulnerable Configuration:
  • Configuration 1:
  • cpe:/o:netgear:fs728tlp_firmware:*:*:*:*:*:*:*:* (Version < 1.0.1.26)
  • AND
  • cpe:/h:netgear:fs728tlp:-:*:*:*:*:*:*:*

  • Configuration 2:
  • cpe:/o:netgear:gs105e_firmware:*:*:*:*:*:*:*:* (Version < 1.6.0.4)
  • AND
  • cpe:/h:netgear:gs105e:v2:*:*:*:*:*:*:*

  • Configuration 3:
  • cpe:/o:netgear:gs105pe_firmware:*:*:*:*:*:*:*:* (Version < 1.6.0.4)
  • AND
  • cpe:/h:netgear:gs105pe:-:*:*:*:*:*:*:*

  • Configuration 4:
  • cpe:/o:netgear:gs108e_firmware:*:*:*:*:*:*:*:* (Version < 2.06.08)
  • AND
  • cpe:/h:netgear:gs108e:v3:*:*:*:*:*:*:*

  • Configuration 5:
  • cpe:/o:netgear:gs108pe_firmware:*:*:*:*:*:*:*:* (Version < 2.06.08)
  • AND
  • cpe:/h:netgear:gs108pe:v3:*:*:*:*:*:*:*

  • Configuration 6:
  • cpe:/o:netgear:gs110emx_firmware:*:*:*:*:*:*:*:* (Version < 1.0.1.4)
  • AND
  • cpe:/h:netgear:gs110emx:-:*:*:*:*:*:*:*

  • Configuration 7:
  • cpe:/o:netgear:gs116e_firmware:*:*:*:*:*:*:*:* (Version < 2.6.0.35)
  • AND
  • cpe:/h:netgear:gs116e:v2:*:*:*:*:*:*:*

  • Configuration 8:
  • cpe:/o:netgear:gs408epp_firmware:*:*:*:*:*:*:*:* (Version < 1.0.0.15)
  • AND
  • cpe:/h:netgear:gs408epp:-:*:*:*:*:*:*:*

  • Configuration 9:
  • cpe:/o:netgear:gs724tp_firmware:*:*:*:*:*:*:*:* (Version < 1.1.1.29)
  • AND
  • cpe:/h:netgear:gs724tp:v2:*:*:*:*:*:*:*

  • Configuration 10:
  • cpe:/o:netgear:gs808e_firmware:*:*:*:*:*:*:*:* (Version < 1.7.0.7)
  • AND
  • cpe:/h:netgear:gs808e:-:*:*:*:*:*:*:*

  • Configuration 11:
  • cpe:/o:netgear:gs810emx_firmware:*:*:*:*:*:*:*:* (Version < 1.7.1.1)
  • AND
  • cpe:/h:netgear:gs810emx:-:*:*:*:*:*:*:*

  • Configuration 12:
  • cpe:/o:netgear:gs908e_firmware:*:*:*:*:*:*:*:* (Version < 1.7.0.3)
  • AND
  • cpe:/h:netgear:gs908e:-:*:*:*:*:*:*:*

  • Configuration 13:
  • cpe:/o:netgear:gss108e_firmware:*:*:*:*:*:*:*:* (Version < 1.6.0.4)
  • AND
  • cpe:/h:netgear:gss108e:-:*:*:*:*:*:*:*

  • Configuration 14:
  • cpe:/o:netgear:gss108epp_firmware:*:*:*:*:*:*:*:* (Version < 1.0.0.15)
  • AND
  • cpe:/h:netgear:gss108epp:-:*:*:*:*:*:*:*

  • Configuration 15:
  • cpe:/o:netgear:gss116e_firmware:*:*:*:*:*:*:*:* (Version < 1.6.0.9)
  • AND
  • cpe:/h:netgear:gss116e:-:*:*:*:*:*:*:*

  • Configuration 16:
  • cpe:/o:netgear:jgs516pe_firmware:*:*:*:*:*:*:*:* (Version < 2.6.0.35)
  • AND
  • cpe:/h:netgear:jgs516pe:-:*:*:*:*:*:*:*

  • Configuration 17:
  • cpe:/o:netgear:jgs524e_firmware:*:*:*:*:*:*:*:* (Version < 2.6.0.35)
  • AND
  • cpe:/h:netgear:jgs524e:v2:*:*:*:*:*:*:*

  • Configuration 18:
  • cpe:/o:netgear:jgs524pe_firmware:*:*:*:*:*:*:*:* (Version < 2.6.0.35)
  • AND
  • cpe:/h:netgear:jgs524pe:-:*:*:*:*:*:*:*

  • Configuration 19:
  • cpe:/o:netgear:xs512em_firmware:*:*:*:*:*:*:*:* (Version < 1.0.1.1)
  • AND
  • cpe:/h:netgear:xs512em:-:*:*:*:*:*:*:*

  • Configuration 20:
  • cpe:/o:netgear:xs708e_firmware:*:*:*:*:*:*:*:* (Version < 1.6.0.23)
  • AND
  • cpe:/h:netgear:xs708e:v2:*:*:*:*:*:*:*

  • Configuration 21:
  • cpe:/o:netgear:xs716e_firmware:*:*:*:*:*:*:*:* (Version < 1.6.0.23)
  • AND
  • cpe:/h:netgear:xs716e:-:*:*:*:*:*:*:*

  • Configuration 22:
  • cpe:/o:netgear:xs724em_firmware:*:*:*:*:*:*:*:* (Version < 1.0.1.1)
  • AND
  • cpe:/h:netgear:xs724em:-:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/o:netgear:jgs516pe_firmware:2.6.0:*:*:*:*:*:*:*
  • OR cpe:/o:netgear:gs408epp_firmware:1.0.0.15:*:*:*:*:*:*:*
  • OR cpe:/o:netgear:gs105pe_firmware:1.6.0.4:*:*:*:*:*:*:*
  • OR cpe:/o:netgear:gss108epp_firmware:1.0.0.15:*:*:*:*:*:*:*
  • OR cpe:/o:netgear:gs908e_firmware:1.7.0.3:*:*:*:*:*:*:*
  • OR cpe:/o:netgear:gs808e_firmware:1.7.0.7:*:*:*:*:*:*:*
  • OR cpe:/o:netgear:gs105ev2_firmware:1.6.0:*:*:*:*:*:*:*
  • OR cpe:/o:netgear:gss108e_firmware:1.6.0.4:*:*:*:*:*:*:*
  • OR cpe:/o:netgear:xs716e_firmware:1.6.0.23:*:*:*:*:*:*:*
  • OR cpe:/o:netgear:gs116ev2_firmware:2.6.0:*:*:*:*:*:*:*
  • OR cpe:/o:netgear:gs108pev3_firmware:2.06:*:*:*:*:*:*:*
  • OR cpe:/o:netgear:gs108ev3_firmware:2.06:*:*:*:*:*:*:*
  • OR cpe:/o:netgear:gs810emx_firmware:1.7.1.1:*:*:*:*:*:*:*
  • OR cpe:/o:netgear:xs512em_firmware:1.0.1.1:*:*:*:*:*:*:*
  • OR cpe:/o:netgear:gs110emx_firmware:1.0.1.4:*:*:*:*:*:*:*
  • OR cpe:/o:netgear:xs708ev2_firmware:1.6.0:*:*:*:*:*:*:*
  • OR cpe:/o:netgear:gss116e_firmware:1.6.0.9:*:*:*:*:*:*:*
  • OR cpe:/o:netgear:xs724em_firmware:1.0.1.1:*:*:*:*:*:*:*
  • OR cpe:/o:netgear:jgs524pe_firmware:2.6.0.35:*:*:*:*:*:*:*
  • OR cpe:/o:netgear:jgs524ev2_firmware:2.6.0:*:*:*:*:*:*:*
  • OR cpe:/o:netgear:fs728tlp_firmware:1.0.1.26:*:*:*:*:*:*:*
  • OR cpe:/o:netgear:gs724tpv2_firmware:1.1.1:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable