Vulnerability Name:

CVE-2021-40866 (CCN-209137)

Assigned:2021-09-03
Published:2021-09-03
Updated:2022-01-04
Summary:Certain NETGEAR smart switches are affected by a remote admin password change by an unauthenticated attacker via the (disabled by default) /sqfs/bin/sccd daemon, which fails to check authentication when the authentication TLV is missing from a received NSDP packet. This affects GC108P before 1.0.8.2, GC108PP before 1.0.8.2, GS108Tv3 before 7.0.7.2, GS110TPP before 7.0.7.2, GS110TPv3 before 7.0.7.2, GS110TUP before 1.0.5.3, GS308T before 1.0.3.2, GS310TP before 1.0.3.2, GS710TUP before 1.0.5.3, GS716TP before 1.0.4.2, GS716TPP before 1.0.4.2, GS724TPP before 2.0.6.3, GS724TPv2 before 2.0.6.3, GS728TPPv2 before 6.0.8.2, GS728TPv2 before 6.0.8.2, GS750E before 1.0.1.10, GS752TPP before 6.0.8.2, GS752TPv2 before 6.0.8.2, MS510TXM before 1.0.4.2, and MS510TXUP before 1.0.4.2.
CVSS v3 Severity:8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Adjacent
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
8.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
7.7 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Adjacent
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:5.4 Medium (CVSS v2 Vector: AV:A/AC:M/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Adjacent_Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
8.3 High (CCN CVSS v2 Vector: AV:A/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Adjacent_Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-287
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2021-40866

Source: XF
Type: UNKNOWN
netgear-cve202140866-sec-bypass(209137)

Source: MISC
Type: Exploit, Third Party Advisory
https://gynvael.coldwind.pl/?id=740

Source: MISC
Type: Vendor Advisory
https://kb.netgear.com/000063978/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Smart-Switches-PSV-2021-0140-PSV-2021-0144-PSV-2021-0145

Source: CCN
Type: NETGEAR Security Advisory: PSV-2021-0140-PSV-2021-0144-PSV-2021-0145
Security Advisory for Multiple Vulnerabilities on Some Smart Switches

Vulnerable Configuration:Configuration 1:
  • cpe:/o:netgear:gc108p_firmware:*:*:*:*:*:*:*:* (Version < 1.0.8.2)
  • AND
  • cpe:/h:netgear:gc108p:-:*:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/o:netgear:gc108pp_firmware:*:*:*:*:*:*:*:* (Version < 1.0.8.2)
  • AND
  • cpe:/h:netgear:gc108pp:-:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:netgear:gs108t_firmware:*:*:*:*:*:*:*:* (Version < 7.0.7.2)
  • AND
  • cpe:/h:netgear:gs108tv3:-:*:*:*:*:*:*:*

    • Configuration 4:
  • cpe:/o:netgear:gs110tpp_firmware:*:*:*:*:*:*:*:* (Version < 7.0.7.2)
  • AND
  • cpe:/h:netgear:gs110tpp:-:*:*:*:*:*:*:*

    • Configuration 5:
  • cpe:/o:netgear:gs110tp_firmware:*:*:*:*:*:*:*:* (Version < 7.0.7.2)
  • AND
  • cpe:/h:netgear:gs110tp:v3:*:*:*:*:*:*:*

    • Configuration 6:
  • cpe:/o:netgear:gs110tup_firmware:*:*:*:*:*:*:*:* (Version < 1.0.5.3)
  • AND
  • cpe:/h:netgear:gs110tup:-:*:*:*:*:*:*:*

    • Configuration 7:
  • cpe:/o:netgear:gs308t_firmware:*:*:*:*:*:*:*:* (Version < 1.0.3.2)
  • AND
  • cpe:/h:netgear:gs308t:-:*:*:*:*:*:*:*

    • Configuration 8:
  • cpe:/o:netgear:gs310tp_firmware:*:*:*:*:*:*:*:* (Version < 1.0.3.2)
  • AND
  • cpe:/h:netgear:gs310tp:-:*:*:*:*:*:*:*

    • Configuration 9:
  • cpe:/o:netgear:gs710tup_firmware:*:*:*:*:*:*:*:* (Version < 1.0.5.3)
  • AND
  • cpe:/h:netgear:gs710tup:-:*:*:*:*:*:*:*

    • Configuration 10:
  • cpe:/o:netgear:gs716tp_firmware:*:*:*:*:*:*:*:* (Version < 1.0.4.2)
  • AND
  • cpe:/h:netgear:gs716tp:-:*:*:*:*:*:*:*

    • Configuration 11:
  • cpe:/o:netgear:gs716tpp_firmware:*:*:*:*:*:*:*:* (Version < 1.0.4.2)
  • AND
  • cpe:/h:netgear:gs716tpp:-:*:*:*:*:*:*:*

    • Configuration 12:
  • cpe:/o:netgear:gs724tpp_firmware:*:*:*:*:*:*:*:* (Version < 2.0.6.3)
  • AND
  • cpe:/h:netgear:gs724tpp:-:*:*:*:*:*:*:*

    • Configuration 13:
  • cpe:/o:netgear:gs724tp_firmware:*:*:*:*:*:*:*:* (Version < 2.0.6.3)
  • AND
  • cpe:/h:netgear:gs724tp:v2:*:*:*:*:*:*:*

    • Configuration 14:
  • cpe:/o:netgear:gs728tpp_firmware:*:*:*:*:*:*:*:* (Version < 6.0.8.2)
  • AND
  • cpe:/h:netgear:gs728tpp:v2:*:*:*:*:*:*:*

    • Configuration 15:
  • cpe:/o:netgear:gs728tp_firmware:*:*:*:*:*:*:*:* (Version < 6.0.8.2)
  • AND
  • cpe:/h:netgear:gs728tp:v2:*:*:*:*:*:*:*

    • Configuration 16:
  • cpe:/o:netgear:gs750e_firmware:*:*:*:*:*:*:*:* (Version < 1.0.1.10)
  • AND
  • cpe:/h:netgear:gs750e:-:*:*:*:*:*:*:*

    • Configuration 17:
  • cpe:/o:netgear:gs752tpp_firmware:*:*:*:*:*:*:*:* (Version < 6.0.8.2)
  • AND
  • cpe:/h:netgear:gs752tpp:-:*:*:*:*:*:*:*

    • Configuration 18:
  • cpe:/o:netgear:gs752tp_firmware:*:*:*:*:*:*:*:* (Version < 6.0.8.2)
  • AND
  • cpe:/h:netgear:gs752tp:v2:*:*:*:*:*:*:*

    • Configuration 19:
  • cpe:/o:netgear:ms510txm_firmware:*:*:*:*:*:*:*:* (Version < 1.0.4.2)
  • AND
  • cpe:/h:netgear:ms510txm:-:*:*:*:*:*:*:*

    • Configuration 20:
  • cpe:/o:netgear:ms510txup_firmware:*:*:*:*:*:*:*:* (Version < 1.0.4.2)
  • AND
  • cpe:/h:netgear:ms510txup:-:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/h:netgear:gc108p:-:*:*:*:*:*:*:*
  • OR cpe:/h:netgear:gc108pp:-:*:*:*:*:*:*:*
  • OR cpe:/h:netgear:gs110tpp:v1:*:*:*:*:*:*:*
  • OR cpe:/h:netgear:gs110tp:v3:*:*:*:*:*:*:*
  • OR cpe:/h:netgear:gs110tup:v1:*:*:*:*:*:*:*
  • OR cpe:/h:netgear:gs728tp:v2:*:*:*:*:*:*:*
  • OR cpe:/h:netgear:gs752tp:v2:*:*:*:*:*:*:*
  • OR cpe:/h:netgear:ms510txm:-:*:*:*:*:*:*:*
  • OR cpe:/h:netgear:ms510txup:-:*:*:*:*:*:*:*
  • OR cpe:/h:netgear:gs110tup:v1:*:*:*:*:*:*:*
  • OR cpe:/h:netgear:gs750e:-:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    netgear gc108p firmware *
    netgear gc108p -
    netgear gc108pp firmware *
    netgear gc108pp -
    netgear gs108t firmware *
    netgear gs108tv3 -
    netgear gs110tpp firmware *
    netgear gs110tpp -
    netgear gs110tp firmware *
    netgear gs110tp v3
    netgear gs110tup firmware *
    netgear gs110tup -
    netgear gs308t firmware *
    netgear gs308t -
    netgear gs310tp firmware *
    netgear gs310tp -
    netgear gs710tup firmware *
    netgear gs710tup -
    netgear gs716tp firmware *
    netgear gs716tp -
    netgear gs716tpp firmware *
    netgear gs716tpp -
    netgear gs724tpp firmware *
    netgear gs724tpp -
    netgear gs724tp firmware *
    netgear gs724tp v2
    netgear gs728tpp firmware *
    netgear gs728tpp v2
    netgear gs728tp firmware *
    netgear gs728tp v2
    netgear gs750e firmware *
    netgear gs750e -
    netgear gs752tpp firmware *
    netgear gs752tpp -
    netgear gs752tp firmware *
    netgear gs752tp v2
    netgear ms510txm firmware *
    netgear ms510txm -
    netgear ms510txup firmware *
    netgear ms510txup -
    netgear gc108p -
    netgear gc108pp -
    netgear gs110tpp v1
    netgear gs110tp v3
    netgear gs110tup v1
    netgear gs728tp v2
    netgear gs752tp v2
    netgear ms510txm -
    netgear ms510txup -
    netgear gs110tup v1
    netgear gs750e -