¡¾·ì϶¹«¸æ¡¿NetgearÖÇÄÜ»¥»»»ú9Ô¶à¸ö°²È«·ì϶

°ä²¼¹¦·ò 2021-09-07

0x00 ·ì϶¸ÅÊö

Netgear£¨ÃÀ¹úÍø¼þ¹«Ë¾£©ÊÇÈ«Çòµ±ÏȵÄÆóÒµÍøÂç½â¾ö¹æ»®ÌṩÉ̺ÍÊý×Ö¼ÒÍ¥ÍøÂçÀûÓÃÌᳫÕߣ¬ÎªÈ«ÇòÉÌÓÃÆóÒµÓû§ºÍ¼ÒÍ¥Ó×ÎÒÓû§ÌṩÇá±ãµÄ¸ßÖÊÁ¿ÍøÂç½â¾ö¹æ»®¡£Í¬Ê±£¬NetgearÒ²ÔÚΪȫÇò¶¥¼¶ÔËÓªÉÌÌṩÍøÂç²úÆ·£¬ÒÔÔ®ÊÖÔËÓªÉÌΪÆäÓû§¹¹½¨Êý×Ö¼ÒÍ¥¡£

2021Äê9ÔÂ3ÈÕ£¬Netgear°ä²¼°²È«²¼¸æ£¬½¨¸´ÁËÆä¶àÖÖ²úÆ·£¨ÖØҪΪÖÇÄÜ»¥»»»ú£©ÖеÄ3¸ö°²È«·ì϶£¬¹¥»÷Õß¿ÉÄÜ»áÀÄÓÃÕâЩ·ì϶À´½ÚÔìÊÜÓ°ÏìµÄÉ豸¡£

 

0x01 ·ì϶ÏêÇé

image.png

Netgear ½«ÕâЩ·ì϶¼ø±ðΪ PSV-2021-0140¡¢PSV-2021-0144ºÍPSV-2021-0145£¬Ä¿Ç°ÔÝδ·ÖÅäCVE±àºÅ¡£Õâ3¸ö·ì϶µÄ´úºÅ±ðÀëΪ:

Demon's Cries

¸Ã·ì϶ΪÉí·ÝÑéÖ¤Èƹý·ì϶£¬ÆäCVSSv3ÆÀ·ÖΪ8.8/9.8¡£¹¥»÷ÕßÄܹ»ÀûÓô˷ì϶½ÚÔìÒ×Êܹ¥»÷µÄÉ豸£¬µ«ÒªÀûÓô˷ì϶£¬±ØÒªNetgear ÖÇÄܽÚÔìÖÐÐÄ (SCC) Ö°ÄÜ´¦Óڻ״̬£¬¶øĬÈÏÅäÖÃÖÐÒѽ«Æä¹Ø¹Ø¡£Ä¿Ç°´Ë·ì϶µÄPoC/EXPÒѾ­¹«¿ª¡£

 

Draconian Fear

¸Ã·ì϶ΪÉí·ÝÑéÖ¤½Ù³Ö·ì϶£¬ÆäCVSSv3ÆÀ·ÖΪ7.8¡£¸Ã·ì϶±ØÒªÓëÖÎÀíÔ±Ò»ÑùµÄ±¾µØ IP µØÖ·À´½Ù³Ö»á»°Êèµ¼ÐÅÏ¢£¬³É¹¦ÀûÓô˷ì϶µÄ¹¥»÷Õß½«Õ¼ÓжÔÉ豸 Web Óû§½çÃæµÄÖÎÀíÔ±½Ó¼ûȨÏÞ£¬´Ó¶øÆëÈ«½ÚÔìÉ豸¡£¸Ã·ì϶µÄ¹¥»÷ÏòÁ¿Îª±¾µØ£¬¹¥»÷¸´ÔӶȵÍ£¬ÇÒÎÞÐèÓû§½»»¥¡£Ä¿Ç°´Ë·ì϶µÄPoC/EXPÒѾ­¹«¿ª¡£

 

Seventh Inferno

¸Ã·ì϶µÄ¾ßÌåÐÅÏ¢½«ÓÚ 9 Ô 13 ÈÕ»òÖ®ºó°ä²¼£¬Ä¿Ç°ÉÐδ¹«¿ª¡£

 

0x02 ´ëÖý¨Òé

Ä¿Ç°NETGEAR ÒÑÕë¶ÔÒÔϲúÆ·ÐͺÁ÷ÅÉĶà¸ö°²È«·ì϶°ä²¼Á˲¹¶¡£¬½¨ÒéʹÓÃÒÔÏÂÊÜÓ°ÏìÐͺŵÄÓû§ÊµÊ±Éý¼¶¸üÐÂÖÁ×îа汾£º

GC108P£¨×îй̼þ°æ±¾£º1.0.8.2£©

GC108PP£¨×îй̼þ°æ±¾£º1.0.8.2£©

GS108Tv3£¨×îй̼þ°æ±¾£º7.0.7.2£©

GS110TPP£¨×îй̼þ°æ±¾£º7.0.7.2£©

GS110TPv3£¨×îй̼þ°æ±¾£º7.0.7.2£©

GS110TUP£¨×îй̼þ°æ±¾£º1.0.5.3£©

GS308T£¨×îй̼þ°æ±¾£º1.0.3.2£©

GS310TP£¨×îй̼þ°æ±¾£º1.0.3.2£©

GS710TUP£¨×îй̼þ°æ±¾£º1.0.5.3£©

GS716TP£¨×îй̼þ°æ±¾£º1.0.4.2£©

GS716TPP£¨×îй̼þ°æ±¾£º1.0.4.2£©

GS724TPP£¨×îй̼þ°æ±¾£º2.0.6.3£©

GS724TPv2£¨×îй̼þ°æ±¾£º2.0.6.3£©

GS728TPPv2£¨×îй̼þ°æ±¾£º6.0.8.2£©

GS728TPv2£¨×îй̼þ°æ±¾£º6.0.8.2£©

GS750E£¨×îй̼þ°æ±¾£º1.0.1.10£©

GS752TPP£¨×îй̼þ°æ±¾£º6.0.8.2£©

GS752TPv2£¨×îй̼þ°æ±¾£º6.0.8.2£©

MS510TXM£¨×îй̼þ°æ±¾£º1.0.4.2£©

MS510TXUP£¨×îй̼þ°æ±¾£º1.0.4.2£©

 

ÏÂÔØÁ´½Ó£º

https://www.netgear.com/support/

 

0x03 ²Î¿¼Á´½Ó

https://kb.netgear.com/000063978/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Smart-Switches-PSV-2021-0140-PSV-2021-0144-PSV-2021-0145

https://thehackernews.com/2021/09/critical-auth-bypass-bug-affect-netgear.html

https://www.bleepingcomputer.com/news/security/netgear-fixes-severe-security-bugs-in-over-a-dozen-smart-switches/

https://gynvael.coldwind.pl/?id=740

https://gynvael.coldwind.pl/?id=741

 

0x04 ¸üа汾

°æ±¾

ÈÕÆÚ

Åú¸ÄÄÚÈÝ

V1.0

2021-09-07

³õ´Î°ä²¼

 

0x05 Îĵµ¸½Â¼

CNVD£ºwww.cnvd.org.cn

CNNVD£ºwww.cnnvd.org.cn

CVE£ºcve.mitre.org

CVSS£ºwww.first.org

NVD£ºnvd.nist.gov

 

0x06 ¹ØÓÚGA»Æ½ð¼×

¹Ø×¢ÒÔϹ«¼ÒºÅ£¬»ñÈ¡¸ü¶à×ÊѶ£º

image.png