NETGEAR is aware of a security issue that can allow an attacker to bypass authentication on some models of NETGEAR Web Managed Switches and gain access to a switch’s configuration file and password. This vulnerability can be exploited only when an attacker is on the same subnet as the switch.
This vulnerability affects the following products:
- JGS516PE
- JGS524Ev2
- JGS524PE
- GS105Ev2
- GS105PE
- GS108Ev3
- GS108PEv3
- GS116Ev2
- GSS108E
- GSS116E
- XS708Ev2
- XS716E
Firmware fixes are currently available for all affected products. NETGEAR strongly recommends that all affected users download the firmware version that fixes the authentication bypass vulnerability as soon as possible.
To download the firmware update that fixes the authentication bypass vulnerability:
- Visit the NETGEAR Download Center.
- Under Search for, select the check box next to Firmware/Software.
- Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.
  If you do not see a drop-down menu, make sure that you entered your model number correctly, or use the product drilldown to find your model.
- Click on the most recent firmware version, which is the one closest to the top of the list.
  The firmware download starts as soon as you select a destination for the download.
  Make sure that you download a file marked as a firmware version and not as a software utility.
- (Optional) To view the release notes for this firmware version, click Release Notes.
- Unzip the new firmware to an easy-to-find location, such as your desktop.
- Install the new firmware according to the instructions in your product’s user manual, which is available under Documentation in the Download Center.
The potential for authentication bypass remains if you do not update your firmware. NETGEAR is not responsible for any consequences that could have been avoided by updating your firmware as recommended in this notification.
We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being proactive rather than reactive to emerging security issues is fundamental for product support at NETGEAR.
It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those who use NETGEAR products for their connectivity.
To report a security vulnerability, visit https://bugcrowd.com/netgear.
If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com.
For all other issues, visit http://www.netgear.com/about/security/.
The security@netgear.com email address is no longer accepting messages and is no longer actively monitored.
Last Updated: 05/11/2017 | Article ID: 000037849