NETGEAR is aware of a security issue in the ProSAFE Plus Configuration Utility that allows an unauthenticated user to change settings on NETGEAR switches that the ProSAFE Plus Utility can configure. This insecure Simple Object Access Protocol (SOAP) access vulnerability can only be exploited from a computer on the local network and must be exploited while the utility is running.
This vulnerability is present in the following utility versions:
- ProSAFE Plus Configuration Utility versions earlier than 2.3.29
This vulnerability affects all products that can be configured with the ProSAFE Plus Configuration Utility:
- FS116E
- GS105E
- GS105Ev2
- GS105PE
- GS108Ev1
- GS108Ev2
- GS108Ev3
- GS108PEv1
- GS108PEv2
- GS108PEv3
- GS116E
- GS116Ev2
- GS408EPP
- GSS108E
- GSS108EPP
- GSS116E
- JFS524E
- JGS516PE
- JGS524E
- JGS524Ev2
- JGS524PE
- XS708E
- XS708Ev2
- XS716E
NETGEAR has released an update to the ProSAFE Plus Configuration Utility that fixes the insecure SOAP access vulnerability. ProSAFE Plus Configuration Utility versions 2.3.29 and later are not affected by this vulnerability.
NETGEAR recommends that all users upgrade to the latest version of the ProSAFE Plus Utility as soon as possible.
To download the latest version of the ProSAFE Plus Configuration Utility:
- Visit the NETGEAR Download Center.
- Under Search for, select the check box next to Firmware/Software.
- Enter ProSAFE Plus Utility in the search box and click the magnifying glass.
- Select ProSAFE Plus Utility from the drop-down menu.
- Click the most recent version, which is the one closest to the top of the list.
The download starts as soon as you select a destination for the download.
- (Optional) To view the release notes for this utility version, click Release Notes.
- Unzip the new utility version to an easy-to-find location, such as your desktop.
- Double-click the new utility version and click Yes to confirm that you want to upgrade to the new version of the utility.
- Follow the on-screen instructions to install the latest version of the ProSAFE Plus Utility.
The potential for insecure SOAP access remains if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by upgrading to the latest version of the ProSAFE Plus Configuration Utility as recommended in this notification.
We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being proactive rather than reactive to emerging security issues is fundamental for product support at NETGEAR.
It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those who use NETGEAR products for their connectivity.
To report a security vulnerability, visit https://bugcrowd.com/netgear.
If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com.
For all other issues, visit http://www.netgear.com/about/security/.
The security@netgear.com email address is no longer accepting messages and is no longer actively monitored.
Last Updated: 04/13/2017 | Article ID: 000038443