NETGEAR is aware of a security vulnerability that can allow an unauthenticated attacker to execute commands with administrator privileges through the web interface of the M4300 family of fully managed switches and one model in the M4200 family of fully managed switches. This could allow an attacker to take over the switch, gain access to configuration files, or disrupt operation of the switch.
This vulnerability can only be exploited by an attacker who is able to reach the web interface of the switch. For most users, a firewall will block access from outside the local network.
This vulnerability affects the following products:
- M4200-10MG-POE+ (GSM4210P), firmware version 12.0.2.11 and earlier
- M4300-28G (GSM4328S), firmware version 12.0.2.11 and earlier
- M4300-52G (GSM4352S), firmware version 12.0.2.11 and earlier
- M4300-28G-POE+ (GSM4328PS), firmware version 12.0.2.11 and earlier
- M4300-52G-POE+ (GSM4352PS), firmware version 12.0.2.11 and earlier
- M4300-8X8F (XSM4316S), firmware version 12.0.2.11 and earlier
- M4300-12X12F (XSM4324S), firmware version 12.0.2.11 and earlier
- M4300-24X24F (XSM4348S), firmware version 12.0.2.11 and earlier
- M4300-24X (XSM4324CS), firmware version 12.0.2.11 and earlier
- M4300-48X (XSM4348CS), firmware version 12.0.2.11 and earlier
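An inventory check against this advisory, as an added example that is not NETGEAR's code: it compares firmware versions numerically against the 12.0.2.11 ceiling, so a lexical string comparison cannot misclassify a version such as 12.0.2.9 as newer. The hostnames and firmware versions in the sample inventory are constructed for the example.

```python
"""Flag switch inventory records that match the affected products in this
advisory (listed product IDs, firmware 12.0.2.11 and earlier).
Added example, not NETGEAR's own tooling; the inventory rows are constructed."""
import re

# Product IDs from the advisory; each listed model is affected on firmware
# up to and including 12.0.2.11.
AFFECTED_PRODUCT_IDS = {
    "GSM4210P", "GSM4328S", "GSM4352S", "GSM4328PS", "GSM4352PS",
    "XSM4316S", "XSM4324S", "XSM4348S", "XSM4324CS", "XSM4348CS",
}
LAST_AFFECTED_VERSION = (12, 0, 2, 11)


def parse_version(version: str) -> tuple:
    """Turn '12.0.2.11' into (12, 0, 2, 11). Comparing the raw strings would be
    wrong ('12.0.2.9' > '12.0.2.11' lexically), so compare integer tuples."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(product_id: str, firmware: str) -> bool:
    """True when the product ID is in the advisory list and the firmware
    version is 12.0.2.11 or earlier."""
    if product_id.upper() not in AFFECTED_PRODUCT_IDS:
        return False
    return parse_version(firmware) <= LAST_AFFECTED_VERSION


def triage(inventory: list) -> list:
    """Return the (hostname, product_id, firmware) rows that still need the fix."""
    return [row for row in inventory if is_affected(row[1], row[2])]


# Constructed sample inventory: hostnames and versions are made up here.
SAMPLE_INVENTORY = [
    ("core-sw-1", "GSM4328S", "12.0.2.11"),   # affected: exactly at the ceiling
    ("core-sw-2", "xsm4348cs", "12.0.2.9"),   # affected: earlier version
    ("edge-sw-3", "GSM4210P", "12.0.4.20"),   # hypothetical later version: not affected
    ("lab-sw-4", "GS108", "1.0.0.0"),          # model not in the advisory list
]

if __name__ == "__main__":
    for host, pid, fw in triage(SAMPLE_INVENTORY):
        print(f"{host}: {pid} on firmware {fw} needs the firmware update")
```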
NETGEAR has released firmware fixes for all affected products. NETGEAR strongly recommends that all affected users download the firmware update that fixes the unauthenticated remote code execution vulnerability as soon as possible.
To download the latest firmware for your NETGEAR product:
- Visit the NETGEAR Download Center.
- Under Search for, select the check box next to Firmware/Software.
- Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.
If you do not see a drop-down menu, make sure that you entered your model number correctly, or use the product drilldown to find your model.
- Click Release Notes under the most recent firmware version, which is the one closest to the top of the list.
Make sure that you are viewing release notes for a firmware version and not a software utility or an app. The title of the release notes page always begins with the words “Firmware Version.”
- Follow the instructions in the release notes to download and install the new firmware.
The potential for unauthenticated remote code execution remains if you do not update your firmware. NETGEAR is not responsible for any consequences that could have been avoided by updating your firmware as recommended in this notification.
We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.
It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.
To report a security vulnerability, visit https://bugcrowd.com/netgear.
If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com.
For all other issues, visit http://www.netgear.com/about/security/.
The security@netgear.com email address is no longer accepting messages and is no longer actively monitored.
Last Updated: 05/09/2017
Article ID: 000038655