CVE-2020-35221
📋 TL;DR
This vulnerability allows attackers who capture network traffic to crack passwords on affected NETGEAR switches by exploiting weak hashing in the NSDP authentication protocol. Attackers can generate password collisions or infer password parts, potentially gaining administrative access. Organizations using these specific NETGEAR switch models with vulnerable firmware are affected.
💻 Affected Systems
- NETGEAR ProSAFE Plus JGS516PE
- NETGEAR ProSAFE Plus GS116Ev2
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full administrative compromise of network switches, enabling network traffic interception, configuration changes, VLAN manipulation, and potential lateral movement to other systems.
Likely Case
Unauthorized administrative access to switches, allowing network disruption, configuration tampering, and credential harvesting from network traffic.
If Mitigated
Limited impact if switches are isolated, network monitoring detects unusual authentication attempts, and strong perimeter controls prevent external access.
🎯 Exploit Status
Exploitation requires network packet capture capability. The NCC Group research includes technical details that could be used to create exploit tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check NETGEAR for latest firmware updates
Vendor Advisory: https://kb.netgear.com/000062641/Security-Advisory-for-Password-Hashing-Vulnerability-on-Some-Switches-PSV-2020-0221
Restart Required: Yes
Instructions:
1. Log into switch management interface. 2. Navigate to firmware update section. 3. Download latest firmware from NETGEAR support site. 4. Upload and apply firmware update. 5. Reboot switch after update completes.
🔧 Temporary Workarounds
Disable NSDP authentication
allUse alternative authentication methods if available in switch configuration
Network segmentation
allIsolate switch management interfaces to trusted networks only
🧯 If You Can't Patch
- Implement strict network access controls to prevent unauthorized access to switch management interfaces
- Enable comprehensive logging and monitoring for authentication attempts and configuration changes
🔍 How to Verify
Check if Vulnerable:
Check switch firmware version via web interface or CLI. If version is v2.6.0.43 on affected models, device is vulnerable.Check Version:
Via web interface: System Information page. Via CLI: 'show version' or similar command depending on switch model.Verify Fix Applied:
Verify firmware version has been updated to a version later than v2.6.0.43. Check NETGEAR advisory for specific patched versions.📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts
- Unexpected successful logins from unusual IPs
- Configuration changes from unauthorized users
Network Indicators:
- Unusual NSDP protocol traffic patterns
- Packet capture tools running on network segments with switches
SIEM Query:
source="switch_logs" AND (event_type="authentication" AND result="success" AND user NOT IN authorized_users) OR (event_type="configuration_change" AND user NOT IN admin_users)