CVE-2020-35229
📋 TL;DR
This vulnerability allows attackers with network access to reuse authentication tokens indefinitely on affected NETGEAR switches, effectively bypassing authentication and gaining administrative privileges. It affects NETGEAR JGS516PE and GS116Ev2 switches running vulnerable firmware versions. Attackers need to capture network traffic containing a valid token to exploit this flaw.
💻 Affected Systems
- NETGEAR JGS516PE
- NETGEAR GS116Ev2
⚠️ Risk & Real-World Impact
Worst Case
Full administrative compromise of the switch allowing configuration changes, traffic interception, network disruption, and potential lateral movement to other network devices.
Likely Case
Unauthorized administrative access to the switch enabling configuration changes, VLAN manipulation, and network monitoring.
If Mitigated
Limited impact if switches are isolated from untrusted networks and proper network segmentation is in place.
🎯 Exploit Status
Exploitation requires capturing a valid authentication token from network traffic and then reusing it in subsequent requests. There is no authentication bypass for acquiring the initial token.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.6.0.44 or later
Vendor Advisory: https://kb.netgear.com/000062641/Security-Advisory-for-Authentication-Token-Reuse-on-Some-Smart-Managed-Plus-Switches-PSV-2020-0213
Restart Required: Yes
Instructions:
1. Log into NETGEAR support portal.
2. Download firmware v2.6.0.44 or later.
3. Upload firmware to switch via web interface.
4. Reboot switch after installation.
🔧 Temporary Workarounds
Network Segmentation
Isolate switch management interfaces from untrusted networks and user VLANs
Disable Unnecessary Protocols
Disable NSDP protocol if not required for management
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach switch management interfaces
- Monitor network traffic for unusual NSDP protocol activity and token reuse patterns
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface: System > Maintenance > Firmware Update. If version is v2.6.0.43 or earlier, device is vulnerable.
Check Version:
No CLI command available. Use web interface: System > Maintenance > Firmware Update
Verify Fix Applied:
After patching, verify firmware version shows v2.6.0.44 or later. Test that authentication tokens expire properly after use.
📡 Detection & Monitoring
Log Indicators:
- Multiple successful administrative actions from same IP with same token
- Unusual configuration changes from unexpected sources
Network Indicators:
- Repeated NSDP protocol requests with same authentication token
- NSDP traffic from unauthorized network segments
SIEM Query:
source_ip=* AND protocol=NSDP AND auth_token=* GROUP BY auth_token COUNT > 1
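
An added example (not from NETGEAR or the original page) of the token-reuse check described under Detection & Monitoring. Instead of flagging every token seen more than once, it flags a token that appears from more than one source or stays in use past a lifetime limit. The event records are constructed, the field names follow the SIEM query above plus an assumed `ts` timestamp, and the 15-minute `max_lifetime` is an assumed policy threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real device logs). Field names follow the
# page's SIEM query; the "ts" field and its ISO format are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2021-03-01T09:00:05", "source_ip": "10.0.10.5", "protocol": "NSDP", "auth_token": "tok-A"},
    {"ts": "2021-03-01T09:01:10", "source_ip": "10.0.10.5", "protocol": "NSDP", "auth_token": "tok-A"},
    {"ts": "2021-03-01T09:02:00", "source_ip": "10.0.10.7", "protocol": "NSDP", "auth_token": "tok-B"},
    {"ts": "2021-03-01T18:45:00", "source_ip": "10.0.99.23", "protocol": "NSDP", "auth_token": "tok-A"},
    {"ts": "2021-03-01T09:03:00", "source_ip": "10.0.10.7", "protocol": "HTTP", "auth_token": "tok-C"},
]


def find_token_reuse(events, max_lifetime=timedelta(minutes=15)):
    """Return {token: [reasons]} for NSDP tokens that look replayed.

    max_lifetime is an assumed policy threshold, not a vendor value.
    """
    seen = defaultdict(lambda: {"ips": set(), "times": []})
    for ev in events:
        # Only NSDP events that actually carry a token are relevant.
        if ev.get("protocol") != "NSDP" or not ev.get("auth_token"):
            continue
        entry = seen[ev["auth_token"]]
        entry["ips"].add(ev["source_ip"])
        entry["times"].append(datetime.fromisoformat(ev["ts"]))

    findings = {}
    for token, entry in seen.items():
        reasons = []
        # Same token presented by different hosts: likely captured and replayed.
        if len(entry["ips"]) > 1:
            reasons.append("multiple_sources")
        # Token still accepted long after first use: it never expired.
        if max(entry["times"]) - min(entry["times"]) > max_lifetime:
            reasons.append("lifetime_exceeded")
        if reasons:
            findings[token] = reasons
    return findings


if __name__ == "__main__":
    for token, reasons in find_token_reuse(SAMPLE_EVENTS).items():
        print(token, ", ".join(reasons))
```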