CVE-2020-35231

8.8 HIGH

📋 TL;DR

This vulnerability allows attackers to bypass authentication controls in NETGEAR switches by exploiting flaws in the NSDP protocol implementation. Attackers can gain full administrative control of affected devices. This affects NETGEAR JGS516PE and GS116Ev2 switches running vulnerable firmware.

💻 Affected Systems

Products:
  • NETGEAR JGS516PE
  • NETGEAR GS116Ev2
Versions: v2.6.0.43
Operating Systems: Embedded switch firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with NSDP protocol enabled (typically enabled by default for management).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of network switch allowing traffic interception, VLAN hopping, network segmentation bypass, and persistent backdoor access to the entire network segment.

🟠 Likely Case

Unauthorized administrative access to switch configuration, enabling network reconnaissance, traffic redirection, and denial of service attacks.

🟢 If Mitigated

Limited impact if switches are isolated in management VLANs with strict access controls, though authentication bypass still presents significant risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Technical details and a proof-of-concept are publicly available in the NCC Group advisory. Exploitation requires network access to the switch management interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.6.0.48 or later

Vendor Advisory: https://kb.netgear.com/000062641/Security-Advisory-for-Authentication-Bypass-on-Some-Smart-Managed-Plus-Switches-PSV-2020-0220

Restart Required: Yes

Instructions:

1. Download latest firmware from NETGEAR support site.
2. Log into switch web interface.
3. Navigate to Maintenance > Firmware Upgrade.
4. Upload and install new firmware.
5. Reboot switch after installation completes.

🔧 Temporary Workarounds

Disable NSDP Protocol

Disable the vulnerable NSDP protocol if not required for network operations.

Configure via web interface: System > Management > NSDP > Disable

Restrict Management Access

Limit management interface access to trusted IP addresses only.

Configure via web interface: System > Management > Access Control > Add trusted IP ranges

🧯 If You Can't Patch

  • Isolate affected switches in dedicated management VLAN with strict firewall rules
  • Implement network segmentation to limit lateral movement if switch is compromised

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface: System > Management > Firmware Version. If version is v2.6.0.43 or earlier, device is vulnerable.

Check Version:

Web interface: System > Management > Firmware Version

Verify Fix Applied:

Verify firmware version is v2.6.0.48 or later after patching. Test authentication controls by attempting unauthorized NSDP protocol access.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized authentication attempts via NSDP
  • Unexpected configuration changes
  • Multiple failed login attempts followed by successful access

Network Indicators:

  • NSDP protocol traffic from unauthorized sources
  • Unexpected management traffic patterns
  • Port scanning targeting switch management interfaces

SIEM Query:

source_ip=* AND destination_port=63322 AND protocol=UDP AND (event_type="authentication_failure" OR event_type="configuration_change")
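
The "NSDP protocol traffic from unauthorized sources" indicator can also be checked offline against exported flow records. The script below is an added example, not part of the original advisory or any vendor tooling; the flow-record layout, the trusted management subnet and the sample records are constructed assumptions, and only the UDP port 63322 comes from the query above.

```python
import ipaddress

NSDP_PORT = 63322  # UDP port taken from the SIEM query above
# Assumption: the only subnet allowed to send NSDP to switches.
TRUSTED_NETS = [ipaddress.ip_network("10.10.99.0/24")]

# Constructed sample records: "timestamp proto src_ip src_port dst_ip dst_port"
SAMPLE_FLOWS = """\
2021-01-12T09:00:01Z UDP 10.10.99.5 51000 10.10.20.2 63322
2021-01-12T09:00:07Z UDP 10.10.30.44 40212 10.10.20.2 63322
2021-01-12T09:00:08Z UDP 10.10.30.44 40213 10.10.20.3 63322
2021-01-12T09:00:09Z TCP 10.10.30.44 40214 10.10.20.2 80
2021-01-12T09:00:11Z UDP 10.10.30.44 40215 255.255.255.255 63322
malformed line
2021-01-12T09:00:15Z UDP 192.0.2.77 5353 10.10.20.2 63322
"""

def parse_flow(line):
    """Return (proto, src, dst, dport), or None for a malformed record."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        return (parts[1].upper(), ipaddress.ip_address(parts[2]),
                ipaddress.ip_address(parts[4]), int(parts[5]))
    except ValueError:
        return None

def is_trusted(addr):
    """True if the source address is inside an allowed management subnet."""
    return any(addr in net for net in TRUSTED_NETS)

def untrusted_nsdp_sources(log_text):
    """Map each untrusted source IP to the set of NSDP destinations it contacted."""
    hits = {}
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # skip unparseable records instead of aborting the run
        proto, src, dst, dport = flow
        if proto == "UDP" and dport == NSDP_PORT and not is_trusted(src):
            hits.setdefault(str(src), set()).add(str(dst))
    return hits

if __name__ == "__main__":
    for src, dsts in sorted(untrusted_nsdp_sources(SAMPLE_FLOWS).items()):
        scope = "multiple targets" if len(dsts) > 1 else "single target"
        print(f"ALERT {src} -> {len(dsts)} NSDP destination(s) [{scope}]")
```
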
