CVE-2021-40866
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to change the admin password on affected NETGEAR smart switches by sending specially crafted NSDP packets to the sccd daemon. The flaw occurs because the daemon fails to check authentication when the authentication TLV is missing from packets. This affects multiple NETGEAR smart switch models running vulnerable firmware versions.
💻 Affected Systems
- GC108P
- GC108PP
- GS108Tv3
- GS110TPP
- GS110TPv3
- GS110TUP
- GS308T
- GS310TP
- GS710TUP
- GS716TP
- GS716TPP
- GS724TPP
- GS724TPv2
- GS728TPPv2
- GS728TPv2
- GS750E
- GS752TPP
- GS752TPv2
- MS510TXM
- MS510TXUP
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of network switching infrastructure, allowing attackers to reconfigure VLANs, intercept traffic, disable ports, or use the switch as a pivot point to attack other network segments.
Likely Case
Unauthorized admin access to switches, enabling network reconnaissance, traffic manipulation, and potential denial of service through configuration changes.
If Mitigated
Limited impact if switches are properly segmented, have restricted management interfaces, and are monitored for unauthorized configuration changes.
🎯 Exploit Status
Exploitation requires sending crafted NSDP packets to UDP port 63322. Public proof-of-concept code exists demonstrating the attack.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: See the vendor advisory below for the fixed firmware version of each affected model
Vendor Advisory: https://kb.netgear.com/000063978/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Smart-Switches-PSV-2021-0140-PSV-2021-0144-PSV-2021-0145
Restart Required: Yes
Instructions:
1. Identify affected switch models and their current firmware versions.
2. Download the appropriate firmware update for each model from the NETGEAR support site.
3. Upload the firmware to the switch via the web interface or CLI.
4. Apply the update and reboot the switch.
🔧 Temporary Workarounds
Disable sccd daemon
Disable the vulnerable sccd daemon if it is not required for network operations.
Configuration varies by model - consult NETGEAR documentation for the CLI/web interface commands to disable sccd.
Restrict management access
Limit access to switch management interfaces to trusted IP addresses only.
Configure ACLs to restrict access to UDP port 63322 and other management ports.
🧯 If You Can't Patch
- Segment switches on isolated management VLANs with strict access controls
- Implement network monitoring for unauthorized NSDP traffic and configuration changes
🔍 How to Verify
Check if Vulnerable:
Check the switch firmware version via the web interface (System Information) or CLI (show version) and compare it against the fixed versions listed in the vendor advisory.
Check Version:
CLI: show version | include Firmware
Verify Fix Applied:
Confirm the running firmware version matches or exceeds the fixed version for that model listed in the vendor advisory.
📡 Detection & Monitoring
Log Indicators:
- Unexpected admin password changes
- Unauthorized configuration modifications
- Failed authentication attempts followed by successful admin actions
Network Indicators:
- NSDP packets (UDP 63322) from unauthorized sources
- Unusual traffic patterns to/from switch management interfaces
SIEM Query:
Example: (destination_port:63322 AND protocol:UDP) OR (event_type:"password change" AND device_type:"switch")
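The indicators above can be turned into a small correlation rule. The following is an added example, not part of the advisory or any NETGEAR tooling: it runs over constructed flow records and syslog-style switch events (the record and field names, the management allowlist, and the log format are all assumptions) and flags (a) UDP/63322 traffic from hosts outside the management allowlist and (b) admin password changes, marking those preceded by a failed login from the same source, then joins the two on source address.

```python
"""Detection helper for the CVE-2021-40866 indicators (added example).

Assumes flow records as dicts and switch events as 'ts host FACILITY: msg k=v ...'
lines; both formats are constructed for this example, as is the allowlist.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

NSDP_PORT = 63322  # UDP port used by the sccd daemon (from the advisory)

# Constructed: networks from which NSDP management traffic is expected.
MGMT_ALLOWLIST = [ip_network("10.0.99.0/24")]

# Constructed flow records (e.g. exported from a NetFlow/IPFIX collector).
SAMPLE_FLOWS = [
    {"ts": "2021-09-20T10:00:01", "src": "10.0.99.5", "dst": "10.0.1.2", "proto": "UDP", "dport": 63322},
    {"ts": "2021-09-20T10:03:12", "src": "10.0.42.77", "dst": "10.0.1.2", "proto": "UDP", "dport": 63322},
    {"ts": "2021-09-20T10:03:15", "src": "10.0.42.77", "dst": "10.0.1.2", "proto": "TCP", "dport": 443},
]

# Constructed syslog-style events as a switch might forward them.
SAMPLE_EVENTS = [
    "2021-09-20T10:03:13 switch-core-1 AUTH: login failed user=admin from=10.0.42.77",
    "2021-09-20T10:03:20 switch-core-1 CONFIG: admin password changed by=admin from=10.0.42.77",
    "2021-09-20T11:15:00 switch-core-1 CONFIG: vlan 20 added by=admin from=10.0.99.5",
]


def unauthorized_nsdp_flows(flows, allowlist=MGMT_ALLOWLIST):
    """Return flows to UDP/63322 whose source is outside the management allowlist."""
    hits = []
    for f in flows:
        if f["proto"].upper() != "UDP" or f["dport"] != NSDP_PORT:
            continue
        src = ip_address(f["src"])
        if not any(src in net for net in allowlist):
            hits.append(f)
    return hits


def parse_event(line):
    """Split one constructed event line into timestamp, host, facility and k=v fields."""
    ts, host, facility, rest = line.split(" ", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "facility": facility.rstrip(":"), "msg": rest, **fields}


def suspicious_password_changes(events, window=timedelta(minutes=10)):
    """Alert on every admin password change; note a preceding failed login from the same source."""
    parsed = [parse_event(line) for line in events]
    failures = [e for e in parsed if "login failed" in e["msg"]]
    alerts = []
    for e in parsed:
        if "password changed" not in e["msg"]:
            continue
        src = e.get("from")
        preceded = any(f.get("from") == src and timedelta(0) <= e["ts"] - f["ts"] <= window
                       for f in failures)
        alerts.append({"ts": e["ts"].isoformat(), "host": e["host"], "from": src,
                       "preceded_by_failed_login": preceded})
    return alerts


def correlate(flows, events):
    """High-confidence hits: a password change from a source that also sent unauthorized NSDP traffic."""
    nsdp_sources = {f["src"] for f in unauthorized_nsdp_flows(flows)}
    return [a for a in suspicious_password_changes(events) if a["from"] in nsdp_sources]


if __name__ == "__main__":
    for hit in correlate(SAMPLE_FLOWS, SAMPLE_EVENTS):
        print("ALERT", hit)
```

Because the vulnerability lets a password change succeed without any prior authentication, the failed-login precondition is only a supporting signal; every password change is reported, and the join on source address is what raises confidence. In production the allowlist and the event parser would be replaced by the SIEM's own asset inventory and parsers.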
🔗 References
- https://gynvael.coldwind.pl/?id=740
- https://kb.netgear.com/000063978/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Smart-Switches-PSV-2021-0140-PSV-2021-0144-PSV-2021-0145