CVE-2023-38095
📋 TL;DR
This vulnerability allows remote attackers to upload arbitrary files to NETGEAR ProSAFE Network Management System, leading to remote code execution with SYSTEM privileges. Exploitation requires authentication, but the authentication mechanism can be bypassed. Affected installations of NETGEAR ProSAFE Network Management System are vulnerable to complete system compromise.
💻 Affected Systems
- NETGEAR ProSAFE Network Management System
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with SYSTEM privileges, allowing an attacker to install malware, exfiltrate data, pivot to other systems, and maintain persistent access.
Likely Case
Remote code execution leading to installation of backdoors, credential theft, and lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation, file upload restrictions, and authentication hardening are in place.
🎯 Exploit Status
Exploitation requires bypassing authentication, and the bypass is documented. The ZDI-CAN-19717 reference suggests detailed exploitation knowledge exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.0.22
Vendor Advisory: https://kb.netgear.com/000065707/Security-Advisory-for-Multiple-Vulnerabilities-on-the-ProSAFE-Network-Management-System-PSV-2023-0024-PSV-2023-0025
Restart Required: Yes
Instructions:
1. Download version 1.7.0.22 from NETGEAR support portal.
2. Backup current configuration.
3. Install the update following NETGEAR's upgrade guide.
4. Restart the system.
5. Verify the update was successful.
🔧 Temporary Workarounds
Restrict File Upload Access
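Platform: Linux. Block access to file upload endpoints at the network perimeter.
iptables -A INPUT -p tcp --dport [NMS_PORT] -m string --string "MFileUploadController" --algo bm -j DROP
Note: the string match inspects raw packet payloads, so it only matches requests sent in cleartext and cannot see the URI inside an HTTPS session. The INPUT chain covers traffic addressed to the host running the rule; on a gateway in front of the NMS the equivalent rule belongs in the FORWARD chain.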
Network Segmentation
Platform: All. Isolate the NMS system from the internet and restrict internal access.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the NMS system
- Deploy a web application firewall with file upload restrictions and authentication bypass detection
🔍 How to Verify
Check if Vulnerable:
Check NMS version in web interface or via system information. Versions below 1.7.0.22 are vulnerable.
Check Version:
Check web interface at https://[NMS_IP]:[PORT]/system/info or equivalent endpoint
Verify Fix Applied:
Verify version shows 1.7.0.22 or higher in system information. Test file upload functionality with malicious payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to MFileUploadController endpoints
- Authentication bypass attempts
- Unexpected SYSTEM privilege processes
Network Indicators:
- POST requests to file upload endpoints with unusual file extensions
- Traffic patterns indicating file uploads followed by command execution
SIEM Query:
source="NMS" AND (uri="*MFileUploadController*" OR process="cmd.exe" OR process="powershell.exe")
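An added example, not part of the original advisory or any NETGEAR tooling: a Python triage pass over web access logs for the "unusual file uploads to MFileUploadController endpoints" indicator above. The combined log format, the `/example/` URI prefix and the `10.0.5.0/24` management subnet are assumptions; substitute what your deployment actually logs.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in NCSA combined log format (assumed format).
# The "/example/" path prefix is a placeholder, not the product's real route.
SAMPLE_LOG = """\
10.0.5.10 - - [12/Sep/2023:09:14:02 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.5.10 - - [12/Sep/2023:09:15:40 +0000] "POST /example/MFileUploadController HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.0.2.77 - - [12/Sep/2023:23:41:09 +0000] "POST /example/MFileUploadController HTTP/1.1" 200 298 "-" "curl/8.1"
192.0.2.77 - - [12/Sep/2023:23:41:15 +0000] "GET /example/MFileUploadController HTTP/1.1" 405 0 "-" "curl/8.1"
this line is not a valid access log entry
"""

# Assumed management subnet from which uploads are expected.
ADMIN_NETS = [ip_network("10.0.5.0/24")]

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_upload_events(log_text, admin_nets=ADMIN_NETS):
    """Return POSTs to the upload controller, graded by source address."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line or not an upload attempt
        if "mfileuploadcontroller" not in m["uri"].lower():
            continue
        try:
            src = ip_address(m["src"])
        except ValueError:
            continue  # hostname or garbage in the source field
        trusted = any(src in net for net in admin_nets)
        events.append({
            "time": m["ts"],
            "src": str(src),
            "uri": m["uri"],
            "status": int(m["status"]),
            # Uploads from outside the management subnet are never expected.
            "severity": "review" if trusted else "alert",
        })
    return events

if __name__ == "__main__":
    for event in find_upload_events(SAMPLE_LOG):
        print(event["severity"].upper(), event["time"], event["src"], event["uri"], event["status"])
```

Uploads graded `review` still deserve a look on unpatched versions, since the source address alone does not show whether the session was legitimately authenticated.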
🔗 References
- https://kb.netgear.com/000065707/Security-Advisory-for-Multiple-Vulnerabilities-on-the-ProSAFE-Network-Management-System-PSV-2023-0024-PSV-2023-0025
- https://www.zerodayinitiative.com/advisories/ZDI-23-921/