CVE-2023-38102
📋 TL;DR
This vulnerability allows an authenticated attacker to bypass authorization checks in the createUser function of NETGEAR ProSAFE Network Management System, creating privileged accounts and thereby escalating to administrative resources. All installations running a version earlier than the fixed release are affected.
💻 Affected Systems
- NETGEAR ProSAFE Network Management System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control over the network management system, allowing them to create new admin accounts, modify configurations, and potentially compromise managed network devices.
Likely Case
Attackers with existing low-privilege accounts escalate to administrative privileges, gaining unauthorized access to sensitive network management functions.
If Mitigated
With proper network segmentation and access controls, impact is limited to the NMS system itself without lateral movement to managed devices.
🎯 Exploit Status
Requires authentication but bypasses authorization checks. Exploitation is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.7.0.34
Vendor Advisory: https://kb.netgear.com/000065707/Security-Advisory-for-Multiple-Vulnerabilities-on-the-ProSAFE-Network-Management-System-PSV-2023-0024-PSV-2023-0025
Restart Required: Yes
Instructions:
1. Download version 1.7.0.34 from the NETGEAR support portal.
2. Back up the current configuration.
3. Install the update following NETGEAR's installation guide.
4. Restart the NMS service.
🔧 Temporary Workarounds
Network Segmentation
Isolate the NMS system from general network access
Access Restriction
Restrict access to the NMS to trusted IP addresses only (Linux host firewall example; order matters, the ACCEPT rule must precede the DROP rule)
iptables -A INPUT -p tcp --dport [NMS_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [NMS_PORT] -j DROP
🧯 If You Can't Patch
- Remove all non-essential user accounts from the NMS system
- Implement strict network access controls and monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check NMS version in web interface or via system information. If version is below 1.7.0.34, system is vulnerable.
Check Version:
Check web interface at http://[NMS_IP]/about or examine installed software version in control panel.
Verify Fix Applied:
Verify version shows 1.7.0.34 or higher after update installation.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized createUser API calls
- User privilege escalation events
- Multiple failed authentication attempts followed by successful createUser
Network Indicators:
- HTTP POST requests to createUser endpoint from non-admin accounts
- Unusual account creation patterns
SIEM Query:
source="nms_logs" AND (event="createUser" OR event="user_created") AND user_role!="admin"
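As an added example that is not part of the original advisory or of any NETGEAR tooling, the following Python script combines the two checks described above: the version comparison from the "How to Verify" section (with the usual string-comparison pitfall handled by numeric tuple comparison) and the two log indicators from this section, namely createUser events from non-admin roles and a run of failed logins followed by a createUser from the same source. The key=value log format, field names (event, user_role, src) and sample lines are constructed assumptions; real ProSAFE NMS logs will need their own parser.

```python
"""Triage helper for CVE-2023-38102: version check plus log-based detection.

Assumed log format (constructed for this example, not the real NMS format):
  ts=<iso8601> event=<name> user=<login> user_role=<role> src=<ip> ...
"""
import re
from collections import defaultdict

# Fixed version taken from the vendor advisory.
PATCHED_VERSION = (1, 7, 0, 34)

# Constructed sample log lines for the example run.
SAMPLE_LOGS = [
    "ts=2023-08-01T10:00:01Z event=login_failed user=bob src=10.0.0.5",
    "ts=2023-08-01T10:00:03Z event=login_failed user=bob src=10.0.0.5",
    "ts=2023-08-01T10:00:05Z event=login_failed user=bob src=10.0.0.5",
    "ts=2023-08-01T10:00:08Z event=login_success user=bob user_role=operator src=10.0.0.5",
    "ts=2023-08-01T10:00:12Z event=createUser user=bob user_role=operator "
    "src=10.0.0.5 new_user=svc_admin new_role=admin",
    "ts=2023-08-01T11:00:00Z event=createUser user=alice user_role=admin "
    "src=10.0.0.9 new_user=helpdesk new_role=operator",
]


def parse_version(version: str) -> tuple:
    """Turn '1.7.0.34' into (1, 7, 0, 34) so comparison is numeric, not lexical.

    A plain string comparison would wrongly treat '1.7.0.9' as newer than
    '1.7.0.34'; tuples of ints compare component by component.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True when the installed version is below the fixed release."""
    return parse_version(version) < PATCHED_VERSION


def parse_log_line(line: str) -> dict:
    """Split a key=value log line into a dict (assumed format)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def detect(lines, failed_threshold: int = 3) -> list:
    """Return (indicator, record) pairs for the two log indicators.

    - non_admin_createUser: account creation by a caller whose role is not admin
    - failed_logins_then_createUser: >= failed_threshold failed logins from a
      source IP followed by a createUser from that same source
    """
    alerts = []
    failed_by_src = defaultdict(int)
    for line in lines:
        rec = parse_log_line(line)
        event = rec.get("event")
        src = rec.get("src", "unknown")
        if event == "login_failed":
            failed_by_src[src] += 1
            continue
        if event in ("createUser", "user_created"):
            if rec.get("user_role") != "admin":
                alerts.append(("non_admin_createUser", rec))
            if failed_by_src[src] >= failed_threshold:
                alerts.append(("failed_logins_then_createUser", rec))
                failed_by_src[src] = 0  # reset so one burst yields one alert
    return alerts


if __name__ == "__main__":
    for ver in ("1.7.0.9", "1.7.0.34"):
        print(f"version {ver}: {'VULNERABLE' if is_vulnerable(ver) else 'patched'}")
    for indicator, rec in detect(SAMPLE_LOGS):
        print(f"ALERT {indicator}: user={rec.get('user')} src={rec.get('src')} "
              f"new_user={rec.get('new_user')} new_role={rec.get('new_role')}")
```

In the sample data only bob's createUser is flagged (twice, once per indicator); alice's admin-role account creation is not, matching the SIEM query's user_role!="admin" filter. Feeding real exports into detect() requires adapting parse_log_line to the actual log layout.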
🔗 References
- https://kb.netgear.com/000065707/Security-Advisory-for-Multiple-Vulnerabilities-on-the-ProSAFE-Network-Management-System-PSV-2023-0024-PSV-2023-0025
- https://www.zerodayinitiative.com/advisories/ZDI-23-914/