CVE-2023-49693 – This vulnerability allows unauthenticated remot... (How to Fix)

Q: What is the severity of CVE-2023-49693?

CVE-2023-49693 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows unauthenticated remote attackers to execute arbitrary code on NETGEAR ProSAFE Network Management System devices by exploiting the exposed Java Debug Wire Protocol (JDWP) service on port 11611. It affects organizations using NETGEAR NMS300 systems for network management, potentially leading to complete system compromise.

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to execute arbitrary code on NETGEAR ProSAFE Network Management System devices by exploiting the exposed Java Debug Wire Protocol (JDWP) service on port 11611. It affects organizations using NETGEAR NMS300 systems for network management, potentially leading to complete system compromise.

💻 Affected Systems

Products:

NETGEAR ProSAFE Network Management System 300 (NMS300)

Versions: All versions prior to 1.7.0.15

Operating Systems: Linux-based embedded OS

Default Config Vulnerable: ⚠️ Yes

Notes: The JDWP service is enabled by default on port 11611 and accessible to all network interfaces.

📦 What is this software?

Prosafe Network Management System by Netgear

View all CVEs affecting Prosafe Network Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover with administrative privileges, data exfiltration, lateral movement to other network devices, and persistent backdoor installation.

🟠

Likely Case

Remote code execution leading to network reconnaissance, credential theft, and deployment of ransomware or other malware.

🟢

If Mitigated

Limited to network scanning and service enumeration if proper network segmentation and firewall rules are in place.

🌐 Internet-Facing: HIGH - Directly exploitable from the internet without authentication, enabling remote attackers to gain full control.

🏢 Internal Only: HIGH - Even internally, this provides unauthenticated attackers with a powerful foothold for lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

JDWP exploitation tools are widely available, making this trivial to exploit with existing frameworks like Metasploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.0.15

Vendor Advisory: https://kb.netgear.com/000065886/Security-Advisory-for-Sensitive-Information-Disclosure-on-the-NMS300-PSV-2023-0126

Restart Required: Yes

Instructions:

1. Download firmware version 1.7.0.15 from NETGEAR support site. 2. Log into NMS300 web interface. 3. Navigate to Administration > Firmware Update. 4. Upload and install the new firmware. 5. Reboot the system after installation completes.

🔧 Temporary Workarounds

Block JDWP Port at Firewall

linux

Block inbound and outbound traffic to port 11611/TCP at network firewalls to prevent remote exploitation.

iptables -A INPUT -p tcp --dport 11611 -j DROP
iptables -A OUTPUT -p tcp --dport 11611 -j DROP

Disable JDWP Service

linux

Disable the Java Debug Wire Protocol service if debugging functionality is not required.

systemctl stop nms-jdwp-service
systemctl disable nms-jdwp-service

🧯 If You Can't Patch

Isolate the NMS300 system on a dedicated management VLAN with strict access controls.
Implement network segmentation to prevent the NMS300 from communicating with critical infrastructure.

🔍 How to Verify

Check if Vulnerable:

Run 'nmap -p 11611 <nms_ip>' to check if port 11611 is open and accessible. If open, the system is vulnerable.

Check Version:

curl -k https://<nms_ip>/api/system/info | grep version

Verify Fix Applied:

Check the firmware version in the web interface under Administration > System Information. Verify it shows 1.7.0.15 or later.

📡 Detection & Monitoring

Log Indicators:

Unusual Java process spawns
Connection attempts to port 11611 from unexpected sources
JDWP protocol traffic in application logs

Network Indicators:

TCP connections to port 11611 from external IPs
JDWP protocol handshake patterns in network traffic

SIEM Query:

source_port=11611 OR dest_port=11611 | stats count by src_ip, dest_ip

📊 Metadata

CVE ID: CVE-2023-49693

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-306

Published: November 29, 2023

Last Updated: November 21, 2024

🔗 References

https://kb.netgear.com/000065886/Security-Advisory-for-Sensitive-Information-Disclosure-on-the-NMS300-PSV-2023-0126 Vendor Advisory
https://www.tenable.com/security/research/tra-2023-39 Exploit,Third Party Advisory
https://kb.netgear.com/000065886/Security-Advisory-for-Sensitive-Information-Disclosure-on-the-NMS300-PSV-2023-0126 Vendor Advisory
https://www.tenable.com/security/research/tra-2023-39 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-49693, you might also want to check these: