CVE-2024-5245

7.8 HIGH

📋 TL;DR

This vulnerability allows local attackers with low-privileged access to escalate to SYSTEM privileges on NETGEAR ProSAFE Network Management System installations. Attackers can exploit default MySQL credentials in the installer to execute arbitrary code. Only users running affected NETGEAR NMS versions are impacted.

💻 Affected Systems

Products:
  • NETGEAR ProSAFE Network Management System (NMS300)
Versions: Prior to 1.7.0.20
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations where default MySQL credentials were not changed during or after installation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, data theft, and lateral movement within the network.

🟠 Likely Case

Local privilege escalation leading to administrative control over the NMS system, potentially compromising managed network devices.

🟢 If Mitigated

Impact is limited to compromise of a low-privileged user, with no ability to escalate, provided proper access controls and credential management are implemented.

🌐 Internet-Facing: LOW - Requires local access to the system, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Internal attackers with low-privileged access can achieve full system compromise.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires existing low-privileged access to the system. Exploitation involves using known default credentials to access the MySQL database with elevated privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.0.20

Vendor Advisory: https://kb.netgear.com/000066164/Security-Advisory-for-Multiple-Vulnerabilities-on-the-NMS300-PSV-2024-0003-PSV-2024-0004

Restart Required: Yes

Instructions:

1. Download NMS300 version 1.7.0.20 from the NETGEAR support site.
2. Back up the current configuration.
3. Run the installer as administrator.
4. Follow the upgrade prompts.
5. Restart the system after installation completes.

🔧 Temporary Workarounds

Change MySQL Default Credentials

Windows

Manually change the default MySQL root password used by the NMS installer

mysql -u root -p[default_password]
ALTER USER 'root'@'localhost' IDENTIFIED BY 'new_strong_password';
FLUSH PRIVILEGES;

Restrict Local User Access

Windows

Implement strict access controls to prevent unauthorized local users from accessing the NMS system

🧯 If You Can't Patch

  • Isolate the NMS system on a dedicated management VLAN with strict access controls
  • Implement application whitelisting to prevent execution of unauthorized code on the NMS host

🔍 How to Verify

Check if Vulnerable:

Check the NMS version under Help > About. If the version is earlier than 1.7.0.20, the system is vulnerable. Also check whether MySQL is still using the default credentials.

Check Version:

Check Help > About in the NMS GUI, or look up the installed version under installed programs in the Windows Control Panel.

Verify Fix Applied:

Confirm that Help > About shows version 1.7.0.20 or later. Test that the default MySQL credentials no longer provide access.

📡 Detection & Monitoring

Log Indicators:

  • Failed MySQL authentication attempts followed by successful login with default credentials
  • Unusual process execution with SYSTEM privileges from non-admin accounts
  • Installation of new services or scheduled tasks

Network Indicators:

  • Unexpected outbound connections from NMS system
  • Database connection attempts from unauthorized IPs

SIEM Query:

( EventID=4625 (failed logon) AND AccountName='root' )
OR
( EventID=4688 (process creation) AND NewProcessName contains 'cmd.exe' AND SubjectUserName not in admin_users )
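
The first log indicator above (failed MySQL authentication attempts followed by a successful login) written as correlation logic. This is an added example, not part of the original advisory or any vendor tooling. It assumes MySQL connection events have already been parsed into records with the hypothetical fields `ts`, `user`, `host` and `ok`; the five-minute window and the failure threshold are illustrative choices.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed correlation window
MIN_FAILURES = 2                # assumed threshold before a success is flagged

def find_fail_then_success(events, window=WINDOW, min_failures=MIN_FAILURES):
    """Return one alert per successful login that was preceded by at least
    min_failures failed attempts for the same (user, host) inside the window."""
    recent_failures = {}   # (user, host) -> deque of failure timestamps
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        fails = recent_failures.setdefault((ev["user"], ev["host"]), deque())
        # Drop failures that have aged out of the window.
        while fails and ev["ts"] - fails[0] > window:
            fails.popleft()
        if not ev["ok"]:
            fails.append(ev["ts"])
            continue
        if len(fails) >= min_failures:
            alerts.append({"user": ev["user"], "host": ev["host"],
                           "success_at": ev["ts"], "failures": len(fails)})
        fails.clear()   # a success resets the failure streak
    return alerts

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

# Constructed sample events (hypothetical field names, not from a real system).
SAMPLE_EVENTS = [
    {"ts": parse_ts("2024-06-01 10:00:00"), "user": "root", "host": "localhost", "ok": False},
    {"ts": parse_ts("2024-06-01 10:00:20"), "user": "root", "host": "localhost", "ok": False},
    {"ts": parse_ts("2024-06-01 10:00:45"), "user": "root", "host": "localhost", "ok": True},
    # Failure long before the login: outside the window, no alert.
    {"ts": parse_ts("2024-06-01 08:00:00"), "user": "nms", "host": "localhost", "ok": False},
    {"ts": parse_ts("2024-06-01 11:00:00"), "user": "nms", "host": "localhost", "ok": True},
    # Single failure before success: below the threshold, no alert.
    {"ts": parse_ts("2024-06-01 12:00:00"), "user": "root", "host": "localhost", "ok": False},
    {"ts": parse_ts("2024-06-01 12:00:10"), "user": "root", "host": "localhost", "ok": True},
]

if __name__ == "__main__":
    for alert in find_fail_then_success(SAMPLE_EVENTS):
        print(alert)
```

Lowering `min_failures` to 1 also flags the single mistyped password at 12:00, which shows how the threshold trades sensitivity against noise.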
