CVE-2024-6813
📋 TL;DR
This vulnerability allows authenticated remote attackers to execute arbitrary SQL commands on NETGEAR ProSAFE Network Management System installations, potentially leading to remote code execution with SYSTEM privileges. It affects organizations using the vulnerable NMS300 software for network management.
💻 Affected Systems
- NETGEAR ProSAFE Network Management System 300 (NMS300)
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, allowing an attacker to install malware, exfiltrate data, pivot to other systems, or disrupt network operations.
Likely Case
Data theft, privilege escalation, and potential lateral movement within the network environment.
If Mitigated
Limited to authenticated user's permissions if proper input validation and least privilege principles are implemented.
🎯 Exploit Status
SQL injection vulnerabilities are commonly weaponized, and this one leads to RCE with high privileges. Authentication requirement is the main barrier.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.0.15
Vendor Advisory: https://kb.netgear.com/000066231/Security-Advisory-for-SQL-Injection-on-the-NMS300-PSV-2024-0018
Restart Required: Yes
Instructions:
1. Download NMS300 version 1.7.0.15 from NETGEAR support site.
2. Backup current configuration.
3. Run the installer to upgrade.
4. Restart the NMS service or system.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to NMS management interface to trusted IP addresses only.
Use firewall rules to limit TCP/443 access to NMS interface from authorized management stations only.
Credential Hardening
Implement strong authentication controls and monitor for suspicious login attempts.
Enforce complex passwords, enable account lockout policies, and implement multi-factor authentication if supported.
🧯 If You Can't Patch
- Isolate the NMS system on a dedicated management VLAN with strict access controls.
- Implement a web application firewall (WAF) with SQL injection protection rules in front of the NMS.
🔍 How to Verify
Check if Vulnerable:
Check NMS version in web interface under Help > About. If version is below 1.7.0.15, system is vulnerable.
Check Version:
Check web interface at https://[nms-ip]/help/about or examine installed programs in Windows Control Panel.
Verify Fix Applied:
Verify version shows 1.7.0.15 or higher after patching. SQL injection test attempts should be blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by successful login
- Unexpected process execution with SYSTEM privileges
Network Indicators:
- SQL injection patterns in HTTP POST requests to NMS endpoints
- Unusual outbound connections from NMS server
SIEM Query:
source="nms_logs" AND (http_uri="*getSortString*" AND http_post_data MATCHES "*UNION*|*SELECT*|*INSERT*|*UPDATE*|*DELETE*")
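
The SIEM query above, carried out over log lines as an added example (not NETGEAR's or this page's own code): it URL-decodes the POST body and matches whole keywords, so encoded input is caught and a field such as `updated_at` does not fire. The tab-separated log layout, the `/nms/...` paths and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Keywords from the page's SIEM query; matched as whole words, case-insensitively.
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
URI_MARKER = "getsortstring"  # endpoint substring named in the page's query

# Constructed sample. Assumed (hypothetical) layout, tab-separated:
# timestamp, client IP, method, URI, POST body. URI paths are placeholders.
SAMPLE_LOG = "\n".join([
    "2024-07-01T10:00:01Z\t10.0.5.20\tPOST\t/nms/getSortString\tsort=name&order=asc",
    "2024-07-01T10:00:07Z\t10.0.5.77\tPOST\t/nms/getSortString\tsort=name%20UNION%20SELECT%201",
    "2024-07-01T10:00:09Z\t10.0.5.20\tPOST\t/nms/deviceList\tfilter=select+all",
    "2024-07-01T10:00:12Z\t10.0.5.77\tPOST\t/nms/getSortString\tsort=updated_at",
    "malformed line without enough fields",
])

def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded keywords are still visible."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_requests(log_text):
    """Return (timestamp, client, keywords) for POSTs matching the page's SIEM query."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # skip lines that do not fit the assumed layout
        ts, client, method, uri, body = fields
        if method.upper() != "POST" or URI_MARKER not in uri.lower():
            continue
        found = sorted({m.upper() for m in SQL_KEYWORDS.findall(decode_fully(body))})
        if found:
            hits.append((ts, client, found))
    return hits

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```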