Multiple vulnerabilities in NETGEAR NMS300
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2024-5247 CVE-2024-5245 CVE-2024-5246 CVE-2024-5505 |
| CWE-ID | CWE-434 CWE-1392 CWE-20 CWE-22 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #3 is available. |
| Vulnerable software |
NMS300 Hardware solutions / Routers & switches, VoIP, GSM, etc |
| Vendor | NETGEAR |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
Updated 06.06.2024
Added vulnerability #4
1) Arbitrary file upload
EUVDB-ID: #VU89818
Risk: Medium
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-5247
CWE-ID:
CWE-434 - Unrestricted Upload of File with Dangerous Type
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload within the UpLoadServlet class. A remote user can upload a malicious file and execute it on the server.
MitigationInstall updates from vendor's website.
Vulnerable software versionsNMS300: before 1.7.0.37
CPE2.3 External linkshttps://www.zerodayinitiative.com/advisories/ZDI-24-498/
https://kb.netgear.com/000066165/Security-Advisory-for-Missing-Function-Level-Access-Control-on-the-NMS300-PSV-2024-0005
https://www.zerodayinitiative.com/advisories/ZDI-24-515/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use of default credentials
EUVDB-ID: #VU89820
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-5245
CWE-ID:
CWE-1392 - Use of Default Credentials
Exploit availability: No
DescriptionThe vulnerability allows a local user to compromise the affected system.
The vulnerability exists due to the use of default MySQL credentials within the product installer. A local user can execute arbitrary code with elevated privileges.
MitigationInstall updates from vendor's website.
Vulnerable software versionsNMS300: before 1.7.0.37
CPE2.3 External linkshttps://www.zerodayinitiative.com/advisories/ZDI-24-496/
https://kb.netgear.com/000066164/Security-Advisory-for-Multiple-Vulnerabilities-on-the-NMS300-PSV-2024-0003-PSV-2024-0004
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU89819
Risk: Medium
CVSSv4.0: 7.4 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2024-5246
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists within the product installer due to the use of a vulnerable version of Apache Tomcat. A remote user can execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsNMS300: before 1.7.0.37
CPE2.3 External linkshttps://www.zerodayinitiative.com/advisories/ZDI-24-497/
https://kb.netgear.com/000066164/Security-Advisory-for-Multiple-Vulnerabilities-on-the-NMS300-PSV-2024-0003-PSV-2024-0004
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Path traversal
EUVDB-ID: #VU91261
Risk: Medium
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-5505
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences within the UpLoadServlet class. A remote user can send a specially crafted HTTP request and read arbitrary files on the system, leading to arbitrary code execution.
MitigationInstall update from vendor's website.
Vulnerable software versionsNMS300: before 1.7.0.37
CPE2.3 External linkshttps://www.zerodayinitiative.com/advisories/ZDI-24-563/
https://kb.netgear.com/000066192/Security-Advisory-for-Missing-Function-Level-Access-Control-on-the-NMS300-PSV-2024-0008
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
