NETGEAR has released a firmware update to address a vulnerability in its WMS5316 ProSafe 16AP Wireless Management System that could result in authentication bypass and privilege escalation.
The flaw was discovered by Elliott Lewis of Reinforce Services back in April 2015, and was responsibly disclosed with the vendor, which has made a new firmware version available for download to resolve the issue.
The issue has been found to affect all WMS5316 ProSafe 16AP Wireless Management System devices that are running firmware version 18.104.22.168 (Build 1236), but there is a possibility that other firmware releases are also affected. Firmware version 2.1.5 includes a fix for the flaw.
As disclosed on the Full Disclosure mailing list, NETGEAR confirmed that it discovered the vulnerability in other products as well, but did not offer additional details on the matter.
The process of exploiting the flaw to bypass the authentication process and escalate privileges is a rather simple one, given that it only requires for an attacker to include the "&" symbol anywhere in the password value in the login request.
It appears that the system automatically accepts the provided credentials and offers access to the Graphical User Interface, although the account would appear restricted (this would be only the client side). Next, the attacker can send a request to add a new administrative user, which is then available for use.
According to Lewis, this is not the only manner in which the aforementioned products can be exploited. An attacker can also "modify the Java code on its way down to a browser to enable all of the admin functions rather than creating a new user."
This method of bypassing the authentication process also works, which means that cybercriminals do not necessarily need to create a new users to gain access to the affected Wireless Management System. The researcher notes that the bypass "user" gains full admin access if needed and that there are few indicators of compromise.
On its support website, NETGEAR notes that the newly released firmware version 2.1.5 offers a fix for a "security vulnerability where unauthenticated login possible and gain full admin access," and another for a "security vulnerability where authentication can be bypassed and unauthenticated OS command can be injected."
Owners of WMS5316 ProSafe 16AP Wireless Management System devices are advised to update them to the latest software version. Details on how to perform the update can be found on NETGEAR's website.