CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:A/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
99.2%
Netgear Management System NMS300, version 1.5.0.11 and earlier, is vulnerable to arbitrary file upload, which may be leveraged by unauthenticated users to execute arbitrary code with SYSTEM privileges. A directory traversal vulnerability enables authenticated users to download arbitrary files.
Netgear Management System NMS300 is a configuration, monitoring, and diagnostics utility for managing SNMP networked devices via a web interface.
CWE-434: Unrestricted Upload of File with Dangerous Type - CVE-2016-1524
Default installations of NMS300 operate two Java servlets, http://<IP>:8080/fileUpload.do
and http://<IP>:8080/lib-1.0/external/flash/fileUpload.do
, that can be accessed by unauthenticated users. By sending a specially crafted POST request to the servlets, an attacker can upload arbitrary files that will then be accessible from the NMS300 server’s root directory as http://<IP>:8080/``null<filename>
. The NMS300 server runs with SYSTEM privileges.
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) - CVE-2016-1525
NMS300 contains a directory traversal vulnerability. An authenticated attacker can manipulate the realName
parameter of a crafted POST request sent to http://<IP>:8080/data/config/image.do?method=add
to load an arbitrary local file from the server host to a predictable location in the web service. The file can then be downloaded from http://<IP>:8080/data/config/image.do?method=``export&imageId=<ID>
, where <ID> is a count that increments by one every time a file is uploaded in this manner.
For more information, refer to Pedro Ribeiro’s disclosure. The CVSS score describes CVE-2016-1524.
An unauthenticated attacker on the network can upload arbitrary files to the server’s root web directory, leading to data creation and arbitrary code execution with SYSTEM privileges. An authenticated attacker on the network can access any file on the server host.
The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround.
Restrict access
Enable firewall rules to restrict untrusted sources from accessing the web management interface.
777024
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: December 04, 2015 Updated: January 25, 2016
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 8.3 | AV:A/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 7.5 | E:POC/RL:U/RC:C |
Environmental | 5.6 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Pedro Ribeiro ([email protected]) of Agile Information Security for reporting this vulnerability.
This document was written by Joel Land.
CVE IDs: | CVE-2016-1524, CVE-2016-1525 |
---|---|
Date Public: | 2016-02-03 Date First Published: |
CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:A/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
99.2%