Executive Summary

Summary
Title NetGear WNAP210 remote password disclosure and password bypass vulnerability
Informations
Name VU#644812 First vendor Publication 2011-04-05
Vendor VU-CERT Last vendor Modification 2011-04-05
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score 6.8 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#644812

NetGear WNAP210 remote password disclosure and password bypass vulnerability

Overview

NetGear WNAP210 is vulnerable to remote administrator password disclosure and administrative web page login bypass.

I. Description

Netgear's ProSafe Wireless-N Access Point WNAP210 contains a vulnerability which may allow a remote unauthenticated attacker to recover the device's administrator password. An attacker with network access to the device can navigate to the web page http://NetGearDeviceIP/BackupConfig.php. The attacker will be prompted to download the device's configuration without entering any login credentials. This configuration file will contain the device's administrator password stored in plaintext.

A second vulnerability found in Netgear's ProSafe Wireless-N Access Point WNAP210 allows a remote unauthenticated attacker to bypass the device's login web page allowing the attacker to directly access the device's configuration web page. An attacker with network access to the device can navigate to the web page http://NetGearDeviceIP/recreate.php. The web page will display "recreateok". Next the attacker would navigate to the web page http://NetGearDeviceIP/index.php, permitting them direct access to the device's configuration web page without entering any login credentials.

This vulnerability has been reported in Netgear's ProSafe Wireless-N Access Point WNAP210 firmware version 2.0.12.

II. Impact

A remote unauthenticated attacker may be able to retrieve the device's administrator password, and bypass the device's login web page allowing them to directly access the device's configuration web page.

III. Solution

We are currently unaware of a practical solution to this problem.

Restrict network access

Restrict network access to the Netgear's ProSafe Wireless-N Access Point WNAP210 system web interface and other devices using open protocols like HTTP.

Vendor Information

VendorStatusDate NotifiedDate Updated
Netgear, Inc.Unknown2011-01-102011-01-10

References

http://www.netgear.com/products/business/access-points-wireless-controllers/access-points/WNAP210.aspx

Credit

Thanks to Trevor Seward for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

Date Public:2011-04-05
Date First Published:2011-04-05
Date Last Updated:2011-04-05
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Severity Metric:5.10
Document Revision:15

Original Source

Url : http://www.kb.cert.org/vuls/id/644812

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-310 Cryptographic Issues
50 % CWE-287 Improper Authentication

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1
Hardware 1

Open Source Vulnerability Database (OSVDB)

Id Description
73422 NetGear ProSafe WNAP210 recreate.php Configuration Page Remote Authentication...
73421 NetGear ProSafe WNAP210 BackupConfig.php Admin Password Remote Disclosure