Executive Summary

Summary
Title: Netgear ProSafe Plus Configuration Utility writes out plaintext passwords to backup configuration files

Information
Name: VU#396212
First vendor Publication: 2014-09-08
Vendor: VU-CERT
Last vendor Modification: 2014-09-08
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

Cvss vector: (AV:A/AC:L/Au:N/C:P/I:N/A:N)
Cvss Base Score: 3.3
Attack Range: Adjacent network
Cvss Impact Score: 2.9
Attack Complexity: Low
Cvss Exploit Score: 6.5
Authentication: None Required

Detail

Vulnerability Note VU#396212

Netgear ProSafe Plus Configuration Utility writes out plaintext passwords to backup configuration files

Original Release date: 08 Sep 2014 | Last revised: 08 Sep 2014

Overview

The Netgear ProSafe Plus Configuration Utility exposes password information via the configuration backup file.

Description

CWE-200 - Information Exposure

The Netgear ProSafe Plus Configuration Utility provides a feature to back up switch configuration. In the backup file, the device password is clearly visible in plaintext.

Impact

An unauthenticated attacker with access to the configuration backup file may be able to retrieve the administrative password to the device.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Network administrators choosing to use configuration backup files should ensure that they are not accessible to unauthorized users.

Vendor Information

Vendor          Status     Date Notified   Date Updated
Netgear, Inc.   Affected   25 Jul 2014     02 Sep 2014

CVSS Metrics

Group           Score   Vector
Base            2.9     AV:A/AC:M/Au:N/C:P/I:N/A:N
Temporal        2.8     E:F/RL:U/RC:C
Environmental   2.0     CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://kb.netgear.com/app/answers/detail/a_id/12048/~/prosafe-plus-switches-faq
  • http://cwe.mitre.org/data/definitions/200.html

Credit

This document was written by Joel Land.

Other Information

  • CVE IDs: CVE-2014-4864
  • Date Public: 08 Sep 2014
  • Date First Published: 08 Sep 2014
  • Date Last Updated: 08 Sep 2014
  • Document Revision: 13


Original Source

Url : http://www.kb.cert.org/vuls/id/396212

CWE : Common Weakness Enumeration

%       Id        Name
100 %   CWE-255   Credentials Management

CPE : Common Platform Enumeration

Type   Description   Count
Os                   7

Alert History

Date                  Information
2014-09-10 21:29:28   Multiple Updates
2014-09-10 17:27:26   Multiple Updates
2014-09-09 00:20:43   First insertion