Critical security flaws discovered in Netgear NMS300 software

UK-based security firm Agile Information Security has announced that it has discovered serious issues with the Netgear NMS300 Prosafe network management system.

The software runs on Windows computers and allows system administrators to manage network devices such as switches, routers, firewalls and any other device that supports SNMP.

The software is free to use for networks with fewer than 200 devices, which makes it an attractive network management system for small and medium enterprises. However, critical flaws have been discovered in its web server application, which enables supervisors to remotely access and configure network devices. One flaw is that the application's web server allows unauthenticated users to upload files to the server. Because Netgear NMS300 runs on top of Windows under an administrator account, those uploaded files could then be executed with administrator privileges.

A second flaw allows files to be read from the underlying Windows OS and made available to be viewed or downloaded, in effect exposing everything on the host server.

The CERT Coordination Center at Carnegie Mellon University advises administrators who use the Netgear NMS300 application to restrict access from untrusted networks and to put firewall access lists in place that block remote access to the Netgear NMS300 for all but essential users.

Photo Credit: Pavel Ignatov/Shutterstock