CVE-2023-38098
Published 2024-05-03
- Priority: P2 (77)
- Severity: high, CVSS 3.1 base score 8.8
- Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Exploit: public exploit available
- EPSS: 9.79% (94.9th percentile)
NETGEAR ProSAFE Network Management System UpLoadServlet Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
The specific flaw exists within the UpLoadServlet class. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-19720.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netgear | prosafe_network_management_system | < 1.7.0.20 | 1.7.0.20 |
| netgear | prosafe_network_management_system | — | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated or authentication-bypassed HTTP requests targeting the UpLoadServlet endpoint on NETGEAR ProSAFE NMS installations.
- Detect arbitrary file uploads (e.g., web shells or executables) via the UpLoadServlet or FileUploadController endpoints; successful exploitation results in code execution as SYSTEM.
- Alert on exploitation chains involving authentication bypass combined with file upload requests to NETGEAR ProSAFE NMS300, particularly targeting the FileUploadController and MyHandlerInterceptor classes.
- Watch for Meterpreter session establishment originating from NETGEAR NMS300 host processes running as SYSTEM, which may indicate successful exploitation.
- Authentication is required to exploit this vulnerability, but the existing authentication mechanism can be bypassed; treat all NMS300 HTTP sessions as potentially untrusted.
- The Metasploit module has been confirmed to work against NMS300 versions 1.5.0.2, 1.4.0.17, 1.1.0.13, 1.7.0.12, and 1.7.0.1; detections should cover all these versions.
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v3.0: 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
No detection rules found.
References
- https://kb.netgear.com/000065707/Security-Advisory-for-Multiple-Vulnerabilities-on-the-ProSAFE-Network-Management-System-PSV-2023-0024-PSV-2023-0025
- https://www.zerodayinitiative.com/advisories/ZDI-23-918/