search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Netgear ProSafe Plus Configuration Utility writes out plaintext passwords to backup configuration files

Vulnerability Note VU#396212

Original Release Date: 2014-09-08 | Last Revised: 2014-09-08

Overview

The Netgear ProSafe Plus Configuration Utility exposes password information via the configuration backup file.

Description

CWE-200 - Information Exposure

The Netgear ProSafe Plus Configuration Utility provides a feature to back up switch configuration. In the backup file, the device password is clearly visible in plaintext.

Impact

An unauthenticated attacker with access to the configuration backup file may be able to retrieve the administrative password to the device.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Network administrators choosing to use configuration backup files should ensure that they are not accessible to unauthorized users.

Vendor Information

396212
 
Expand all

Netgear, Inc. Affected

Notified:  July 25, 2014 Updated: September 02, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 2.9 AV:A/AC:M/Au:N/C:P/I:N/A:N
Temporal 2.8 E:F/RL:U/RC:C
Environmental 2.0 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2014-4864
Date Public: 2014-09-08
Date First Published: 2014-09-08
Date Last Updated: 2014-09-08 19:17 UTC
Document Revision: 14

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis