Overview
The Netgear ProSafe Plus Configuration Utility exposes password information via the configuration backup file.
Description
CWE-200 - Information Exposure The Netgear ProSafe Plus Configuration Utility provides a feature to back up switch configuration. In the backup file, the device password is clearly visible in plaintext. |
Impact
An unauthenticated attacker with access to the configuration backup file may be able to retrieve the administrative password to the device. |
Solution
The CERT/CC is currently unaware of a practical solution to this problem. |
Network administrators choosing to use configuration backup files should ensure that they are not accessible to unauthorized users. |
Vendor Information
396212
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 2.9 | AV:A/AC:M/Au:N/C:P/I:N/A:N |
| Temporal | 2.8 | E:F/RL:U/RC:C |
| Environmental | 2.0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
This document was written by Joel Land.
Other Information
| CVE IDs: | CVE-2014-4864 |
| Date Public: | 2014-09-08 |
| Date First Published: | 2014-09-08 |
| Date Last Updated: | 2014-09-08 19:17 UTC |
| Document Revision: | 14 |