Critical Vulnerability Across 18+ Network Switch Vendors: Cisco, Netgear, More

By: John Scanlan, Published on Aug 26, 2019

Cisco, Netgear and more than a dozen other brands, including small Asian ones, have been found to share the same critical vulnerability, discovered by prolific researcher bashis.

Most importantly, it shows supply chain risks with so many sharing the same fundamental software/hardware.

Inside, we report details on:

  • Vulnerability overview
  • Realtek response
  • Which manufacturers are affected
  • Why so many companies are vulnerable
  • Impact on the security industry
  • Supply chain risks

Those interested in cybersecurity within our industry should see our Cybersecurity Vulnerability Directory.

*****, ******* *** **** than * ***** ***** brands, ********* ***** ***** ones, **** **** ***** to ***** *** **** critical *************, ********** ** prolific ****************.

**** ***********, ** ***** supply ***** ***** **** so **** ******* *** same *********** ********/********.

******, ** ****** ******* on:

  • ************* ********
  • ******* ********
  • ***** ************* *** ********
  • *** ** **** ********* are **********
  • ****** ** *** ******** industry
  • ****** ***** *****

***** ********** ** ************* within *** ******** ****** see **************** ************* *********.

[***************]

Executive *******

Realtek Switch Controller

******* ************* *** *** the **** ******* ********* - ***************** ****** ********** *******. This ******** **** ******** that **** ****** *** which **** ** *** various ****** **** **** to ****** **** *************.

*********************

***** ****** **** *** included ******* *** ****** of ***** ********.

***** *** ******* *************** in *** *** ********* stack ********* ***** *********** remote **** *********, *** in *** ***** ** concept, ****** ** **** to *** *** ****** admin ***** ****** ** credentials.

No *** **** *******

**** **** ***********, ** 5 ******, ******* ******* no ******** *** *** for ****, ********* ******'* ******:

*************, ** ** ***, since *** ******* ******** in ***** ****, ** weren’t **** ** ******* any ********* ******** **** Realtek ********* ***** ******.

Manufacturers ********

******** ** ************ *** ********* ****** manufacturers:

Switch Manufacturers Affected by Vulnerable SDK

**** * ******** ** each ************'* ******** *** impacted ***** ** ** based ** *** *** of *** ******** ******* chip. *** *******, *********, **** *** *** series, **** ***** ***** business ****, ** **********. By ********, *** ***** 300 ****** ******** **** is *** *** *** Cisco's ********** ********.

*** ************* ** *** limited ** *** ****** manufacturers *****. ****** **** us **** *** ************* has **** ****** ** 18 ******* *** ***** are ***** ******* ** unconfirmed, ** **** ** likely **** **** ***** are **** ***** *** SDK, *** *** *** discovered.

Surveillance ******** ********

*********** ******* ************ ***** *** ** the ******** *********, ***** and *******, *** *** choices *** ***** ************ network ********.

Updated ****** ********

********* **** ******** ********* should ****** ********, ** it ** *********. *****, Netgear, *** ***** ************* have ******* ******** ****** the *************. ***** *** links ** *** ******* firmware *** *** *** largest *************:

***** *** **** ********:*****-**,*****-***,*****-**,*****-***,*****-**,*****-***,*****-**,*****-****,*****-**,*****-***,**-***-**

******* ****** ********:****** ******* **** ******,*********,**********,*********,********,*********,**********,*********,********

Supply ***** *****

**** **** ****** *** published ***** **** ** least * ***** ************* without ******* ********, ********* to ****.

*** **** ** *** vulnerability ******* * *********** risk, *** **** **** it *** ** ****** distributed *** ** **** to *** *** ******* brands ** *** **, underscores *** ********** *** dangers ** ********* ******** devices ** *** ***** code ******* ** **** hardware **********.

Comments (12)

Undisclosed #1

08/26/19 03:44pm

** ***** * *** ranking *** ****?

* ****** ** ***** require *** ****** ** exploit *** ** *** vulnerabilities, ************ ***** ******** are ******* *** ***** for ****** ********** ************.

bashis mcw

In reply to Undisclosed #1 | 08/26/19 07:32pm

************* * *** ***** more **** *** ********** devices ** *** ******** as ** *****...

***** ******* *.* ** the **** ********

***** ***** ******** *** Series ***** ******** ****** Code ********* ***************

*.* *** *** ******

***** ***** ******** *** Series ***** ******** ************** Bypass *************

*** *.* *** *** third

***** ***** ******** *** Series ***** ******** ******* Injection *************

Avatar

Jonathan de Chateau

In reply to bashis mcw | 08/27/19 08:54am

**** ***** ******* ** proven *************** ** ***** fit ** *** ***** items **** ********** ********, oh **** **'* *** chinese.

Undisclosed #1

In reply to Jonathan de Chateau | 08/27/19 09:32am

** **** **'* *** chinese

*** **** ** **** the ******* **** **********. The *************** *** ****** back ** * ******* chip *** ***. ******* is * ******* *******.

Avatar

Jonathan de Chateau

In reply to Undisclosed #1 | 08/27/19 11:26am

* **** *** ******* involvement. ** ***** *** that ****** ** ***** to ** ***** *** for, ***** ***** *******, a ******** ******** ******.

**'* ****** ** ** that * ***** ****** like ***** *** ** many ****** *************** *** is *** * ******** security ******.

John Honovich

IPVM | In reply to Undisclosed #1 | 08/27/19 11:26am

******* ** * ******* company

******* ** **** ******, *** ***, *** China, *** ***.

Avatar

Jonathan de Chateau

In reply to John Honovich | 08/27/19 11:40am

* ***** *********. *** are *****, **'* *** PRC.

*****, **** **** **** vulnerabilities ** ******** **** serious ******** ***'* *** think?It's * ******* **** and ******** *****, **** in ****.

** **** ** ***** a ** ******* **** it ****?

Undisclosed #1

In reply to John Honovich | 08/27/19 11:46am

******* ** ************* ** Taiwan, *** ***** ******* chips *** ******* ******** all **** ** ********* from * ***** ********.

Jonathan Strauss

In reply to Jonathan de Chateau | 08/27/19 02:48pm

**** ** ***** *************** look **** **** *** coming *** *** *** UI ***** ****** ** disabled ** ***** ****.

Undisclosed #3

In reply to Undisclosed #1 | 08/26/19 08:59pm

* ****** ** ***** require *** ****** ** exploit *** ** *** vulnerabilities, ************ ***** ******** are ******* *** ***** for ****** ********** ************.

**** ***** **** **** my ***** ****, ***...

**** ************* ******* ***** Small ******** *** ****** Smart ******** ******* ******** versions ***** ** *.*.*.* with *** *** ********** interface *******.The *** ********** ********* ** ******* *** **** **** *** ***** ** *******.

Undisclosed Manufacturer #2

08/26/19 04:35pm

*** ********:

*. *********** **** *** second ******* ******** ** Other. ** ***** * few ****** **** **** up **** ******?

*. *** ****** ******* Kevin *******:*****://***.********.***/**/*********/.**'* **** ******* *** over * ****** **** all *** ******** (** Cisco **** ** *******) have **** ****** **** with **** **** ** malware. ***** *** *** of *** ******** ******** of ********.

Undisclosed #4

08/27/19 03:49pm

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Access Control Course Fall 2019 - Last Chance on Oct 14, 2019
Register Now - Fall 2019 Access Control Course. Thursday, October 17th is the last day to register. IPVM offers the most comprehensive access...
Last Chance - Register Now - October 2019 IP Networking Course on Oct 10, 2019
Last Chance - Register Now - Fall 2019 IP Networking Course. The course starts next week. This is the only networking course designed...
Directory of 70 Video Surveillance Startups on Sep 18, 2019
This directory provides a list of video surveillance startups to help you see and research what companies are new or not yet broadly known. 2019...
Installation Course - Last Chance - Register Now on Sep 12, 2019
Last Chance - Register Now - September 2019 Video Surveillance Install Course. Thursday, September 12th is your last chance to register for the...
Top Ways Security Integrators Improve Their Careers on Sep 03, 2019
With DIY products expanding and the future of integration debated, how do integrators stay sharp so they are not left behind? 180+ integrators...
Dahua Wiretapping Vulnerability on Aug 02, 2019
IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been...
"Stats Don't Lie" Says Deceptive IFSEC on Jul 30, 2019
While IFSEC has declared #statsdontlie and trumpeted seemingly skyrocketing visitor numbers, they are decieving about their show's problems. On...
Hikvision: In China, We Obey PRC Human Rights Law on May 28, 2019
Hikvision defended its activities in Xinjiang, where the PRC is accused of mass human rights abuses, by stating that human rights have a “varied...
LifeSafety Power NetLink Vulnerabilities And Problematic Response on May 20, 2019
'Power supplies' are not devices that many think about when considering vulnerabilities but as more and more devices go 'online', the risks for...

Most Recent Industry Reports

US DoD Comments on Huawei, Hikvision, Dahua Cyber Security Concerns on Oct 16, 2019
A senior DoD official said the US is "concerned" with the cybersecurity of Hikvision, Dahua, and Huawei due to "CCP" (China Communist Party)...
Pelco Sarix Pro3 Camera Tested on Oct 16, 2019
Pelco has released their Sarix Professional Series 3 cameras, claiming "more security detail in challenging scenes with excellent low light and...
IPVM Camera Calculator User Manual / Guide on Oct 16, 2019
Learn how to use the IPVM Camera Calculator. The guide below includes instructions, images, gifs, and videos demonstrating and explaining the...
Altronix Claims Tango 'Eliminates Electricians' on Oct 15, 2019
Power supply provider Altronix claims its new Tango power supply 'eliminates the need for an electrician, dedicated conduit and wire runs'. In...
Pelco CEO Out, Seeking New Industry CEO, New CEO Found on Oct 15, 2019
Just 2 months after Pelco was sold, Pelco's CEO is out, with Pelco bringing in an outside President and searching for a new CEO from the industry,...
Hikvision Dissolves North American Business Unit, Splits Canada and USA on Oct 15, 2019
Hikvision has dissolved its North American Business Unit, splitting up US and Canada operations as the PRC-government owned manufacturer faces...
Camera Focusing Tutorial on Oct 14, 2019
Camera focus is fundamental to quality imaging. Mistakes can significantly reduce details, making cameras less effective. In this guide, we...
"UL Has Blood On Their Hands" Alleges The Interceptor / Keith Jentoft on Oct 14, 2019
"UL has blood on their hands" alleges Keith Jentoft of "The Interceptor Project". We examined The Interceptor in-depth last year, see: The...
Access Control Course Fall 2019 - Last Chance on Oct 14, 2019
Register Now - Fall 2019 Access Control Course. Thursday, October 17th is the last day to register. IPVM offers the most comprehensive access...
Axis HD Analog Encoder Tested on Oct 11, 2019
Two years after declaring "Everything is IP", Axis has released their first HD analog encoder, the P7304, with support for AHD, CVI, TVI, and SD...

What IPVM Is

The world's leading authority on video surveillance, with 200,000+ visits monthly.

  • Articles on cameras, video analytics, VMS, and trends
  • Tests showing actual performance and problems
  • Courses in surveillance, access control, etc
  • Camera Calculator for designing systems

Dedicated To Independence

We're dedicated to staying independent and objective. We're the only industry source to refuse any and all advertisements, sponsorship, and consulting from manufacturers. Why?