NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
MS510TXPP - critical vulnerability on latest 6.7.0.52 firmware
The Netgear MS510TXPP switch is vulnerable to CVE-2019-16645 on the latest 6.7.0.52 firmware. There has not been a new firmware released for this device since 2022 despite a long list of outstanding issues.
The exploit is a GoAhead Web server HTTP Header Injection, is rated high, and has not been patched in years.
See here for details:
https://www.cve.org/CVERecord?id=CVE-2019-16645
https://kb.netgear.com/000064831/MS510TX-MS510TXPP-Firmware-Version-6-7-0-52
7 Replies
Thanks BrianL . I submitted a BugCrowd report and it got rejected for formatting, which is frankly not acceptable. I very clearly gave links to PoCs, gave the relevant CVE and the product and firmware affected. The fact that they did not care enough to use this information to address the vulnerability is shocking.
I also opened a ticket, managed to get it escalated to a Level 3 engineer after quite a few emails with someone in Level 1, provided the information asked for, and then nothing. No response for weeks. Not even an acknowledgement.
I have zero confidence in this being addressed and it is very clear to me that Netgear does not value the security of its products. This will absolutely be my last. This is supposedly a business grade switch which is still being sold and 'supported', yet its latest firmware was released in 2022 which carried a published CVE vulnerability from 2019! NOT OK.
Squuiid wrote:
The Netgear MS510TXPP switch is vulnerable to CVE-2019-16645 on the latest 6.7.0.52 firmware.
According to what exactly - have run some magic Vulnerability scanner or the like? Please provide more details of what you suspect to be a vulnerability.
Squuiid wrote:
There has not been a new firmware released for this device since 2022 despite a long list of outstanding issues.
Talking of the known issues in the Release Notes?
Squuiid wrote:
The exploit is a GoAhead Web server HTTP Header Injection, is rated high, and has not been patched in years.
Is this a generic report, applicable to the GoAhead Web Server, very often used on embedded systems (and updated to some v6.x.x version last year)?
Or are you referring to what Netgear has implemented as part of the recent updates, on your device with the current firmware, and you claiming some vulnerability does still exist?
Based on what you supplied on insight here, it's very difficult to guess what exactly you try to report.
Please understand I'm not representing Netgear here, but I'm keen to hear about more insight - and carry forward to my personal connections to Netgear reps.
Regards,
-Kurt.
- I bought this NETGEAR switch in June of 2024, and is still being sold, to this day, on both Amazon’s site, as well as NETGEAR’s very own site.I discovered a critical CVE using OpenVAS and raised a NETGEAR BugCrowd report (which got rejected twice despite a ton of info being provided and I gave up) as well as opening a ticket with NETGEAR support. I had more success with the support ticket and eventually got it raised to level 3. It was escalated to their engineers and they came back with the following, refusing to address the critical CVE:"Hi,This is xxxxx again giving you updates from the case. Our Engineers responded to your case and unfortunately we will not release any firmware that fixes the issue anymore since the unit has already ended its manufacturing way back Feb 2023 and our contract with the chipset maker which is Marvell has already expired with us.Regards,xxxx xxxxNetgear Level 3”And then this, and they closed my ticket without allowing me to respond!"Case Number - 48865175
Summary - MS510TXPP switch is vulnerable to CVE-2019-16645
Product - 8-Port PoE+ Multi-Gigabit Smart Switch with 10G Copper/Fiber Uplinks(MS510TXPP)
Update from NETGEAR
Hi,Thank you for your email. I understand what you mean on this and I strongly empathize on the situation. The unit been sold in Amazon is more likely a refurbished or second hand units since Netgear already stopped manufacturing this device way back 2023. The contract from Marvell, chipset vendor has already expired starting 2025 and we no longer have any software engineers that can modify or update the firmware itself.
Regards,
xxxx xxxx
Netgear Level 3As mentioned, I bought the switch NEW and it is still being sold, as NEW, on NETGEAR's very own store! They closed my ticket so I couldn't respond!I did some further digging only to discover that the switch I bought, and that NETGEAR are still selling on their very own site as well as on Amazon, is EOL! Not only that, it was EOL when I bought it from Amazon itself in June 2024.T.L.D.R. NETGEAR are selling NEW switches on their OWN site which are EOL and they no longer offer support for!For those interested in the vulnerability...I used Greenbone OpenVAS to test for it.
Here are further details of the vulnerability along with several POCs.
Squuiid wrote:
I discovered a critical CVE using OpenVAS ...Afraid, I tend to disagree.
- Nothing discovered, just one of many false positive reports by that specific vulenrability assesment system.
- No longer exposable since mid of 2021 -> Pre Authentication Command Injection Vulnerability on Some Smart Switches PSV-2021-0071
EOL (a very specific and misleading Netgear nomencalture). It means that the model(s) listed are no longer manufactured and won't get any feature updates For some time, -real- security issues continue to be addressed, regardless of what the Netgear L3 support wrote you.
In no apsect, these switch model on the EOL list are revoked, removed from the markets, or are anywhere near to the and of service life This would be a much more meaningful indication in the product life cycle management, I'll try talking to the recently appointed Channel Chief for Global Channels at Netgear (Thomas Schwab) these days on the substandard product life cycle information.
Correct is that the MS510TXPP and the MS510TX (two siblings with the very similar Marvell switch core) are stil availahble in many markets, on many shelves, with resellers and retailers.
Some of the listed known issues are related to the capabilities of the switch core, probably not fixable with reasonable effort (by Netgear, resp,the OEM - which is also the chip set maker).
Does this clarify things for you now?
-Kurt.
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
