
Forum Discussion

sveinse
Aspirant
Apr 19, 2025
Solved

SSDP multicast leakage across VLAN on GS308EP

Setup

  • Switch is in Advanced 802.1Q VLAN mode
  • Port 1-6 connected to VLAN 1. Port 1-6 untagged, port 7-8 exclude.
  • Port 7-8 connected to VLAN 2. Port 1-6 exclude, port 7-8 is untagged.
  • Port 1-6 PVID 1 and port 7-8 PVID 2

This is basically setting up two independent networks with untagged ports.

When connecting to port 7 (which is connected to VLAN 2), I'm seeing multicast SSDP messages containing IP addresses from VLAN 1.

E.g. 192.168.0.42 (from VLAN 1) > 239.255.255.240 port 1900. Messages typically contain "ssdp:discover".

This behavior is effectively leaking IP addresses and messages from VLAN 1 into VLAN 2.

I've tested turning "IGMP snooping" on and off. I've turned on and off the UPnP "switch discovery" setting. I've tested turning "Broadcast filtering" on and off. Nothing changes the behavior.

Are there any settings that permit me to disable the forwarding of these SSDP multicasts? Has anyone else observed this behavior?

Firmware: v1.0.1.4

6 Replies

  • I've tested more and I'm now getting confident this is a bug in the switch!

    It sends IP multicast messages between independent VLAN 1 and VLAN 2. This is an unexpected error. Arbitrarily formatted messages with destination address to any IP address of "<224-239>.<1-255>.255.250" to port 1900 are broadcast across the VLANs. The communication works both ways. This can be used to create backdoor communication between any of the 4080 open IPs between the VLANs.

    The 239.255.255.250:1900 is used for SSDP, which is the UPnP protocol for advertising availability of equipment. The described behavior is effectively:

    • Sending IP addresses between VLANs
    • Sending presence and status of UPnP equipment
    • Can be used as an unsolicited data channel between the VLANs

    How to repro the error:

    1. Configure two independent VLANs, VLAN 1 and VLAN 2, that share no common ports
    2. Insert computer1 (generator) into a VLAN 1 port
    3. Insert computer2 (observer) into a VLAN 2 port
    4. Computer 1: Send a UDP datagram with payload "foobar" to IP 224.255.255.240, UDP port 1900
    5. Computer 2: Observe with Wireshark the reception of the UDP "foobar" message from the IP of computer 1 with destination set to the selected multicast IP

    I've tested a lot of different settings, IGMP on/off, UPnP on/off, to no avail. I've tested a firmware reset of the device without any resolution.

    Where should error reports like this be reported?


    • FURRYe38
      Guru - Experienced User

      Something to make contact with NG support about. 

      • sveinse
        Aspirant

        Exactly how do I reach out to Netgear support? It seems they only accept vulnerabilities through Bugcrowd for select products and not this product.

  • Did this actually solve your problem? I noticed the problem today, found your post, found that my GS316EP had a firmware update that mentioned the same fix (though the version is 2.0.0.3). But after installing the firmware the problem remains exactly as it was. Thanks! This is very frustrating!
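The repro steps in the thread rely on reading a Wireshark capture by eye on the observer side. The following script is an added example, not code from the original thread or from NETGEAR, that automates the observer's check: it classifies UDP/1900 datagrams addressed to any IPv4 multicast group and flags those whose source address lies outside the observer's own VLAN subnet, which on a correctly isolated switch should never happen. The subnet 192.168.2.0/24 for VLAN 2, the `Datagram` type and the sample capture are constructed for the example; the multicast group 239.255.255.250 and port 1900 are the standard SSDP values named in the thread.

```python
"""Observer-side check for SSDP multicast crossing a VLAN boundary.

Added example (not the thread's or NETGEAR's code). It flags UDP/1900
multicast datagrams whose source is outside the observer's own subnet.
"""
import ipaddress
import socket
import struct
from dataclasses import dataclass

SSDP_PORT = 1900                 # UDP port used by SSDP / UPnP discovery
SSDP_GROUP = "239.255.255.250"   # standard SSDP multicast group


@dataclass(frozen=True)
class Datagram:
    """One captured UDP datagram (constructed type for this example)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


def is_ssdp_multicast(dg: Datagram) -> bool:
    """True for UDP/1900 datagrams sent to any IPv4 multicast group (224.0.0.0/4)."""
    return dg.dst_port == SSDP_PORT and ipaddress.ip_address(dg.dst_ip).is_multicast


def is_foreign_source(dg: Datagram, local_subnet: str) -> bool:
    """True when the sender is not inside the observer's own VLAN subnet."""
    net = ipaddress.ip_network(local_subnet, strict=False)
    return ipaddress.ip_address(dg.src_ip) not in net


def find_leaks(datagrams, local_subnet: str):
    """Return SSDP multicast datagrams from outside local_subnet.

    Any hit means multicast crossed a VLAN boundary that should have blocked it.
    """
    return [dg for dg in datagrams
            if is_ssdp_multicast(dg) and is_foreign_source(dg, local_subnet)]


# Constructed sample of what the observer in VLAN 2 (192.168.2.0/24) might see.
SAMPLE_CAPTURE = [
    # Local M-SEARCH from a VLAN 2 host: expected, not a leak.
    Datagram("192.168.2.10", SSDP_GROUP, 1900,
             b"M-SEARCH * HTTP/1.1\r\nST: ssdp:all\r\n\r\n"),
    # M-SEARCH from a VLAN 1 host: the leak the thread describes.
    Datagram("192.168.0.42", SSDP_GROUP, 1900,
             b"M-SEARCH * HTTP/1.1\r\nMAN: \"ssdp:discover\"\r\n\r\n"),
    # The thread's repro datagram (arbitrary payload, arbitrary group, port 1900).
    Datagram("192.168.0.42", "224.255.255.240", 1900, b"foobar"),
    # mDNS on port 5353: outside the scope of this check even though foreign.
    Datagram("192.168.0.7", "224.0.0.251", 5353, b"mdns"),
]


def listen_for_leaks(local_subnet: str, group: str = SSDP_GROUP,
                     port: int = SSDP_PORT, count: int = 10):
    """Live variant: join one multicast group on the observer host and report
    foreign-subnet senders for the next `count` datagrams.

    Only the joined group is received, so to test other groups named in the
    thread, call this with that group. recvfrom() does not expose the
    destination address, so the joined group is recorded as dst_ip.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", port))
    mreq = struct.pack("4sl", socket.inet_aton(group), socket.INADDR_ANY)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    leaks = []
    try:
        for _ in range(count):
            payload, (src_ip, _src_port) = sock.recvfrom(65535)
            dg = Datagram(src_ip, group, port, payload)
            if find_leaks([dg], local_subnet):
                print(f"LEAK: {src_ip} -> {group}:{port} {payload[:40]!r}")
                leaks.append(dg)
    finally:
        sock.close()
    return leaks


if __name__ == "__main__":
    # Offline run over the constructed capture; swap for listen_for_leaks(...) on a real observer.
    for dg in find_leaks(SAMPLE_CAPTURE, "192.168.2.0/24"):
        print(f"leaked: {dg.src_ip} -> {dg.dst_ip}:{dg.dst_port} {dg.payload[:30]!r}")
```

Run on the sample, the check reports both datagrams from 192.168.0.42 and ignores the local host's own M-SEARCH and the mDNS traffic. The check is deliberately subnet-based rather than payload-based because the thread notes the leak carries arbitrary payloads, so matching on "ssdp:discover" alone would miss it; if the switch is isolating correctly, `listen_for_leaks` on the VLAN 2 host returns an empty list no matter what is sent from VLAN 1.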
