Option to disable UPnP for GC110/GC110P/GC510P/GC510PP when local management only is enabled

Currently (firmware version 1.0.5.27) the GC110/GC110P/GC510P/GC510PP does not allow turning off UPnP, even when local management only ("Direct Connect Web-browser Interface (Local LAN Only)") is enabled.


This poses a security risk, because this switch could be deployed in an environment that is open to the public, allowing any user on the network to peek at network infrastructure details, including device name, IP address, manufacturer, model, and MAC address. This allows a malicious user to find an attack vector.


The Netgear Support team mentioned that UPnP cannot be disabled because the switch has to be visible to the Netgear Insight App for discovery. However, the documentation says: "Direct Connect Web-browser Interface (Local LAN Only)- In this mode, the device can be managed only while on the local LAN, using a PC to access the web-browser management interface. ... Management using the NETGEAR Insight App is disabled." Apparently, when a user specifically chooses local management, there is no point in UPnP being alive and discoverable by the Insight App.


Please fix this security risk soon.
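The information leak the post describes comes from UPnP's SSDP discovery: any host on the LAN can multicast an M-SEARCH, receive a unicast reply with a LOCATION URL, and fetch the device-description XML that carries the friendly name, manufacturer, model, serial number and UDN (which often embeds the MAC). The script below is an added example, not code from the original post or from NETGEAR; the sample SSDP reply and XML are constructed for the test, and the host address, model and identifiers in them are placeholders rather than data captured from any real device.

```python
"""SSDP (UPnP discovery) probe and device-description parser (added example).

Run on a LAN to see what an unauthenticated neighbour learns from a device
that keeps UPnP enabled. The SAMPLE_* values below are constructed; they are
not captured from a real switch.
"""
import re
import socket
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

SSDP_ADDR = ("239.255.255.250", 1900)
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n\r\n"
)

# Constructed sample reply (RFC 5737 documentation address, placeholder UUID).
SAMPLE_SSDP_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.0.2.10:5000/rootDesc.xml\r\n"
    "SERVER: Linux UPnP/1.0\r\n"
    "ST: upnp:rootdevice\r\n"
    "USN: uuid:00000000-0000-0000-0000-aabbccddeeff::upnp:rootdevice\r\n"
    "\r\n"
)

# Constructed sample device description; vendor and model are placeholders.
SAMPLE_DESCRIPTION = """<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:Basic:1</deviceType>
    <friendlyName>Example Switch</friendlyName>
    <manufacturer>Example Vendor</manufacturer>
    <modelName>EX-8</modelName>
    <modelNumber>EX-8</modelNumber>
    <serialNumber>SN0000000</serialNumber>
    <UDN>uuid:00000000-0000-0000-0000-aabbccddeeff</UDN>
  </device>
</root>
"""

FIELDS = ("friendlyName", "manufacturer", "modelName",
          "modelNumber", "serialNumber", "UDN")


def parse_ssdp_response(raw: str) -> Dict[str, str]:
    """Return the HTTP-style headers of an SSDP reply as a lower-cased dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def parse_device_description(xml_text: str) -> Dict[str, Optional[str]]:
    """Extract the identifying fields a UPnP device description advertises."""
    root = ET.fromstring(xml_text)

    def find(tag: str) -> Optional[str]:
        # Match on local name so the default UPnP namespace does not matter.
        for el in root.iter():
            if el.tag.rsplit("}", 1)[-1] == tag:
                return (el.text or "").strip()
        return None

    return {f: find(f) for f in FIELDS}


def guess_mac(info: Dict[str, Optional[str]]) -> Optional[str]:
    """Return a MAC-looking token embedded in the advertised fields, if any."""
    for value in info.values():
        if not value:
            continue
        m = re.search(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}", value)
        if m:
            return m.group(0).upper()
        # Many stacks build the UDN as uuid:...-<12 hex digits of the MAC>.
        m = re.search(r"uuid:[0-9A-Fa-f-]+?([0-9A-Fa-f]{12})$", value)
        if m:
            h = m.group(1).upper()
            return ":".join(h[i:i + 2] for i in range(0, 12, 2))
    return None


def discover(timeout: float = 2.0) -> List[Tuple[str, Dict[str, str]]]:
    """Send one M-SEARCH and collect every reply; returns [(ip, headers)]."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(MSEARCH.encode(), SSDP_ADDR)
    found = []
    try:
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            found.append((ip, parse_ssdp_response(data.decode(errors="replace"))))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    for ip, headers in discover():
        loc = headers.get("location")
        if not loc:
            continue
        with urllib.request.urlopen(loc, timeout=3) as resp:  # LAN fetch, no auth
            info = parse_device_description(resp.read().decode(errors="replace"))
        print(ip, info, "mac:", guess_mac(info))
```

Everything the script prints is obtained without credentials, which is the point of the original complaint: with UPnP on, the IP, model and (usually) MAC are handed to any host that asks, regardless of which management mode is selected.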

1 Comment
schumaku
Guru

Finding the MAC and IP and fingerprinting these devices would be rather easy, even without UPnP and/or Bonjour; even the device model is nicely shown on the web admin login page and in the page name. 8-)


Isolate the management using a dedicated VLAN if exposing the switch to the wild or to non-trusted users and devices.