Authentication is Optional for some Netgear Smart Switches (Demon's Cries)

We discussed this vulnerability during Episode 82 on 14 September 2021

What if authentication was optional? That seems to be the case here where the Netgear Switch Discovery Protocol, a UDP based protocol where each datagram is a header following by a Type Length Value (TLV) chain. The expectation is that all of the “get” commands can be used without authentication but that “set” commands should send the password authentication entry (Type 10) as the first part of the TLV chain. The /sqfs/bin/sccd daemon that implements the protocol does not enforce this however. So an attacker can send the “set” TLV for changing the password (type 9) to set the password without first authenticating.