Forum Discussion

hggomes
Tutor
May 14, 2016
Solved

Netgear routers found to have critical vulnerabilities within the shipped software components.

I have been a Netgear tester of several router models for years now.

The Netgear hardware is generally solid and reliable; however, it's the software side that, in my opinion, lacks attention in several key areas.

This is a totally unexpected problem, especially with security issues being rampant today in consumer models from different companies. Netgear should look at their direct competitor ASUS, with regular and persistent security update fixes on their networking devices' software.

I for one would have expected Netgear to use this fact in their favor, but instead in the end there I find more of the same sloppy and lazy implementations of the software components, this even within your current hardware on market today.

After checking the most recent GPL code for the latest Netgear X8 R8500 router model, much to my surprise, I still see the same issues, something not acceptable:

OpenSSL 0.9.7f 22 March 2005 (software with 11 years and 2 months old)

OpenSSL: https://www.openssl.org/news/vulnerabilities.html

Sources:

http://www.downloads.netgear.com/files/GPL/R8500-GPL_V1.0.2.54_1.0.56.zip

All Netgear routers share the same components, this seems to me a critical issue for all your current products which we as consumers buy from a well established and trusted company such as Netgear...

So my questions to Netgear are:

Where is the software development oversight?
Where is the quality control?
Where is the customer care?

As a Netgear user I would feel betrayed, and that ultimately all Netgear cares about is bottom lines and not building a more reliable trust base with their customers, for something that is, in essence, a cost of 60 seconds per component for most components in order to correct some of these issues.


Best regards,
Hugo
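The check the post describes (looking through a firmware source or image for the OpenSSL version it ships) can be automated: libcrypto and libssl embed a fixed banner of the form "OpenSSL 0.9.7f 22 Mar 2005", so scanning the extracted files for that string, parsing the version and build date, and comparing them against a minimum acceptable version gives a repeatable inventory. The script below is an added example written for this thread, not code from the original post or from NETGEAR; the firmware files it scans are a constructed in-memory sample, the minimum version `1.0.2` is an assumed policy floor, and the reference date is the date of the post. It also handles the case Elaine's reply raises, where several different OpenSSL builds are present in one image, by reporting every banner it finds with its path.

```python
import re
from datetime import date

# Version banner that libcrypto/libssl embed as OPENSSL_VERSION_TEXT, e.g.
# "OpenSSL 0.9.7f 22 Mar 2005". The month is matched loosely so spelled-out
# forms such as "22 March 2005" (as quoted in the thread) are also accepted.
BANNER_RE = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)\s+(\d{1,2}) ([A-Z][a-z]{2,8}) (\d{4})"
)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def parse_version(v: str) -> tuple:
    """'0.9.7f' -> (0, 9, 7, 'f'); a letter suffix sorts after no suffix."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", v)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {v}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])


def find_banners(blob: bytes) -> list:
    """Return every (version, build_date) OpenSSL banner embedded in a blob."""
    found = []
    for ver, day, mon, year in BANNER_RE.findall(blob):
        mon_key = mon.decode()[:3]          # "March" -> "Mar"
        if mon_key not in MONTHS:
            continue                        # not a real month: skip the match
        built = date(int(year.decode()), MONTHS[mon_key], int(day.decode()))
        found.append((ver.decode(), built))
    return found


def audit_image(files: dict, reference: date, min_version: str = "1.0.2") -> list:
    """Scan {path: bytes} and report each OpenSSL build found, oldest first.

    min_version is an assumed policy floor, not a NETGEAR or OpenSSL value.
    """
    floor = parse_version(min_version)
    report = []
    for path, blob in files.items():
        for ver, built in find_banners(blob):
            age_days = (reference - built).days
            report.append({
                "path": path,
                "version": ver,
                "built": built.isoformat(),
                "age_years": round(age_days / 365.25, 1),
                "outdated": parse_version(ver) < floor,
            })
    return sorted(report, key=lambda r: r["built"])


# Constructed sample "firmware image": a few fake ELF-like blobs, two of which
# carry different OpenSSL banners, as an image bundling several copies would.
SAMPLE_IMAGE = {
    "usr/lib/libcrypto.so.0.9.7": b"\x7fELF\x00...\x00OpenSSL 0.9.7f 22 Mar 2005\x00",
    "usr/lib/libssl.so.1.0.0":    b"\x7fELF\x00OpenSSL 1.0.0g 18 Jan 2012\x00",
    "usr/sbin/httpd":             b"\x7fELF\x00no crypto banner here\x00",
    "usr/lib/libcrypto.so.1.0.2": b"\x7fELF\x00OpenSSL 1.0.2h  3 May 2016\x00",
}

if __name__ == "__main__":
    for row in audit_image(SAMPLE_IMAGE, date(2016, 5, 14)):
        flag = "OUTDATED" if row["outdated"] else "ok"
        print(f'{row["path"]:30} {row["version"]:8} built {row["built"]} '
              f'({row["age_years"]} years old) {flag}')
```

On a real extracted firmware tree you would read each file under the root directory into the dictionary instead of using the constructed sample; the same scan can be pointed at the GPL source tree by scanning the `opensslv.h` headers, which carry the same banner text.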

18 Replies

  • I have been a Netgear tester of several router models for years now.

    The Netgear hardware is generally solid and reliable; however, it's the software side that, in my opinion, lacks attention in several key areas.

    This is a totally unexpected problem, especially with security issues being rampant today in consumer models from different companies. Netgear should look at their direct competitor ASUS, with regular and persistent security update fixes on their networking devices' software.

    I for one would have expected Netgear to use this fact in their favor, but instead in the end there I find more of the same sloppy and lazy implementations of the software components, this even within your current hardware on market today.

    After checking the most recent GPL code for the latest high-end Netgear X8 R8500 router model (costing $400/550€), much to my surprise, I still see the same issues, something not acceptable:

    OpenSSL 0.9.7f 22 March 2005 (software with 11 years and 2 months old)

    OpenSSL: https://www.openssl.org/news/vulnerabilities.html

    Sources:

    http://www.downloads.netgear.com/files/GPL/R8500-GPL_V1.0.2.54_1.0.56.zip

    All Netgear routers share the same components, this seems to me a critical issue for all your current products which we as consumers buy from a well established and trusted company such as Netgear...

    So my questions to Netgear are:

    Where is the software development oversight?
    Where is the quality control?
    Where is the customer care?

    As a Netgear user I would feel betrayed, and that ultimately all Netgear cares about is bottom lines and not building a more reliable trust base with their customers, for something that is, in essence, a cost of 60 seconds per component for most components in order to correct some of these issues.

    Discussion thread:

    http://www.snbforums.com/threads/netgear-routers-found-to-have-critical-vulnerabilities-within-the-shipped-software-components.32552/

    Best regards,
    Hugo

    •
      ElaineM
      NETGEAR Employee Retired

      Hello hggomes


      Welcome to the community!


      We thank you for your concern. We do value your input and appreciate your loyalty as a long-time NETGEAR customer. Please be assured that NETGEAR does regularly monitor our products for security issues and we take the security of customers and their data very seriously. NETGEAR uses OpenSSL version 1.0.0 for all the router functions that require secure transportation (such as remote https and OpenVPN); we only use OpenSSL 0.9x for "libcrypto" functions in the Time Machine (taking backup from Apple Macs to USB HDD connected to the router) software package, not for transportation. Hope this addresses your concerns.


      Again, thank you and have a great day!

      •
        hggomes
        Tutor

        Hi ElaineM,


        You mean this OpenSSL version: "OpenSSL 1.0.0g 18 Jan 2012" with still legions (~80) of vulnerabilities?


        https://www.cvedetails.com/vulnerability-list/vendor_id-217/Openssl.html


        Unfortunately it doesn't address my concerns, and probably not those of other Netgear owners either. I'm sorry, but I really don't consider this taking the security of customers seriously; all that's needed is 2 minutes to update to the latest known secure OpenSSL version.


        Best regards,

        Hugo

  • Gosh! I just talked to Netgear support over the phone and felt I went through what sounded like the computer scam call I get from India!

    My Netgear cable modem wifi was not working. After talking to Xfinity (super helpful) for an hour to figure out what was wrong with my internet service, they told me it was a problem with my Netgear box and gave me the Netgear support number.

    When I talked to Netgear, very quickly I was told the hardware was fine but the software had been attacked by some laptop or mobile device to reset its own IP address. The rep told me that Netgear would offer me a remote fix for $89/6 months (she called it an "extended warranty package") so this would never happen again. I believe if Netgear's boxes were prone to such attacks, then it needs to fix this problem before it is sold and not charge extra to fix what seems to me to be a security flaw in Netgear's product: software or hardware. After all, Netgear can't sell just a piece of hardware without any software on it and call it a working product.
    I decided not to buy this expensive service and just plug in my Airport Express to the Netgear cable modem. This solution works perfectly fine and my Apple product has none of these security issues and Apple stands behind their product: hardware or software!
    •
      hggomes
      Tutor

      Thank you for sharing the info; unfortunately it doesn't surprise me at all. Check my post date and you will really see how much Netgear "takes customers' security very seriously". One good example is the brand new Netgear model R9000 (X10), sold at $500, still using the ancient OpenSSL 0.9.8p (2010) package version, 6 years old and with legions of security flaws in it. This simply proves my previous post's point: they don't care at all, and they should know it; throwing sand in clients' eyes is always easier.


      Once again i must say, not acceptable NETGEAR.


      The result of these kind of reports will end up on bad reputation and products sales going down.

      •
        jerry66
        Tutor

        I don't think there is a bee in his bonnet, more like a botnet. This is a serious flaw and should be fixed as soon as possible.