hggomes
May 14, 2016 Tutor
Netgear routers found to have critical vulnerabilities within the shipped software components.
- Dec 15, 2016
Hi All,
The Security Advisory for VU 582384 has been updated.
Also, for more information and update see the thread below.
hggomes
May 15, 2016 Tutor
I have been a Netgear tester of several router models for years now.
The Netgear hardware is generally solid and reliable; however, it's the software side that, in my opinion, lacks attention in several key areas.
This is a totally unexpected problem, especially with security issues being rampant today in consumer models by different companies. Netgear should look at their direct competitor ASUS, with regular and persistent security update fixes on their software networking devices.
I for one would have expected Netgear to use this fact in their favor, but instead, in the end, I find more of the same sloppy and lazy implementations of the software components, even within your current hardware on the market today.
After checking the most recent GPL code for the latest high-end Netgear X8 R8500 router model (costing $400/550€), much to my surprise, I still see the same issues, something not acceptable:
OpenSSL 0.9.7f 22 March 2005 (software that is 11 years and 2 months old)
OpenSSL: https://www.openssl.org/news/vulnerabilities.html
Sources:
http://www.downloads.netgear.com/files/GPL/R8500-GPL_V1.0.2.54_1.0.56.zip
All Netgear routers share the same components; this seems to me a critical issue for all your current products, which we as consumers buy from a well established and trusted company such as Netgear...
So my questions to Netgear are:
Where is the software development oversight?
Where is the quality control?
Where is the customer care?
As a Netgear user I would feel betrayed, and that ultimately all Netgear cares about is bottom lines and not building a more reliable trust base with their customers, for something that is, in essence, a cost of 60 seconds per most components in order to correct some of these issues.
Discussion thread:
http://www.snbforums.com/threads/netgear-routers-found-to-have-critical-vulnerabilities-within-the-shipped-software-components.32552/
Best regards,
Hugo
- ElaineM May 23, 2016 NETGEAR Employee Retired
Hello hggomes
Welcome to the community! We thank you for your concern. We do value your input and appreciate your loyalty as a long-time NETGEAR customer. Please be assured that NETGEAR does regularly monitor our products for security issues and we take the security of customers and their data very seriously. NETGEAR uses OpenSSL version 1.0.0 for all the router functions that require secure transportation (such as remote https and OpenVPN); we only use OpenSSL 0.9x for “libcrypto” functions in the Time Machine (taking backup from Apple Macs to USB HDD connected to the router) software package, not for transportation. Hope this addresses your concerns.
Again, thank you and have a great day!
- hggomes May 23, 2016 Tutor
Hi ElaineM,
You mean this OpenSSL version: "OpenSSL 1.0.0g 18 Jan 2012" with still legions (~80) of vulnerabilities?
https://www.cvedetails.com/vulnerability-list/vendor_id-217/Openssl.html
Unfortunately it doesn't address my concerns, and probably neither those of other Netgear owners. I'm sorry, but I really don't consider this taking the security of customers seriously; all that's needed is a waste of 2 minutes to update to the latest known secure OpenSSL version.
Best regards,
Hugo
- hggomes May 23, 2016 Tutor
BTW, you also forgot to mention the "Transmission" app compiled against the ancient OpenSSL 0.9.7f 22 March 2005 version.
OpenSSL 0.9.7f 22 March 2005 (Transmission)
OpenSSL 0.9.8e 23 Feb 2007 (Time Machine)
OpenSSL 1.0.0g 18 Jan 2012 (OpenVPN, HTTP, etc)
If Netgear doesn't consider all these reports a security issue...
Best regards,
Hugo
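The per-component version list in the post above can be reproduced by searching an unpacked firmware or GPL source tree for the version banner that OpenSSL builds embed. The sketch below is an added example, not part of the thread or NETGEAR's code; the file names in the sample tree are hypothetical, the sample files are constructed, and it assumes the image has already been extracted to a directory.

```python
import re
import tempfile
from datetime import date
from pathlib import Path

# Version banner embedded in OpenSSL builds, e.g. "OpenSSL 0.9.7f 22 March 2005".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*) +(\d{1,2}) ([A-Z][a-z]{2,8}) (\d{4})")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def scan_tree(root, as_of):
    """Return sorted (relative path, version, release date, age in months)."""
    root = Path(root)
    findings = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        for ver, day, mon, year in BANNER.findall(path.read_bytes()):
            try:
                built = date(int(year), MONTHS[mon.decode()[:3]], int(day))
            except (KeyError, ValueError):
                continue  # looked like a banner but is not a valid date
            age = (as_of.year - built.year) * 12 + as_of.month - built.month
            if as_of.day < built.day:
                age -= 1  # last month not yet complete
            rel = path.relative_to(root).as_posix()
            findings.add((rel, ver.decode(), built, age))
    return sorted(findings)


def demo():
    # Constructed sample tree: hypothetical file names, each padded with junk
    # bytes around one of the version banners quoted in the thread.
    samples = {
        "bin/transmission": b"OpenSSL 0.9.7f 22 March 2005",
        "bin/timemachine": b"OpenSSL 0.9.8e 23 Feb 2007",
        "bin/openvpn": b"OpenSSL 1.0.0g 18 Jan 2012",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, banner in samples.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(b"\x7fELF\x00" + banner + b"\x00\xff")
        return scan_tree(tmp, as_of=date(2016, 5, 23))


if __name__ == "__main__":
    for rel, ver, built, age in demo():
        print(f"{rel}: OpenSSL {ver} ({built}), {age // 12}y {age % 12}m old")
```

Compressed or packed files will not match until they are unpacked, and a banner only identifies the upstream release a component was built from, not whether the vendor backported fixes.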