hggomes
May 14, 2016 · Tutor
Netgear routers found to have critical vulnerabilities within the shipped software components.
I have been a Netgear tester of several router models for years now. The Netgear hardware is generally solid and reliable; however, it's the software side that, in my opinion, lacks attention in several k...
- Dec 15, 2016
Hi All,
The Security Advisory for VU 582384 has been updated.
Also, for more information and updates, see the thread below.
ElaineM
May 23, 2016 · NETGEAR Employee Retired
Hello hggomes
Welcome to the community!
We thank you for your concern. We do value your input and appreciate your loyalty as a long-time NETGEAR customer. Please be assured that NETGEAR does regularly monitor our products for security issues and we take the security of customers and their data very seriously. NETGEAR uses OpenSSL version 1.0.0 for all the router functions that require secure transportation (such as remote https and OpenVPN); we only use OpenSSL 0.9x for “libcrypto” functions in the Time Machine (taking backup from Apple Macs to USB HDD connected to the router) software package, not for transportation. Hope this addresses your concerns.
Again, thank you and have a great day!
hggomes
May 23, 2016 · Tutor
Hi ElaineM,
You mean this OpenSSL version: "OpenSSL 1.0.0g 18 Jan 2012" with still legions (~80) of vulnerabilities?
https://www.cvedetails.com/vulnerability-list/vendor_id-217/Openssl.html
Unfortunately it doesn't address my concerns, and probably neither those of other Netgear owners. I'm sorry, but I really don't consider this taking the security of customers seriously; all that's needed is a waste of 2 minutes to update to the latest known secure OpenSSL version.
Best regards,
Hugo
- hggomes · May 23, 2016 · Tutor
BTW, you also forgot to mention "Transmission" app compiled against ancient OpenSSL 0.9.7f 22 March 2005 version.
OpenSSL 0.9.7f 22 March 2005 (Transmission)
OpenSSL 0.9.8e 23 Feb 2007 (Time Machine)
OpenSSL 1.0.0g 18 Jan 2012 (OpenVPN, HTTP, etc)
If Netgear doesn't consider all these reports a security issue...
Best regards,
Hugo
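
One way to inventory the kind of version banners quoted in this thread across the files of an unpacked firmware image. This is an added example, not code from the posters or from NETGEAR. The component names, the sample byte strings and the `BASELINE` policy floor are assumptions constructed for the illustration.

```python
import re

# Banner format as quoted in the thread, e.g. "OpenSSL 1.0.0g 18 Jan 2012".
BANNER = re.compile(
    rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]{0,2}) +(\d{1,2} [A-Z][a-z]{2,8} \d{4})"
)

def parse_banners(blob):
    """Return unique ((major, minor, patch, letter), banner_text) pairs in blob."""
    found = set()
    for m in BANNER.finditer(blob):
        major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
        found.add(((major, minor, patch, m.group(4).decode()), m.group(0).decode()))
    return sorted(found)

def audit(components, baseline):
    """List (component, banner) for every embedded OpenSSL older than baseline."""
    findings = []
    for name, blob in sorted(components.items()):
        # A binary can carry more than one banner; each is checked on its own.
        for version, banner in parse_banners(blob):
            if version < baseline:
                findings.append((name, banner))
    return findings

# Constructed sample data: filler bytes around the three banners quoted above.
# In practice each value would be the bytes of a file from the unpacked image.
SAMPLE = {
    "transmission": b"\x7fELF\x00\x01OpenSSL 0.9.7f 22 March 2005\x00" + b"\x00" * 8,
    "timemachine": b"\x00libcrypto\x00OpenSSL 0.9.8e 23 Feb 2007\x00",
    "openvpn": b"\x00OpenSSL 1.0.0g 18 Jan 2012\x00"
               b"SSLv3 part of OpenSSL 1.0.0g 18 Jan 2012\x00",
    "busybox": b"\x7fELFno tls library here\x00",
}

# Assumed policy floor chosen by the auditor; it is not a value from the thread.
BASELINE = (1, 0, 2, "h")

if __name__ == "__main__":
    for component, banner in audit(SAMPLE, BASELINE):
        print(f"{component}: {banner} is below the policy baseline")
```

A banner only shows which OpenSSL release a binary was built against; vendors sometimes backport fixes without changing it, so findings are a starting point for review rather than proof of exposure.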