GTGeek88 (Guide)
Feb 17, 2016
glibc vulnerability CVE-2015-7547
Is the R7000 vulnerable to the "new" glibc vulnerability indexed as CVE-2015-7547?
For reference: http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
I could not find a place on the site dedicated to disseminating this type of information. If NetGear does not have that, it's a real shame, because customers should be able to come here and quickly find out if they are vulnerable to any particular vulnerability, what products are affected, and what they can do to neutralize or mitigate the risk.
Note for NetGear: This form asked for the model number in a separate field, but kept clearing the field if I tabbed out of the field (and, of course, using the Tab key to move between fields has been SOP since way, way back). Anyway, I did happen to discover that just clicking in another field would prevent that, thereby allowing me to enter the serial number. However, when posting it does not seem to store the number and so the section of the post where it reports the model number is blank. You need to work on this form, because it's obviously really screwed up.
Update:
As of this writing, our engineers confirmed that the following products are not vulnerable.
- DSL Gateways
- Cable Gateways
- Extenders
- Powerline
- Routers
- Security firewalls and VPN software
- Switches
- 11ac Access Points
We will provide another update as we complete the review of other products.
16 Replies
- cranhpc (Aspirant)
I think it would be well for NETGEAR to gain some user confidence by informing its users of the wide variety of its products that are using Linux with GNU C Library, which of those are vulnerable and what they propose to do to mitigate it, as well as the projected timescales. My own routermodem I know to be running a 2.6.x Linux version.
My Ubuntu-based Linux system here was automatically updated yesterday and is now not vulnerable. The patch to fix the vulnerability is relatively small, but all companies like Netgear have policies in place for software QA and will not release a fixed version until all regression testing etc. has been satisfactorily passed and the update "signed off". This is perfectly understandable good practice in the compensation culture we all live in, but the delay it introduces allows the bad guys time to make use of the exploit loophole until it is closed off in a majority of Linux-based systems.
I am also unable to insert the model number in the Model box - FYI it is DGND3700v2
Les
- ElaineM (NETGEAR Employee Retired)
I am waiting for a confirmation from our engineers if any of our routers are affected by the said vulnerability ID.
Will post an update soon.
- VisionFriendly (Aspirant)
Hello, I was wondering if the Nighthawk R7000 router is affected by the glibc vulnerability.
- rockfish (Tutor)
This isn't a difficult question.
The routers are either vulnerable or they aren't. If they aren't, great. If they are, when will they be patched?
- mediatrek (Virtuoso)
I agree it is a simple question. The last security hole in their routers that was across numerous models was the KCodes NetUSB module vulnerability. That took Netgear more than 6 months to get patched firmware out for most affected models. Many models they did not patch as they were EOL. Even though the vulnerability was known of in April 2015 and some models were still being sold on store shelves (i.e., WNDR4300v1, WNDR3700v4), they still did not patch those models.
Long story short: even if someone from Netgear acknowledges what products are vulnerable, you most likely cannot expect patched firmware for more than 4 to 8 months down the road.
- rockfish (Tutor)
That's not good. I picked up two R6900s last week (1 USB v 2 USB on the R7000) and I may return them to Costco based on this information. Taking months to close a hole, if it's closed at all, isn't acceptable.
- VisionFriendly (Aspirant)
Yeah, my company recently purchased 2 Nighthawk R7000 routers and we're thinking of doing the same thing.
- ElaineM (NETGEAR Employee Retired)
NETGEAR is aware of the industry-wide potential security issue due to the use of GNU C Library (glibc) that was revealed on Feb. 16, 2016.
Because NETGEAR is committed to customer security, we are reviewing every product to determine if the code is present. If the audit reveals any concerns, we will provide recommendations to secure your products and protect private data.