R7_0_0_0_User
Jan 23, 2017, Tutor
Latest Security Vulnerability KB Article links to old R7000 Firmware
Hi, the KB article for the latest security vulnerability links to the version 1.0.5.70 firmware for R7000: http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-V...
- Jan 25, 2017
The link in the article has been updated to the latest firmware available for R7000.
Thank you guys for bringing this to our attention.
StephenB
Jan 23, 2017, Guru - Experienced User
R7_0_0_0_User wrote:
The KB article for the latest security vulnerability links to the version 1.0.5.70 firmware for R7000:
Isn't that version vulnerable to "Security Advisory VU 582384"? How come we should "downgrade" from 1.0.7.6 to 1.0.5.70 to fix this vulnerability?
Yes it is vulnerable to VU 582384, and you shouldn't downgrade to it.
If you look at http://www.netgear.com/about/security/?cid=wmt_netgear_organic , you'll see the article you linked is published May 9th 2016 - it is not the "latest security vulnerability". Unfortunately the KB articles don't include that date (only the date the page was last updated, which can be misleading).
- R7_0_0_0_User, Jan 24, 2017, Tutor
Hi StephenB
Thanks for the info. I found the link here: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5521 and this is why I called it the "latest security issue". Are you saying that CVE-2017-5521 is not a current or new security issue? German Tech-Press (heise.de) posted last week that Netgear devices have a new "big" hole and also pointed to these links.
- StephenB, Jan 25, 2017, Guru - Experienced User
R7_0_0_0_User wrote:
Hi StephenB
Thanks for the info. I found the link here: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5521 and this is why I called it the "latest security issue". Are you saying that CVE-2017-5521 is not a current or new security issue? German Tech-Press (heise.de) posted last week that Netgear devices have a new "big" hole and also pointed to these links.
I agree that the CVE is current, and points to that KB article ( https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5521 ). And the CVE says the issue was vendor-reported.
I don't work for Netgear, so I don't have any inside info here. What I do know is that particular security issue was posted in May 2016.
So this is quite confusing. Hopefully Netgear can clarify it.
- thelemonkid, Jan 25, 2017, Luminary
But that link points to old firmware....? Or....?
I am now using R7000-V1.0.7.6_1.1.99.chk
It was supposed to take care of a recent vulnerability. But is this another, older one we are talking about?
I read: Firmware fixes are currently available for the following affected devices. To download the firmware release that fixes the password recovery vulnerability, click the link for your model and visit the firmware release page for instructions: