R7_0_0_0_User
Jan 23, 2017 (Tutor)
Latest Security Vulnerability KB Article links to old R7000 Firmware
Hi, the KB Article for the latest security vulnerability links to firmware version 1.0.5.70 for R7000: http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-V...
- Jan 25, 2017
The link in the article has been updated to the latest firmware available for R7000.
Thank you guys for bringing this to our attention.
R7_0_0_0_User
Jan 24, 2017 (Tutor)
Hi StephenB
Thanks for the info. I found the link here: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5521. This is why I called it the "latest security issue". Are you saying that CVE-2017-5521 is not a current or new security issue? German tech press (heise.de) posted last week that Netgear devices have a new "big" hole and also pointed to these links.
StephenB
Jan 25, 2017 (Guru - Experienced User)
R7_0_0_0_User wrote:
Hi StephenB
Thanks for the info. I found the link here: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5521. This is why I called it the "latest security issue". Are you saying that CVE-2017-5521 is not a current or new security issue? German tech press (heise.de) posted last week that Netgear devices have a new "big" hole and also pointed to these links.
I agree that the CVE is current, and points to that KB article ( https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5521 ). And the CVE says the issue was vendor-reported.
I don't work for Netgear, so I don't have any inside info here. What I do know is that particular security issue was posted in May 2016.
So this is quite confusing. Hopefully Netgear can clarify it.
- thelemonkid, Jan 25, 2017 (Luminary)
But that link points to old firmware....? Or....?
I am now using R7000-V1.0.7.6_1.1.99.chk
It was supposed to take care of a recent vulnerability. But is this another, older one we are talking about?
I read: Firmware fixes are currently available for the following affected devices. To download the firmware release that fixes the password recovery vulnerability, click the link for your model and visit the firmware release page for instructions:
- StephenB, Jan 25, 2017 (Guru - Experienced User)
thelemonkid wrote:
But that link points to old firmware....? Or....?
I am now using R7000-V1.0.7.6_1.1.99.chk
It was supposed to take care of a recent vulnerability. But is this another, older one we are talking about?
I believe it is older, and likely not an issue with R7000-V1.0.7.6_1.1.99.chk. But I think Netgear needs to comment.
- ElaineM, Jan 25, 2017 (NETGEAR Employee Retired)
I have forwarded this to our engineering team and am waiting for their response.
Will provide an update as soon as I have one.