Laserbait
Jul 02, 2024 | Luminary
CVE-2024-6387 - regreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server
CVE-2024-6387 - https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server So looking at that blog about t...
StephenB
Jul 03, 2024 | Guru - Experienced User
Actually the key text is
- The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.
So it mostly affects new OpenSSH releases (after March 2021, which is when 8.5 was released).
- All OS-6 systems use OpenSSH 6.x versions - so they are not vulnerable to this particular CVE
- Systems running 5.x firmware use OpenSSH 5.x versions - so they are not vulnerable either.
- Systems running 4.x firmware use OpenSSH 4.3 - so they are potentially vulnerable. Likely Netgear applied the two CVE patches needed to close this vulnerability (since they date back to 2008), but that is not something I can confirm.
FWIW, IMO no one should be allowing over-the-internet connections to any ReadyNAS system (other than through a VPN).
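The version ranges discussed in this thread can be checked against collected `ssh -V` output or SSH banners. The following is an added example, not part of any post above and not NETGEAR or OpenSSH code. Function names and sample banners are constructed, and the pre-4.4p1 boundary is taken from the linked Qualys advisory rather than from the thread.

```python
import re

# Upstream version ranges for CVE-2024-6387 (major, minor):
#   < 4.4p1          affected unless patched for the two older CVEs
#   4.4p1 .. < 8.5p1 not affected
#   8.5p1 .. < 9.8p1 affected (range quoted in the thread)
#   >= 9.8p1         fixed
OLD_SAFE = (4, 4)
REGRESSED = (8, 5)
FIXED = (9, 8)

_VERSION = re.compile(r"OpenSSH[_ ](\d+)\.(\d+)")


def parse_openssh(banner):
    """Extract (major, minor) from `ssh -V` output or an SSH-2.0 banner."""
    m = _VERSION.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(banner):
    """Map a banner to a triage label based on the upstream version only.

    Vendors often backport fixes without changing the upstream version,
    so "affected-range" means "check the vendor advisory", not "exploitable".
    """
    v = parse_openssh(banner)
    if v is None:
        return "unknown"
    if v >= FIXED:          # tuple comparison, so 10.0 sorts after 9.8
        return "not-affected"
    if v >= REGRESSED:
        return "affected-range"
    if v >= OLD_SAFE:
        return "not-affected"
    return "affected-unless-patched"


if __name__ == "__main__":
    # Constructed sample banners, one per firmware generation in the thread.
    samples = [
        "OpenSSH_4.3p2",
        "OpenSSH_5.5p1 Debian-6",
        "OpenSSH_6.7p1 Debian-5",
        "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
        "OpenSSH_9.8p1",
    ]
    for s in samples:
        print(f"{classify(s):24} {s}")
```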