ReadyNAS 516 - Failing Security Scan as End Of Life with Apache 2.2.34 , Need to Upgrade to 2.4.x

Question

When running a security scan on the ReadyNAS 516 it comes up with a security issue due to Apache 2.2.x reaching end of life. I have updated to the most current firmware but it looks like Apache is still out of date. What can be done to get Apache to&nbsp;2.4.x so that the system will pass a security audit?
&nbsp;
Current firmware: 6.9.3
&nbsp;
TCP: 443: Product&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Apache 2.2.x
&nbsp; Server response header : Apache/2.2.34 (Debian)
&nbsp; Supported versions&nbsp;&nbsp;&nbsp;&nbsp; : Apache HTTP Server 2.4.x
&nbsp; Additional information : http://archive.apache.org/dist/httpd/Announcement2.2.html
&nbsp;
TCP: 80: Product&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Apache 2.2.x
&nbsp; Server response header : Apache/2.2.34 (Debian)
&nbsp; Supported versions&nbsp;&nbsp;&nbsp;&nbsp; : Apache HTTP Server 2.4.x
&nbsp; Additional information : http://archive.apache.org/dist/httpd/Announcement2.2.html

mdgm-ntgr · Answer

We are evaluating upgrading to apache 2.4 but have no imminent plans for an update to this.

&nbsp;

If you try updating it yourself there’s a strong chance it will break the http/s service for the NAS. You could experiment using the VM.

Steve_Hulsberg · Answer

mdgm,
&nbsp;
This puts us into a predicament, we cannot have it fail a security audit but also cannot remove it at this time. What do you mean by experiment using the vm? If we were to upgrade and say it broke HTTP/s, would there be a way to revert the upgrade and not lose the data?&nbsp;

mdgm-ntgr · Answer

Upgrading from 2.2 to 2.4 would be a major undertaking. It's not just a matter of updating packages it's also updating the configuration and making sure that the appropriate configuration is set when changes are made in the GUI etc.
&nbsp;
We do backport patches from various packages as we need to from time to time.
&nbsp;
Also whilst most of the apache2 packages we use are the 2.2.x version, we do use a 2.4.x version of apache2-utils
&nbsp;
In any case we don't recommend making http/s on the NAS publicly accessible on the internet and you should only allow those you trust to access your LAN.
&nbsp;
You can run ReadyNAS OS 6 in a Virtual Machine. If you're going to experiment it's better to replicate your setup (apps etc.) and experiment with that rather than on a production system.

Steve_Hulsberg · Answer

mdgm,
&nbsp;
I understand it is a major undertaking but either way it is a security risk that should be mitigated to protect the customers. Internal or External it is still tagged as a "high" risk by scanners such as NESSUS, https://www.tenable.com/plugins/nessus/34460&nbsp;(take a look at the CVSS information), which needs to be taken care of. Systems&nbsp;can be&nbsp;compromised&nbsp;on a LAN as well, so this is something that needs to be fixed sooner than later as more attacks are happening on the LAN.&nbsp;Not having it updated by Netgear and not being able to safely update it as a customer puts the customer in a bad predicament. &nbsp;

StephenB · Answer

Many companies simply won't deploy products that fail security scans, so I agree that Netgear needs to ensure that their products pass those scans.
&nbsp;
&nbsp;Another path is to report the issue here:&nbsp;https://bugcrowd.com/netgearkudos
&nbsp;
&nbsp;

Forum Discussion

ReadyNAS 516 - Failing Security Scan as End Of Life with Apache 2.2.34 , Need to Upgrade to 2.4.x

6 Replies

Related Content

ReadyNas 3200 fails to load gui and smb

access HD directly if ReadyNAS hardware fails

cannot access admin page 'Secure Connection Failed'/'unsupported protocol

ReadyNAS NV+ failed downloading logs

Failing Readynas Ultra 6

NETGEAR Academy

ProSupport for Business