btaroli (Prodigy), Apr 08, 2014
ROS 6, OpenSSL, and package updates?
No sooner do I read this evening that Fedora and others are quickly working to get OpenSSL 1.0.1e out to fix the latest TLS bug than I log into my 516 to see what version it's running. Oh my, 1.0.1e. When did that happen? Are there magic upgrade faeries on the NAS? :D
47 Replies
- rajivvishwa (Aspirant): Even my NAS is not exposed to the internet, so I had to use a Python script to check the status of the vulnerability. There are tons of scripts that can help you check the status, and I used this one - https://gist.github.com/anantshri/10238615
But as alanwsg has suggested, 6.1.7 seems to fix the vulnerability. Check the screenshot, redacted some sensitive information
'universe' is hostname of my NAS if anyone is wondering.
Then I'm following the steps by arnomc - http://www.readynas.com/forum/viewtopic.php?f=65&t=75947&start=15#p423049 from STEP 3
I hope this is it.
- arnomc (Aspirant): I also confirm that 6.1.7 updated both my openssl and libssl to 7u6. And the build date was also changed to 8 April 2014.
- mdgm-ntgr (NETGEAR Employee Retired): Sounds like they must have quickly added this fix and hurried 6.1.7 out (they may have even held back 6.1.7 if it was otherwise ready for release earlier to include this fix) to address this serious security issue ASAP.
- arnomc (Aspirant): This is exactly what I had in mind: it's nice to see Netgear reacting fast to address this.
- xeltros (Apprentice): Well, knowing the OS6 is also for pro hardware, they should have received many calls concerning this. Adding a packet already made isn't something hard when you build a firmware... It's always better to say once "it's been fixed in the last update" than to say 5 times per consumer "it will be fixed in the last update". That said, I would have liked Netgear to find a way to validate Debian packages to get real time updates (or delayed by up to three days for quick testing). I don't have any way to do this without manual testing though (so one man dedicated for the task) so this may not be economically possible.
- btaroli (Prodigy): Since this kept coming up as a question, I thought I'd share the content of an email I received from Netgear this evening.
Basically 4.x and 5.x users have nothing at all to worry about.
NETGEAR has taken steps to prevent compromise of ReadyNAS devices by the Heartbleed bug with the release of new firmware. Please upgrade your ReadyNAS to the latest firmware (6.1.7 or higher), which is available from your ReadyNAS management interface or can be downloaded from the NETGEAR support site (http://kb.netgear.com/app/answers/detail/a_id/20684). Earlier ReadyNAS models (pre-OS 6) use a version of OpenSSL that is not affected by Heartbleed.
We recommend the 6.1.7 Firmware Upgrade for the following models:
RN102/RN104 Series
RN312/RN314/RN316 Series
RN516 Series
RN716 Series
RN2120
RN3220
RN4220
Thank you,
The NETGEAR Team
- arnomc (Aspirant): On 5th June there were some newly published critical vulnerabilities (http://www.openssl.org/news/secadv_20140605.txt), so I updated my procedure in order to update openssl to "1.0.1e-2+deb7u10_amd64.deb":
viewtopic.php?f=65&t=75947&p=423049#p423049
"openssl1.0.1e-2+deb7u10" is the newest version (available at that time) there : http://security.debian.org/debian-secur ... o/openssl/
I don't believe it's correcting the last CVE-2014-0224. We'll have to wait.
EDIT: https://security-tracker.debian.org/tra ... -2014-0224
fixed openssl in 1.0.1e-2+deb7u11.