WSJ (Tutor)
Apr 08, 2014
[Security] Serious OpenSSL bug (impacting ReadyNAS, as well)
http://heartbleed.com/ : "The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library."
"Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."
That sounds very serious - so, will Netgear react and provide security patches for all affected ReadyNAS products?
----
Well, ReadyNAS Duo v1 users (like me) can be relieved since RAIDiator 4.1.13 is using the old OpenSSL 0.9.8g version which is not affected
25 Replies
- dsm1212 (Apprentice): We clearly should be vulnerable with the old version we are running, but when I enter my system at http://filippo.io/Heartbleed/, it comes back and says it is safe. You probably need https enabled. Could a couple others try it? Just enter <your public ip or hostname>:443.
  steve
- dsm1212 (Apprentice): BTW I entered a Netgear support case for this [Case # 23040436].
  steve
- fastfwd (Virtuoso): Guys: See https://www.readynas.com/forum/viewtopic.php?f=65&t=75947. ReadyNAS devices running OS4 are not vulnerable to this bug, as they use OpenSSL 0.9.8. Devices running OS6 use OpenSSL 1.0.1, so they are vulnerable.
- dsm1212 (Apprentice): Thanks!
- chirpa (Luminary): Some of NETGEAR's own services appear to be affected.
  http://filippo.io/Heartbleed/#photos.readynas.com
  http://filippo.io/Heartbleed/#rndemo.netgear.com
- What about devices on the SPARC and x86 architectures???
  What about ReadyNAS Replicate in P2P mode or Egnyte ... rsync with an ssh tunnel ... etc, etc ...
  The answers to these questions need to go straight to the top of the announcements section and be highlighted for all to see.
- fastfwd (Virtuoso):
  Tricky_Dicky wrote: "What about devices on the SPARC and x86 architectures???
  What about ReadyNAS Replicate in P2P mode or Egnyte ... rsync with an ssh tunnel ... etc, etc ..."
  You can test them yourself: http://filippo.io/Heartbleed/.
- tcc1 (Aspirant): I'm not too tech savvy when it comes to programming and such but I have a NVX and NV+ which I only use to back files up and for storage. Should I be concerned?
  I checked my services and https is enabled but I cannot disable it as it's greyed out.
  Any other tips/info would be great :)
  tia
- mdgm-ntgr (NETGEAR Employee Retired): I think I read somewhere that those units use old enough versions not to be affected. But if https on your NAS is exposed to the web you could easily check using the test website.
- tcc1 (Aspirant): Do I just input the IP address of my NAS, because I tried doing that (192.168.x.xy) and the site returned, "Nice try, that's not a routable IP!" lol
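
Added example, not part of any post in this thread: a local check for the two questions raised above, namely whether the OpenSSL version a device reports falls in the affected range, and whether an address is one an external test site can reach at all. The function names and the sample version strings are assumptions made for illustration; the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) is the upstream OpenSSL one.

```python
import ipaddress
import re

# Upstream facts assumed here: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1
# carry the Heartbleed bug; 1.0.1g and later do not, and the 0.9.8 / 1.0.0
# branches never shipped the heartbeat code. A vendor can backport the fix
# without changing the version letter, so "affected" means "check the package".
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?")

AFFECTED = "affected unless vendor-patched"
NOT_AFFECTED = "not affected"


def heartbleed_status(version_text):
    """Classify the output of `openssl version` by upstream version only."""
    m = _VERSION.search(version_text)
    if not m:
        return "unknown"
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if branch == (1, 0, 1):
        # "" is plain 1.0.1; letters a-f are the affected patch releases.
        return AFFECTED if letter < "g" else NOT_AFFECTED
    if branch == (1, 0, 2) and beta == "-beta1":
        return AFFECTED
    return NOT_AFFECTED


def external_scanner_can_reach(host):
    """True/False for IP literals; None for hostnames (DNS decides)."""
    try:
        # Private ranges such as 192.168.0.0/16 are not globally routable,
        # so a test site on the internet cannot connect to them.
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample inputs, in the format `openssl version` prints.
    for text in ("OpenSSL 0.9.8g 19 Oct 2007", "OpenSSL 1.0.1e 11 Feb 2013",
                 "OpenSSL 1.0.1g 7 Apr 2014"):
        print(f"{text!r:32} -> {heartbleed_status(text)}")
    for host in ("192.168.1.10", "nas.example.com"):
        print(f"{host!r:32} -> reachable: {external_scanner_can_reach(host)}")
```

A device on a private address can only be tested from inside the same network, or through whatever public address and port forward expose its HTTPS service.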