WSJ (Tutor)
Apr 08, 2014
[Security] Serious OpenSSL bug (impacting ReadyNAS, as well)
http://heartbleed.com/ : "The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library."
"Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."
That sounds very serious - so, will Netgear react and provide security patches for all affected ReadyNAS products?
----
Well, ReadyNAS Duo v1 users (like me) can be relieved since RAIDiator 4.1.13 is using the old OpenSSL 0.9.8g version which is not affected
25 Replies
- fastfwd (Virtuoso)
tcc wrote: Do I just input the IP address of my NAS, because I tried doing that (192.168.x.xy) and the site returned, "Nice try, that's not a routable IP!" lol
If you set up your home network yourself and didn't explicitly make your NAS devices accessible from the internet, they are not accessible from the internet and you do not need to be concerned about this bug.
- tcc1 (Aspirant)
fastfwd wrote: tcc wrote: Do I just input the IP address of my NAS, because I tried doing that (192.168.x.xy) and the site returned, "Nice try, that's not a routable IP!" lol
If you set up your home network yourself and didn't explicitly make your NAS devices accessible from the internet, they are not accessible from the internet and you do not need to be concerned about this bug.
That's great news :D.
The only thing I did do is host my photography website on the NVX. It's only for viewing and contact info.
- fastfwd (Virtuoso)
Wait. Is that website accessible from anywhere, or just from within your home network?
- tcc1 (Aspirant)
Anywhere. It's so people can look at my portfolio and contact me for work.
At the moment it's down cuz I'm working on revamping the whole site.
It's http://slp.homedns.org/
- fastfwd (Virtuoso)
Oh. In that case, your NAS is accessible from the internet. When you get your website back online, go to the test page at https://filippo.io/Heartbleed and ask it to check slp.homedns.org .
- StephenB (Guru - Experienced User)
My pro-6 and sparc systems (running 4.2.26 and 4.1.13) did not test as vulnerable on that web site. The OpenSSL is older than the version that has the vulnerability.
- tcc1 (Aspirant)
Thanks fastfwd. Appreciate all your help :)
- heidnerd (Aspirant)
The ReadyNAS with OS 6.x is vulnerable.
root@nas-xx-yy-zz:/usr/bin# ./openssl version
OpenSSL 1.0.1e 11 Feb 2013
All versions 1.0.1 through 1.0.1f incorporate the exploitable code. ARM and X86 versions are likely to be impacted.
- mdgm-ntgr (NETGEAR Employee Retired)
Update your NAS running ReadyNAS OS 6 to ReadyNAS OS 6.1.7 which addresses the issue.
- mdgm-ntgr (NETGEAR Employee Retired)
heidnerd, did you check your NAS via https://filippo.io/Heartbleed ?
It looks like they back ported a patch to 1.0.1e to fix the problem.
In fact if you look at the apt-get packages lists 6.1.7 uses openssl_1.0.1e-2.deb7u6_armel.deb whereas 6.1.6 uses openssl_1.0.1e-2.deb7u3_armel.deb
If you download the GPL and run a diff you should see changes between 6.1.6 and 6.1.7 for openssl
Consequently simply checking the openssl version the way you did is not the way to check if a system running OS6 is exposed.
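The point made in the last reply, as an added example that is not part of the thread or any poster's code: the `openssl version` banner cannot show a backported fix, while the Debian package revision can. The function names and result labels are assumptions of this sketch, and the two revision numbers are the ones quoted in the thread for OS 6.1.6 and 6.1.7.

```python
import re

# Upstream releases the thread names as containing the flaw: 1.0.1 through 1.0.1f.
AFFECTED_UPSTREAM = {"1.0.1" + s for s in ("", "a", "b", "c", "d", "e", "f")}

# Wheezy update numbers quoted in the thread for upstream 1.0.1e-2:
# deb7u3 shipped in OS 6.1.6 (before the fix), deb7u6 in OS 6.1.7 (with the fix).
LAST_KNOWN_UNPATCHED = 3
FIRST_KNOWN_PATCHED = 6

BANNER_RE = re.compile(r"^OpenSSL (\d+\.\d+\.\d+[a-z]*)(?:\s|$)")
# Accepts "+deb7u6" as well as the ".deb7u6" spelling used in the thread.
PACKAGE_RE = re.compile(r"^openssl_(\d+\.\d+\.\d+[a-z]*)-\d+(?:[+.]deb7u(\d+))?_")


def check_banner(banner):
    """Classify `openssl version` output; the banner cannot show a backport."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "unparsed"
    return "inconclusive" if m.group(1) in AFFECTED_UPSTREAM else "not affected"


def check_package(filename):
    """Classify a Debian wheezy openssl package file name by its revision."""
    m = PACKAGE_RE.match(filename.strip())
    if not m:
        return "unparsed"
    upstream, update = m.group(1), m.group(2)
    if upstream not in AFFECTED_UPSTREAM:
        return "not affected"
    if upstream != "1.0.1e" or update is None:
        return "inconclusive"  # the thread gives no revision data for this build
    if int(update) >= FIRST_KNOWN_PATCHED:
        return "patched"
    if int(update) <= LAST_KNOWN_UNPATCHED:
        return "vulnerable"
    return "inconclusive"  # between the two revisions the thread names


if __name__ == "__main__":
    # Constructed inputs built from strings quoted in the thread.
    for banner in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 0.9.8g"):
        print(banner, "->", check_banner(banner))
    for pkg in ("openssl_1.0.1e-2.deb7u3_armel.deb", "openssl_1.0.1e-2.deb7u6_armel.deb"):
        print(pkg, "->", check_package(pkg))
```

On a Debian-based system the installed revision can be read with `dpkg -s openssl`, and the library package (libssl1.0.0 on wheezy) should be checked the same way.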