azinnc (Follower)
May 11, 2017
Prosafe M4100-26G TLS 1.2 Not Available and Weak Cipher Suites
Our vulnerability scanning shows that our switch's management over HTTPS only has TLS 1.0. In today's world, everything should be at TLS 1.2, so it is causing our vulnerability scanning to report it as a high vulnerability. We have the latest firmware (10.0.2.20), and have recently re-issued the certificates, so I'm not sure what to do.
We have the ability to create self-signed certs externally to the switch, but it doesn't seem to allow us to use them. I can only see how to let the switch generate its own certificates.
It is also reporting that it is using weak cipher suites. How can I get these upgraded?
7 Comments
- DaneA (NETGEAR Employee Retired)
Hi azinnc,
Welcome to the community! :)
I moved your post here in the Idea Exchange for Business board so that the development team can see this as a feature request on what users want to be added to the functionality of the M4100-26G switch with regards to security. I gave kudos to his post.
Be reminded that more kudos given by community members to this feature request will help, as the development team will be reviewing the post that has the most kudos, and it might be considered.
Regards,
DaneA
NETGEAR Community Team
- atian (Aspirant)
Could you provide the vulnerability details in this regard? And what are the weak cipher suites the scanner is reporting?
- azinnc (Follower)
Here is the information from the scan results:
The following weak client-to-server encryption algorithms are supported by the remote service:
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se
The following weak server-to-client encryption algorithms are supported by the remote service:
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se
The CERT vulnerability information can be found at:
https://www.kb.cert.org/vuls/id/958563
- atian (Aspirant)
Which scanner did you use?
- azinnc (Follower)
OpenVAS
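An added example (not part of the thread, and not NETGEAR or OpenVAS code): the names in the scan results above are SSH encryption algorithm names, and this Python parser groups such scanner text by direction and by the reason each name is flagged, tolerating an algorithm run together with its header line as in the paste. The sample text is constructed from the post; the function names and the two weakness labels are assumptions of this example.

```python
import re

# Constructed sample: trimmed from the scan output quoted in this thread,
# including one algorithm fused onto its header line as seen in the paste.
SCAN = """\
The following weak client-to-server encryption algorithms are supported by the remote service:
3des-cbc
aes128-cbc
arcfour
arcfour128
rijndael-cbc@lysator.liu.se
The following weak server-to-client encryption algorithms are supported by the remote service:3des-cbc
aes256-cbc
arcfour256
blowfish-cbc
"""

HEADER = re.compile(r"weak (client-to-server|server-to-client) encryption algorithms"
                    r".*?remote service:\s*(\S*)")

def weakness(alg):
    """Reason an SSH encryption algorithm name is flagged (labels are this example's)."""
    name = alg.split("@")[0]          # drop a vendor suffix such as @lysator.liu.se
    if name.startswith("arcfour"):
        return "RC4 stream cipher"
    if name.endswith("-cbc"):
        return "CBC mode"
    return "unclassified"

def parse_scan(text):
    """Return {direction: {reason: [algorithms]}} from the scanner text."""
    result, direction = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.search(line)
        if m:
            direction = m.group(1)
            result[direction] = {}
            line = m.group(2)         # algorithm fused onto the header line, if any
        if not line or direction is None:
            continue
        result[direction].setdefault(weakness(line), []).append(line)
    return result

if __name__ == "__main__":
    for direction, groups in parse_scan(SCAN).items():
        for reason, algs in groups.items():
            print(f"{direction:17} {reason:18} {', '.join(algs)}")
```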
- bknfhds8f (Follower)
Dear Netgear, it is absolutely unbelievable that 9 months on this vulnerability is still present in all of the products we tested. Any and all regulated operating environments require the deprecation of TLS 1.0, especially when used in combination with the weak cyphers which can facilitate the BEAST attack. Please patch this on all versions of your firmware ASAP.
Because our systems are set to not allow insecure ciphers and TLS 1.0, we cannot even configure your devices via their web interfaces.
- DaneA (NETGEAR Employee Retired)