Prosafe M4100-26G TLS 1.2 Not Available and Weak Cipher Suites

Our vulnerability scanning shows that our switch's management over HTTPS only has TLS 1.0.  In today's world, everything should be at TLS 1.2, so it is causing our vulnerability scanning to report it as a high vulnerability.  We have the latest firmware (10.0.2.20), and have recently re-issued the certificates, so I'm not sure what to do.

We have the ability to create self-signed certs externally to the switch, but it doesn't seem to allow us to use them.  I can only see how to let the switch generate its own certificates.

It is also reporting that it is using weak cipher suites.  How can I get these upgraded?

7 Comments
DaneA
NETGEAR Employee Retired

Hi azinnc,

 

Welcome to the community! 🙂 

 

I moved your post here in the Idea Exchange for Business board so that the development team can see this as a feature request on what users want added to the functionality of the M4100-26G switch with regard to security.  I gave kudos to his post.

Be reminded that more kudos given by community members to this feature request will help, as the development team will be reviewing the post that has the most kudos and it might be considered.

 

 

Regards,

 

DaneA

NETGEAR Community Team

atian
Aspirant

Could you provide the vulnerability details in this regard? And what are the weak cipher suites the scanner is reporting?

azinnc
Follower

Here is the information from the scan results:

 

The following weak client-to-server encryption algorithms are supported by the remote service:

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se


The following weak server-to-client encryption algorithms are supported by the remote service:

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

 

The CERT vulnerability information can be found at:
https://www.kb.cert.org/vuls/id/958563
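
Added example, not part of the original thread and not NETGEAR's code: the names in the scan output above are SSH encryption algorithm names, which a server advertises in its SSH_MSG_KEXINIT message (RFC 4253). This sketch parses a KEXINIT payload and lists the CBC-mode and arcfour ciphers offered in each direction; the sample payload and the helper names (`parse_kexinit`, `is_flagged`, `weak_ciphers`, `build_kexinit`) are constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
FIELDS = ["kex_algorithms", "server_host_key_algorithms"] + [
    f"{kind}_{direction}"
    for kind in ("encryption_algorithms", "mac_algorithms",
                 "compression_algorithms", "languages")
    for direction in ("client_to_server", "server_to_client")]

def parse_kexinit(payload: bytes) -> dict:
    """Parse a KEXINIT payload (SSH packet framing already removed)."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    offset, lists = 17, {}  # skip 1-byte message type and 16-byte cookie
    for name in FIELDS:
        (length,) = struct.unpack_from(">I", payload, offset)
        raw = payload[offset + 4:offset + 4 + length]
        if len(raw) != length:
            raise ValueError("truncated name-list")
        lists[name] = raw.decode("ascii").split(",") if raw else []
        offset += 4 + length
    return lists

def is_flagged(cipher: str) -> bool:
    """True for the classes in the scan output: CBC-mode and arcfour (RC4)."""
    base = cipher.split("@", 1)[0]  # drop a private "@domain" suffix
    return base.endswith("-cbc") or base.startswith("arcfour")

def weak_ciphers(payload: bytes) -> dict:
    """Flagged ciphers per direction, in the order the server offers them."""
    lists = parse_kexinit(payload)
    return {d: [c for c in lists[f"encryption_algorithms_{d}"] if is_flagged(c)]
            for d in ("client_to_server", "server_to_client")}

def build_kexinit(name_lists) -> bytes:
    """Build a constructed KEXINIT payload (zero cookie) for offline testing."""
    body = b"".join(struct.pack(">I", len(s)) + s
                    for s in (",".join(n).encode("ascii") for n in name_lists))
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + b"\x00" + bytes(4)

# Constructed sample: four ciphers from the scan output plus one CTR cipher.
CIPHERS = ["aes128-ctr", "3des-cbc", "aes256-cbc", "arcfour128",
           "rijndael-cbc@lysator.liu.se"]
SAMPLE = build_kexinit([["diffie-hellman-group14-sha1"], ["ssh-rsa"], CIPHERS,
                        CIPHERS, ["hmac-sha1"], ["hmac-sha1"], ["none"],
                        ["none"], [], []])

if __name__ == "__main__":
    print(weak_ciphers(SAMPLE))
```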

atian
Aspirant

Which scanner did you use?

azinnc
Follower

OpenVAS

bknfhds8f
Follower

Dear Netgear, it is absolutely unbelievable that 9 months on this vulnerability is still present in all of the products we tested. Any and all regulated operating environments require the deprecation of TLS1.0, especially when used in combination with the weak ciphers which can facilitate the BEAST attack. Please patch this on all versions of your firmware ASAP.

 

Because our systems are set to not allow insecure ciphers and TLS1.0 we cannot even configure your devices via their web interfaces.

DaneA
NETGEAR Employee Retired

@bknfhds8f,

 

Welcome to the community! 🙂 

 

You may want to open a support ticket to NETGEAR Support here and let them know about your concern as well. 

 

 

Regards,

 

DaneA

NETGEAR Community Team