
Re: Vulnerabilities on Ready NAS 204

ndpm
Aspirant

Vulnerabilities on Ready NAS 204

We did a scan of our network and found several vulnerabilities in our NAS 204.

I looked online but was not able to find anything.

Here is the list:

1: SSL Medium Strength Cipher Suites Supported

2: Apache 2.2.x < 2.2.33-dev / 2.4.x < 2.4.26 Multiple Vulnerabilities

3: Apache 2.2.x < 2.2.34 Multiple Vulnerabilities

4: SSL 64-bit Block Size Cipher Suites Supported (SWEET32)

5: SSL Certificate Cannot Be Trusted

6: SSL Certificate with Wrong Hostname

Can you help me to fix this?

Thank you.

Model: RN204|ReadyNAS204
Message 1 of 10
StephenB
Guru

Re: Vulnerabilities on Ready NAS 204

You can't fix (5) unless you arrange to install a cert from a CA. The NAS uses a self-signed cert.

What firmware are you running?

Message 2 of 10
ndpm
Aspirant

Re: Vulnerabilities on Ready NAS 204

6.7.5

Message 3 of 10
StephenB
Guru

Re: Vulnerabilities on Ready NAS 204

I'm running 6.8.0-RC1 on mine.

I checked with www.ssllabs.com

 

I got the expected self-signed cert issues

Alternative names - INVALID
DNS CAA No
Trusted No NOT TRUSTED

It also got a downgrade on forward secrecy - details are

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 1024 bits   FS   WEAK

TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits   FS   WEAK

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 1024 bits   FS   WEAK

TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK

TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)   DH 1024 bits   FS   WEAK

TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)   DH 1024 bits   FS   WEAK

 

There was one encryption method with a 112 bit key that was also flagged.

TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK

 

These are easily fixed by Netgear - removing one cipher suite, and changing the minimum DH key size.

 

Message 4 of 10
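An added example (not part of the thread, and not NETGEAR or SSL Labs code): it parses the cipher suite lines quoted in the post above, states why each one is flagged, and models the two changes the post names (removing one cipher suite and raising the minimum DH size). The 2048-bit threshold and the function names are assumptions made for this example.

```python
import re

# Cipher suite lines as quoted from the SSL Labs report in the post above.
REPORT = """\
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 1024 bits   FS   WEAK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits   FS   WEAK
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 1024 bits   FS   WEAK
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)   DH 1024 bits   FS   WEAK
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)   DH 1024 bits   FS   WEAK
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK
"""

LINE = re.compile(r"^(TLS_\w+)\s+\((0x[0-9a-f]+)\)(?:\s+DH (\d+) bits)?")
MIN_DH_BITS = 2048  # assumption: DH groups below this size are reported as weak
BLOCK64 = ("3DES_EDE", "_DES_", "IDEA", "RC2")  # 64-bit block ciphers in suite names

def parse(report):
    """Return one dict per suite line: name, numeric id, DH group size or None."""
    suites = []
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if m:
            dh = int(m.group(3)) if m.group(3) else None
            suites.append({"name": m.group(1), "id": int(m.group(2), 16), "dh_bits": dh})
    return suites

def reasons(suite):
    """Explain why a suite is flagged; an empty list means neither check fires."""
    out = []
    if any(tag in suite["name"] for tag in BLOCK64):
        out.append("64-bit block cipher (SWEET32)")
    if suite["dh_bits"] is not None and suite["dh_bits"] < MIN_DH_BITS:
        out.append(f"DH group {suite['dh_bits']} < {MIN_DH_BITS} bits")
    return out

def audit(suites):
    return {s["name"]: reasons(s) for s in suites if reasons(s)}

def after_fix(suites, dh_bits=2048):
    """Model the two server-side changes: drop 64-bit block suites, enlarge the DH group."""
    kept = [s for s in suites if not any(tag in s["name"] for tag in BLOCK64)]
    return [dict(s, dh_bits=dh_bits if s["dh_bits"] is not None else None) for s in kept]

if __name__ == "__main__":
    for name, why in audit(parse(REPORT)).items():
        print(f"{name}: {'; '.join(why)}")
```

Running `audit(after_fix(parse(REPORT)))` returns an empty result: all eight DHE suites stay enabled, so forward secrecy is kept and only the 3DES suite is dropped.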
kohdee
NETGEAR Expert

Re: Vulnerabilities on Ready NAS 204

Things that help NETGEAR better diagnose these issues are also knowing which software you used to generate this report, and a copy of the report.... What you've provided here is not really explicit to any specifically known vulnerability. CVE numbers help here.


On your apache2 problems, if your scanner only checks version, then you cannot trust that. We do lots of cherrypicking from newer versions and put fixes in seemingly older versions. So likely, these are not realistic. We also do this in kernel and other things. 


You could eliminate 4 of those by using HTTP instead of HTTPS 😛 

Message 5 of 10
mdgm-ntgr
NETGEAR Employee Retired

Re: Vulnerabilities on Ready NAS 204

Some checkers just check version numbers. We can't update to apache 2.4 as it would break WebDAV.

We backport what we need for various packages and update to newer package versions where it makes sense to do so.

Message 6 of 10
ndpm
Aspirant

Re: Vulnerabilities on Ready NAS 204

Nobody from Netgear tried to contact me to get the report.

The scans are done with Tenable IO.

Message 7 of 10
StephenB
Guru

Re: Vulnerabilities on Ready NAS 204


@ndpm wrote:

Nobody from Netgear tried to contact me


Both @kohdee and @mdgm-ntgr work for Netgear.

 

You could perhaps PM Kohdee and send him a copy of the full report.

Message 8 of 10
xiao123
NETGEAR Expert
Moved:

Re: Vulnerabilities on Ready NAS 204

Message 9 of 10
xiao123
NETGEAR Expert

Re: Vulnerabilities on Ready NAS 204


Invalid comment, please ignore it. 

 

Message 9 of 10