Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
Seriously? Obviously you are not getting the message...
Any manufacturer is subject to have vulnerabilities in their products, no exceptions, but when you see a company like Netgear using critical software components almost 12 years old (OpenSSL 0.9.7f 22 March 2005) with legions of well known security flaws (CVEs) in the public realm on all their products including the latest ones, anyone can already see what kind of security concerns exist on their part, and still taking several months to address them...
It shouldn't be the end-user / client reporting these issues, don't they have eyes to see it after 12 years? Or maybe their development team doesn't know about it? Don't they see https://cve.mitre.org/ or other online news? That's quite hilarious.
I'm not targeting Netgear specifically, there are also other similar situations happening at manufacturers like D-Link, TP-Link, etc.
I'm simply reporting a real fact which should be shared and known to the general public before deciding to purchase their products. This kind of critical reporting is important and only makes companies better, not worse; unfortunately not everyone can understand it that way.
I suggest you keep supporting Netgear that way since you are quite happy with their products / support, they really appreciate it.
Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
@IrvSp wrote: Well, do you know when they first were alerted to the problems? Do you know how long it took them to take action? I don't know those dates?
In this case, Netgear has admitted that it took the eye off the ball.
It did receive an approach from someone who first spotted the vulnerability, but the approach seems to have been a one-off email to an address at Netgear that may have ended up in the spam bin.
When the person who discovered the flaw made it public, it was all hands to the pumps at Netgear, with beta releases of new firmware pushed out widely within days.
There then followed emailings to people who had registered their hardware.
There are blow by blow accounts of this sequence on this board.
Some people turned up here weeks, sometimes months, after the flap complaining – not always in language that it is easy to understand – about crimes against humanity, only to be pointed to the solutions.
Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
What's up with the email notification system? I'm getting bunches of email notices that a reply has been posted and they appear to just be duplicates. Last batch contained 17 notices and before that there was another long string. Anyone else getting a flood of emails?
Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
@Unfiltered1 wrote: What's up with the email notification system? I'm getting bunches of email notices that a reply has been posted and they appear to just be duplicates. Last batch contained 17 notices and before that there was another long string. Anyone else getting a flood of emails?
That usually happens when the writer either presses enter a few times or makes 'minor' editing changes, corrections or adding something after it was posted.
I'm only getting it for 'hggomes' posts though? Only got one for you for instance? Have not seen this in any other instances other than when ones are edited?
The last 2 I got from him via NG were 25 minutes apart and it was edited basically to add a link.
Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
Probably the result of "Edit Reply" post, if so my fault for editing it and Netgear forum software for working that way.
Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
@michaelkenward wrote:
@IrvSp wrote: Well, do you know when they first were alerted to the problems? Do you know how long it took them to take action? I don't know those dates?
In this case, Netgear has admitted that it took the eye off the ball.
It did receive an approach from someone who first spotted the vulnerability, but the approach seems to have been a one-off email to an address at Netgear that may have ended up in the spam bin.
When the person who discovered the flaw made it public, it was all hands to the pumps at Netgear, with beta releases of new firmware pushed out widely within days.
There then followed emailings to people who had registered their hardware.
There are blow by blow accounts of this sequence on this board.
Some people turned up here weeks, sometimes months, after the flap complaining – not always in language that it is easy to understand – about crimes against humanity, only to be pointed to the solutions.
Yes, and in this case it seems the reports on other sites from 1/30 and later seem to have triggered the posting. That or the poster was using those 'reports' as if it just happened.
It just seems as if the person claiming NG is not doing its job refuses to accept they did once they had the information?
I don't support everything NG did/does. I am NOT a 'fanboy' of them. I use their products and I'm happy with it. I've had LinkSys, ASUS, and even TP-Link as well. I'm not unhappy with them either, just I have NG now. I purchase on need and capability, not brand.
Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
@IrvSp wrote:
It just seems as if the person claiming NG is not doing its job refuses to accept they did once they had the information?
He, I assume, is not alone, there have been other latecomers to the bandwagon. But most of them give up when they discover what has gone on.
One problem has been the number of people who turned up asking about hardware that was not on the vulnerability list. (There is a simple test you can use to see if you are vulnerable.)
Then there was the "false positive", the D7000 I think, that was on the original list, only to prove immune to the exploit.
Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
I must ask, I'm interested in getting several Netgear products' GPL code.
Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
Better off asking in https://www.myopenrouter.com/ as that is where Open Source is handled.
The real problem you'll face is finding specific f/w versions... they might not be available, but over there 3rd party source code is.
Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
I'm not really interested in other projects' GPLs, but in the original/native Netgear GPL code, which was always shared on their product/GPL page.
Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
@IrvSp wrote:
Better off asking in https://www.myopenrouter.com/ as that is where Open Source is handled.
I don't think you can get the GPL links for Netgear firmware there - at least I am only seeing dd-wrt and similar stuff.
There's a kb article which should contain the links the OP is asking for, but which is now blank. ElaineM is looking into it.
Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
Let's wait for them to fix the problem/GPL page.
Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
@StephenB wrote:
@IrvSp wrote: Better off asking in https://www.myopenrouter.com/ as that is where Open Source is handled.
I don't think you can get the GPL links for Netgear firmware there - at least I am only seeing dd-wrt and similar stuff.
There's a kb article which should contain the links the OP is asking for, but which is now blank. ElaineM is looking into it.
Knew that, that is why I suggested that Hugo asks there. Obviously some of the developers might know where the GPL source code might be. I did find R7000's F/W source code with a Google search but it was V1.05, not of much value. That is at https://github.com/hajuuk/R7000, but just now I dug a little deeper on that page and there is a LINK to http://kb.netgear.com/app/answers/detail/a_id/2649/~/netgear-open-source-code-for-programmers-(gpl) and THAT IS WHERE all the version links are for many different devices. Just what he needs.
Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
@IrvSp wrote:
...there is a LINK to http://kb.netgear.com/app/answers/detail/a_id/2649/~/netgear-open-source-code-for-programmers-(gpl) and THAT IS WHERE all the version links are for many different devices. Just what he needs
Exactly so.
Earlier in the day that displayed as a blank page. I PM'd @ElaineM when I discovered that, and it looks like she was able to get it straightened out.
Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
Out of curiosity I downloaded the latest R7000 1.0.7.6 FW version and GPL (released on 15 DEC 16) to confirm the closed thread was really fixed / got OpenSSL updated, and I was astonished at how the https://community.netgear.com/t5/General-WiFi-Routers/Netgear-routers-found-to-have-critical-vulnera... case was closed / fixed; it seems nothing at all changed in the FW regarding the old OpenSSL versions:
R7000 Firmware Version 1.0.7.6 - Released on 15 December 2016
OpenSSL 0.9.7f [22 Mar 2005] (source code) - 11 years and 10 months.
Location:
/ap/gpl/openssl
/ap/gpl/transmission/openssl
OpenSSL 0.9.8e [23 Feb 2007] (source code) - 9 years and 11 months.
Location:
/ap/gpl/timemachine/openssl-0.9.8e/
OpenSSL 1.0.0g [18 Jan 2012] (binary file libcrypto.so.1.0.0) - 5 years.
Location:
/src/router/arm-uclibc/target/lib
For reference on OpenSSL vulnerabilities:
https://www.openssl.org/news/vulnerabilities.html
All OpenSSL versions / branches used by Netgear FWs are EOL now / deprecated / no support anymore, which seems not to be a problem to Netgear DEV team, this issue was considered fixed by them not sure based on what changes.
So once again this was initially reported on May 16 and still not fixed, almost 1 year now, this seems a lost case to me like many others...
IrvSp Does it ring a/any bell now?
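The inventory in the post above can be automated. The following is an added example, not part of the thread and not Netgear's tooling: it walks an unpacked firmware or GPL source tree and reports every OpenSSL version banner it finds, with the library's age in months at a reference date. The sample tree is constructed; its directories follow the post, and the file names placed under them are assumptions.

```python
import os
import re
from datetime import date

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
# Banner OpenSSL embeds in crypto/opensslv.h (OPENSSL_VERSION_TEXT) and in
# compiled libcrypto/libssl, e.g. "OpenSSL 0.9.7f 22 Mar 2005".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-fips)?) +(\d{1,2}) (%s) (\d{4})"
                    % "|".join(MONTHS).encode())

def scan_tree(root):
    """Return sorted (relative_path, version, release_date) for every banner found."""
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):      # skip broken symlinks, devices, FIFOs
                continue
            try:
                with open(path, "rb") as fh:  # bytes: same code path for .h and .so
                    data = fh.read()
            except OSError:
                continue
            for ver, day, mon, year in BANNER.findall(data):
                try:
                    released = date(int(year), MONTHS.index(mon.decode()) + 1, int(day))
                except ValueError:            # e.g. "31 Feb": not a real banner
                    continue
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.add((rel, ver.decode(), released))
    return sorted(hits)

def age_in_months(released, as_of):
    """Whole months elapsed between the library release and the reference date."""
    months = (as_of.year - released.year) * 12 + as_of.month - released.month
    return months - 1 if as_of.day < released.day else months

def build_sample_tree(root):
    """Constructed stand-in for an unpacked GPL tree; directories as listed in the post."""
    samples = {
        "ap/gpl/openssl/crypto/opensslv.h":
            b'#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7f 22 Mar 2005"\n',
        "ap/gpl/timemachine/openssl-0.9.8e/crypto/opensslv.h":
            b'#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8e 23 Feb 2007"\n',
        "src/router/arm-uclibc/target/lib/libcrypto.so.1.0.0":
            b"\x7fELF" + b"\x00" * 32 + b"OpenSSL 1.0.0g 18 Jan 2012\x00",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
```

A banner found in a source directory shows what ships in the tree, not which copy a given service links against, so each hit still has to be traced to the binaries that use it.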
Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
You had another THREAD on this and were told what parts of it were being used. See https://community.netgear.com/t5/General-WiFi-Routers/Netgear-routers-found-to-have-critical-vulnera... and use that one if you are unhappy with the results.
============
NETGEAR uses OpenSSL version 1.0.0 for all the router functions that require secure transportation (such as remote https and OpenVPN), we only use OpenSSL 0.9x for “libcrypto” functions in the Time Machine (taking backup from Apple Macs to USB HDD connected to the router) software package not for transportation.
============
If you think that is wrong, reply back in THAT thread.
You were also directed to this, http://kb.netgear.com/000036386/CVE-2016-582384, as well and it says it is corrected.
I assume you do not agree, CALL SUPPORT...
Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
In case you haven't noticed that thread was closed, so I or anyone else is NOT able to reply to it, making your suggestion invalid. 🙂
Their reply on this issue is nonsense anyway; besides 1.0.0, 0.9.7 and 0.9.8 are also being used, which are all EOL / Deprecated / Not supported anymore versions, so it doesn't really matter if it's 1.0.0 or 0.9.7/8, they are all non-secure versions FYI.
Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
@hggomes wrote: In case you haven't noticed that thread was closed, so I or anyone else is NOT able to reply to it, making your suggestion invalid. 🙂
Their reply on this issue is nonsense anyway; besides 1.0.0, 0.9.7 and 0.9.8 are also being used, which are all EOL / Deprecated / Not supported anymore versions, so it doesn't really matter if it's 1.0.0 or 0.9.7/8, they are all non-secure versions FYI.
Didn't realize it was closed, so start a NEW one... don't hijack others.
Please put all you want to say before pressing the POST button. I read my email copy and I'm seeing many that appear close to the same from you. It is a waste of time reading them. Even then, as I reply to one you seem to be changing it too. PLEASE STOP posting like that.
EOL just means it will NOT be updated. One can STILL use it though. Did you know that XP and even Win95 are still in use? They I assume are using 3 different versions for different tasks, NONE of which exposes the firmware to an exploit it would seem according to NG. You have different proof, post it to them in a DIFFERENT thread please and STOP editing the ones you did post. I've seen 3 popups that you are replying to ones here as I enter this. Never see a new one though so it is an OLD one I've already read.
Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
Unfortunately, like I previously explained, it's due to "Edit Reply" button use, so we should blame this forum software, it doesn't make too much sense to me a user not being able to edit the text.
I have really enjoyed your EOL explanation, maybe I'll give it a try on Windows 95, thank you. 🙂
Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
@hggomes wrote: Unfortunately, like I previously explained, it's due to "Edit Reply" button use, so we should blame this forum software, it doesn't make too much sense to me a user not being able to edit the text.
I have really enjoyed your EOL explanation, maybe I'll give it a try on Windows 95, thank you. 🙂
Most people DO NOT NEED to edit their posts. They USE PREVIEW and read what would be posted and if they want to make a change switch back to RICH TEXT or HTML, make the changes and when DONE, then press POST. Try it some time, you might like it.
Yes, EOL doesn't mean it will not work... functions used do...
I'm done with you... now I know why that thread was probably closed...
Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
Hey Gomes! How many times are you using the edit button? I just opened my email program and there were 31 notices of replies to this thread.
Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
IrvSp:
You have described exactly what I did, it seems it didn't work at all.
Same here, but you only need to read it to know why.
Unfiltered1:
Definitely not 31 times. 🙂
Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
@Unfiltered1 wrote: Hey Gomes! How many times are you using the edit button? I just opened my email program and there were 31 notices of replies to this thread.
Indeed, this guy does not know how to use a forum. He is practically the only one who creates multiple posts of one message.
But rather than being unkind, let me add a suggestion.
This forum is very good at remembering what you are writing.
If you make a mistake and close a window, or do something equally silly, or even Windows crashes, you can pick up where things went wrong.
Go back to the message you were answering and the forum software will ask if you want to reload your message. It misses very little if anything.
PS Apologies for going off topic, but it might help to preserve the collective sanity.
Re: NETGEAR Routers and CVE-2016-582384 security vulnerability
I must agree with you, I definitely don't know how to use THIS forum. I'm not used to a forum where at every single edit you will end up flooding the users' mailboxes; I have never seen it happening on ANY other forum used before: XenForo, vBulletin, phpBB, MyBB, etc.
Here's the issue: I usually remember later to add extra content to the initial post or simply notice that I need to fix something in the text (English is not my native language). I also noticed that this forum software only allows the user to edit the post in 5-10m after posting, then the option will be removed; when that happens you will not be able to fix anything anymore or add any extra content to your previous post, which is something new to me, so the way it is is the way it will end up. I have never seen anything like that.
Thank you for your post information.