Latest Security Vulnerability KB Article links to old R7000 Firmware

Hi, 

 

The KB Article for the latest security vulnerability links to firmware version 1.0.5.70 for R7000:

http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability?cid=wmt_ne...

 

Isn't that version vulnerable to "Security Advisory VU 582384"? How come we should "downgrade" from 1.0.7.6 to 1.0.5.70 to fix this vulnerability?

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 1 of 8

Accepted Solutions
ElaineM
NETGEAR Employee Retired

Re: Latest Security Vulnerability KB Article links to old R7000 Firmware

The link in the article has been updated to the latest firmware available for R7000. 

 

Thank you guys for bringing this to our attention. 

ElaineM
NETGEAR Community Team

Message 8 of 8

All Replies
StephenB
Guru

Re: Latest Security Vulnerability KB Article links to old R7000 Firmware


@R7_0_0_0_User wrote:

 

The KB Article for the latest security vulnerability links to firmware version 1.0.5.70 for R7000:

http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability?cid=wmt_ne...

 

Isn't that version vulnerable to "Security Advisory VU 582384"? How come we should "downgrade" from 1.0.7.6 to 1.0.5.70 to fix this vulnerability? 

 


Yes it is vulnerable to VU 582384, and you shouldn't downgrade to it.  

 

If you look at http://www.netgear.com/about/security/?cid=wmt_netgear_organic , you'll see the article you linked is published May 9th 2016 - it is not the "latest security vulnerability".  Unfortunately the KB articles don't include that date (only the date the page was last updated, which can be misleading).

Message 2 of 8

Re: Latest Security Vulnerability KB Article links to old R7000 Firmware

Hi StephenB

 

Thanks for the info. I found the link here: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5521 - this is why I called it the "latest security issue". Are you saying that CVE-2017-5521 is not a current or new security issue? German tech press (heise.de) posted last week that Netgear devices have a new "big" hole and also pointed to these links.

Message 3 of 8
StephenB
Guru

Re: Latest Security Vulnerability KB Article links to old R7000 Firmware


@R7_0_0_0_User wrote:

Hi StephenB

 

Thanks for the info. I found the link here: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5521 - this is why I called it the "latest security issue". Are you saying that CVE-2017-5521 is not a current or new security issue? German tech press (heise.de) posted last week that Netgear devices have a new "big" hole and also pointed to these links.


I agree that the CVE is current, and points to that KB article ( https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5521 ).  And the CVE says the issue was vendor-reported.  

 

I don't work for Netgear, so I don't have any inside info here.  What I do know is that particular security issue was posted in May 2016.  

 

So this is quite confusing.  Hopefully Netgear can clarify it.

 

Message 4 of 8
thelemonkid
Luminary

Re: Latest Security Vulnerability KB Article links to old R7000 Firmware

But that link points to old firmware....? Or....?

 

I am now using  R7000-V1.0.7.6_1.1.99.chk

 

It was supposed to take care of a recent vulnerability. But is this another older one we talk about?

 

I read: Firmware fixes are currently available for the following affected devices. To download the firmware release that fixes the password recovery vulnerability, click the link for your model and visit the firmware release page for instructions:

Message 5 of 8
StephenB
Guru

Re: Latest Security Vulnerability KB Article links to old R7000 Firmware


@thelemonkid wrote:

But that link points to old firmware....? Or....?

 

I am now using  R7000-V1.0.7.6_1.1.99.chk

 

It was supposed to take care of a recent vulnerability. But is this another older one we talk about?

 


I believe it is older, and likely not an issue with R7000-V1.0.7.6_1.1.99.chk.  But I think Netgear needs to comment.  

Message 6 of 8
ElaineM
NETGEAR Employee Retired

Re: Latest Security Vulnerability KB Article links to old R7000 Firmware

I have forwarded this to our engineering team and am waiting for their response.

Will provide an update as soon as I have one. 

ElaineM
NETGEAR Community Team
Message 7 of 8