Orbi WiFi 7 RBE973
Reply

Re: CVE issues with SXR80

eierughdf
Tutor

CVE issues with SXR80

i had chose netgear when buying the SXR80 because it seemed they put out regular firmware updates for the life of the products. Well this year i've not seen any firmware updates for the Orbi SXR80 been on 4.2.3.102 since it was released. So what is netgear going to do about CVE issues with their software? I'm very disappointed they are not taking security seriously and addressing these issues.

Message 1 of 9
eierughdf
Tutor

Re: CVE issues with SXR80

Correction, not CVE issues but these are security issues that should be fixed:

Missing 'Secure' Cookie Attribute (HTTP)
Missing 'HttpOnly' Cookie Attribute (HTTP)
DNS Cache Snooping Vulnerability (UDP) - Active Check
SSL/TLS: Deprecated TLSv1.0 and TLSv1.1 Protocol Detection
SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability

 

also update openSSL and certs so that your VPN works with the latest version
of openVPN without havinng to enable legacy settings.

Message 2 of 9
quagmire1
Luminary

Re: CVE issues with SXR80

 I share your disappointment.  There has not been an update for the SXx80 since October 2022.

 

I have been looking at potential replacements. The one I'm looking at has this statement as part of its description:

"[Brand X] guarantees software updates for this product will be provided until Dec 2027."

(It would be rude, on Netgear's own web site, to tell you which brand.)

Message 3 of 9
BruceGuo
NETGEAR Expert

Re: CVE issues with SXR80

Hi Eierughdf,

 

We are working on next SXK80 firmware release v4.3.2.x, which will include known security bugfix. We target to release by mid of Aug. We are still maintaining firmware for critical issues and security issues. 

 

Thanks

Bruce

Message 4 of 9
eierughdf
Tutor

Re: CVE issues with SXR80

Nice to hear that news but i will say in closing that Netgear's actions with regards to firmware updates will determine if i stay with netgear or drop netgear when i eventually have to replace these.   FYI, your VPN does not work with Fedora FC38 unless the security policy is set to legacy.  not a good look for netgear.

Message 5 of 9
TSpitzmann
Guide

Re: CVE issues with SXR80

I agree to @eierughdf, but in addition I want to emphasise that it would be even more important for Netgear to serve these products with more frequent updates, because these products are the business line and not private use/ family products.

Given this fact priorities for these devices need to be higher than (business) customers currently experince.

 

 

Message 6 of 9
schumaku
Guru

Re: CVE issues with SXR80


@eierughdf wrote:

FYI, your VPN does not work with Fedora FC38 unless the security policy is set to legacy.  not a good look for netgear.


The OpenVPN service is designed and implemented just like on an almost one decade old consumer router. It was never updated after to higher standards and key length since.

Message 7 of 9
Chrisduk
Guide

Re: CVE issues with SXR80

When is this firmware out? It’s now the end of August and September in a few days
Message 8 of 9
BruceGuo
NETGEAR Expert

Re: CVE issues with SXR80

New SXK80 firmware is posted.

Message 9 of 9
Top Contributors
Discussion stats
  • 8 replies
  • 2390 views
  • 9 kudos
  • 6 in conversation
Announcements