× NETGEAR will be terminating ReadyCLOUD service by July 1st, 2023. For more details click here.
Orbi WiFi 7 RBE973
Reply

Re: ReadyNAS OS Dead?

schumaku
Guru

Re: ReadyNAS OS Dead?


@Sandshark wrote:

But your premise in that other post, that Netgear has announced that they will not support some OS6 units and will soon do the same for others, has no basis in any actual Netgear announcement.

Every Netgear customer with an EoL-ed ReadyNAS OS 6 system, even those with not yet Eol-ed models are left in space. We have no information about how long Hardware Repair or Replacement, OS and App Updates and Maintenance, and Technical Support and Security Updates will be held up. 

Very different fom what the major NAS competitors do.

 

We can't plan, we can't schedule migrations - we're simply left alone out here. 

Message 26 of 147
rn_enthusiast
Virtuoso

Re: ReadyNAS OS Dead?

ReadyNAS is dead as far as I am concerned, and has been for the past 3 years. We are coming to a cross-roads now where the Debian version, the Rn OS itself and all the apps (including the internal ones, like their version of apache) are so outdated that it makes no sense to keep using it.

 

Covid might have put a damper on things too but Netgear's silence with regards to the ReadyNAS line-up started long before Covid came around. It is a shame too because these units are quite good hardware wise. The decent thing from Netgear would be to allow us to totally unlock/flash to BIOS which would facilitate much easier install of whatever Linux flavour we wanted, on the box.

 

The future for me is likely the DIY route. I have already started to plan my move to a DYI Ubuntu server running BTRFS raids. It will give me total control, which I can't get with any vendor NAS units. As for my RN422 and RN 212 units... I don't know what I will do. Probably donate them to someone but they could serve as backup units for another year or so.

Message 27 of 147
StephenB
Guru

Re: ReadyNAS OS Dead?

I'm planning to use my ReadyNAS for the foreseeable future.  

 

I'd like to see Netgear upgrade the OS, and if they do exit the business I'd like to see them open things up.  But I'll continue to use my ReadyNAS whether they do that or not.

 

My ReadyNAS aren't exposed to the internet, and I've chosen just to use them for storage (no apps other than SMB plus).  I don't see any unmanagable security issues - but I can easily switch to a different vendor (or roll my own NAS) if necessary. 

 

Message 28 of 147
SignedAdam
Apprentice

Re: ReadyNAS OS Dead?

@StephenB it's definitely got vulnerabilities

http://w.cvedetails.com/version/111987/Debian-APT-0.8.11.html that's just the operating system

Not to mention all the outdated packages

https://www.cvedetails.com/vulnerability-list.php?vendor_id=45&product_id=0&version_id=0&amp...

It's not even funny anymore
Message 29 of 147
jw48165
Guide

Re: ReadyNAS OS Dead?

@SignedAdam That's why I sold mine.  What I would recommend to anyone wanting to continue using running ReadNAS hardware w/o trying to upgrade Debian, would be to use it with iSCSI only.  At the end before I sold it, I was doing exactly that, with rclone/smb/plex/etc. all running on an external Linux host and I shut everything off on the storage except iSCSI.  As I migrated data into iSCSI I freed space in my other volumes to grow the iSCSI side.  It took a couple of days.  Ultimately I ran into speed issues in the RN box that pushed to sell it.

Message 30 of 147
SignedAdam
Apprentice

Re: ReadyNAS OS Dead?

Has no one who has a readynas have a high profile? I think Netgear need sorting out. I feel abandoned and my RN422 isn't even out of support.
Message 31 of 147
StephenB
Guru

Re: ReadyNAS OS Dead?


@SignedAdam wrote:
it's definitely got vulnerabilities

I didn't deny that. I only said the risk is managable for me, since I am running the NAS on a closed network (also it is a home network).

 

I will say that the details matter here - most of the vulnerabilities in your lists don't apply to the current ReadyNAS software (as your lists include stuff that was fixed long ago).  But we agree it would be good if they updated the OS (and related packages).

 

Message 32 of 147
SignedAdam
Apprentice

Re: ReadyNAS OS Dead?

How have the vulnerabilities been fixed ? The version numbers are exactly the same as the ones listed with vulnerabilities... Even in a home network this is risky, this Nas product is marketed towards business more than home. I doubt Netgear have managed to fix everything in house, did you see the Apache list. I very much doubt it.
Message 33 of 147
SignedAdam
Apprentice

Re: ReadyNAS OS Dead?

Give us proof @StephenB
Message 34 of 147
StephenB
Guru

Re: ReadyNAS OS Dead?


@SignedAdam wrote:
Give us proof @StephenB

Proof of what? 

  • One of your links pointed to four APT CVEs.  The NAS runs APT 1.2.27 - which was not listed as a vulnerable version for any of the four CVEs. 
  • Your other link (JSPWiki) points to a package that isn't even running on the ReadyNAS.

So while there are vulnerabilities, your links aren't relevant to the case you are trying to make.  I have no idea why you grabbed the ones you did.

 

In any event, I am not trying to convince you (or anyone else) on what course of action you should take.  I'm just saying that I intend to use my ReadyNAS for the forseeable future, no matter what Netgear chooses to do.  I don't see any unmanagable security risks in doing that. 

 

But you can do as you like. 

 

 

 

Message 35 of 147
SignedAdam
Apprentice

Re: ReadyNAS OS Dead?

My links above are valid, and do apply to Debian 8.11 which is the underlining operating system of readynas, Apache is also the package used for the web interface. Readynas os 6 is not a product fully made by Netgear (at least when it comes to the os) you do know that right @StephenB
Message 36 of 147
SignedAdam
Apprentice

Re: ReadyNAS OS Dead?

Treat me stupid, I'll do it back @StephenB

Instead of trying to insult me, maybe you could list what vulnerabilities do apply.
Message 37 of 147
schumaku
Guru

Re: ReadyNAS OS Dead?


@SignedAdam wrote:
My links above are valid, and do apply to Debian 8.11 which is the underlining operating system of readynas, Apache is also the package used for the web interface

It was the base used, you can't imply it still is bit by bit the same as it was years ago.. You would have to look into the source code making up OS 6.10.4. Your links might be valid (leaving alone Apache references applicable when running it on Windows) but not for what is implemented as of today.

Message 38 of 147
jw48165
Guide

Re: ReadyNAS OS Dead?

This thread is pointless.  You're arguing about worthless nonsense and a dead operating system.  I'm unsubscribing.  Again though, if you're too challenged to just upgrade to a regular Debian release, your only option is going to be to get a different chunk of hardware.  Trying to convince Netgear to roll ZFS code was good for a laugh though.  Goodbye.

Message 39 of 147
StephenB
Guru

Re: ReadyNAS OS Dead?


@SignedAdam wrote:
Apache is also the package used for the web interface.

Yes, but you confused the vendor field with the product field.  Your link includes all 198 products from apache, not just the web server.  The first one in the list was in fact for JSPWiki - which as I noted doesn't run on the NAS.  The apache web server vulnerabilities for 2.4.25 are reported here: https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/version_id-218176/

 

Your first link was to Debian apt, not to Debian Linux. I clicked on the details of the 4 CVEs in that link, and none of them list the version of apt installed on the NAS.  Debian Linux Vulnerabilities are listed here: https://www.cvedetails.com/version/182793/Debian-Debian-Linux-8.0.html  This list includes all reported vulnerabilities - including the ones that have been fixed

 

Another factor here is that Netgear does backport some security fixes - and there is no easy way to tell exactly what they backported, and what they didn't.  The release notes aren't complete, and unfortunately don't always list the CVEs that were addressed.  They also update the kernel regularly. For example, the 6.10.3 release notes say they updated the kernel (released last May).  The kernel updates certainly address many of the CVEs in the debian list. The 6.10.4 release notes say there were security fixes (but they don't say which CVEs were addressed). 

 

I haven't claimed that the security is perfect, only pointed out that your links weren't on-target (and they weren't).  My assessment is that it safe enough for my use.  The web server (like the NAS itself) can only accessed by devices under my control, so there is little risk that the attacks in the CVEs would ever be made.  If my NAS were accessible over the internet, I'd be more concerned.  But I don't (and won't) deploy them that way.  Malware hitting my PCs is IMO a bigger threat, and I've arranged my backup plan to deal with that threat.

 

As far as I can tell, you'd already made up your mind about the ReadyNAS before you started your recent posts.  If I felt the way you did, I'd just sell it and move on.

Message 40 of 147
SignedAdam
Apprentice

Re: ReadyNAS OS Dead?

Finally you come at me with some shots, the fact remains it needs sorting out, yes my links weren't exact, but let's not be pedantic, I wasn't far off the Mark.

Lots of vulnerabilities are still shown, it would be nice if the Netgear developers for this readynas would get them self-involved, however I understand why they might not because it's embarrassing.

Facts, The web server needs changing because Apache is very difficult to update, and could end at any point, I'm not even sure if it's still going for Debian 8.11 and the whole operating system needs moving up a few versions. And connman, the connection manager is awful. It has no UI what so ever. You can't add extra ips with conman, as the name implies it was probably a con to have it as the (connection manager)

By the way not everything can be updated https://unix.stackexchange.com/questions/404036/how-do-i-update-apache2-to-the-latest-version-on-deb...
Message 41 of 147
SignedAdam
Apprentice

Re: ReadyNAS OS Dead?

If I even want to attempt to update Apache I have to learn to compile. 🤣 Wow this is noob friendly
Message 42 of 147
SignedAdam
Apprentice

Re: ReadyNAS OS Dead?

With out the source code Netgear use to compile Apache for ready Nas I don't even think we could, my Nas rn422 has functionality that wouldn't work with out the source code.
Message 43 of 147
StephenB
Guru

Re: ReadyNAS OS Dead?

Some folks here tried to update apache on their own, and ended up breaking the NAS web ui.  They weren't trying to build it, just updating it using apt-get.  Not sure if that would happen with 6.10.4, but it's not something I would try on my main NAS.

 

So you do need to be careful when updating packages on your own.

 

 

Message 44 of 147
SignedAdam
Apprentice

Re: ReadyNAS OS Dead?

I don't think it is as simple as apt-get compile means build from source code, it means to start from scratch with a layout, we don't have the layout of the land so we can't compile Apache, which means we can't update it with out Netgear doing it for us. Or them giving us the layout so we can do it our selfs..
Message 45 of 147
SignedAdam
Apprentice

Re: ReadyNAS OS Dead?

The only way we could update it with out netgears help would be to reverse engineer it
Message 46 of 147
SignedAdam
Apprentice

Re: ReadyNAS OS Dead?

Which again, and I know this is getting old now, we need a new operating system from the ground up. I use my ReadyNas online, it's on a network with the internet. Having security flaws like this, on a device that isn't out of support, is bad business, if I, a Netgear customer don't see significant change soon. Well I won't ever be a Netgear customer again, I won't be buying another Netgear product for as long as their are other competitors doing a better job. The developers of this product should be ashamed of the product produced here, it was built to fail and not stand the test of time, this is a mini server in its own right, which means it needs constant updates, this isn't just some dum ethernet switch, this is a Nas box that's meant to give me a secure remote and local connection.

The features offered are few and between, so it doesn't even have that going for it, I haven't sold it on because I thought Netgear was a brand I could trust and rely on for years. Just like I can rely on Asus and there great wrt based routers, or signology and what they are doing. I'm not feeling the same product support from Netgear here on the readynas brand. It's really sad and disappointing and I paid well over the odds for what this product is, a cheap put together machine with a brand name on it, admittedly at the time it was the best hardware in a nas at the time, but most of the cost was because of the brand, support. Non-existent at the moment.

Yes I could pay money for phone support, but phone support for what? An out dated machine that isn't maintained or had a overhaul in firmware and os in years.
Message 47 of 147
schumaku
Guru

Re: ReadyNAS OS Dead?


@SignedAdam wrote:
With out the source code Netgear use to compile Apache for ready Nas I don't even think we could, my Nas rn422 has functionality that wouldn't work with out the source code.

Without what please? There you go -> NETGEAR Open Source Code for Programmers (GPL) 

 

There is much more involved but compiling an Apache2 binary. And yes: ConnMan s***s.

Message 48 of 147
SignedAdam
Apprentice

Re: ReadyNAS OS Dead?

Can you compile Apache @schumaku 🤣 because I can't, really Netgear need to step up here and give the support we expect.
Message 49 of 147
htroudi
Apprentice

Re: ReadyNAS OS Dead?

Model: RN104|ReadyNAS 100 Series 4- Bay
Message 50 of 147
Discussion stats
Announcements