Netgear routers found to have critical vulnerabilities within the shipped software components.
I have been a Netgear tester of several router models for years now.
The Netgear hardware is generally solid and reliable; however, it's the software side that, in my opinion, lacks attention in several key areas.
This is a totally unexpected problem, especially with the security issues being rampant today with consumer models by different companies, Netgear should look at their direct competitor ASUS with regular and persistent security updates fixes on their software networking devices.
I for one would have expected Netgear to use this fact in their favor, but instead in the end there I find more of the same sloppy and lazy implementations of the software components, this even within your current hardware on market today.
After checking the most recent GPL code for the latest Netgear X8 R8500 router model, much to my surprise, I still see the same issues, something not acceptable:
OpenSSL 0.9.7f 22 March 2005 (software that is 11 years and 2 months old)
OpenSSL: https://www.openssl.org/news/vulnerabilities.html
Sources:
http://www.downloads.netgear.com/files/GPL/R8500-GPL_V1.0.2.54_1.0.56.zip
All Netgear routers share the same components, this seems to me a critical issue for all your current products which we as consumers buy from a well established and trusted company such as Netgear...
So my questions to Netgear are:
Where is the software development oversight?
Where is the quality control?
Where is the customer care?
As a Netgear user I would feel betrayed and that ultimately all Netgear cares about is bottom lines and not building a more reliable trust base with their customers for something that is, in essence, a cost of 60 seconds per most components in order to correct some of these issues.
Best regards,
Hugo
Accepted Solutions
Hi All,
The Security Advisory for VU 582384 has been updated.
Also, for more information and updates, see the thread below.
All Replies
Re: Netgear routers found to have critical vulnerabilities within the shipped software components.
I have been a Netgear tester of several router models for years now.
The Netgear hardware is generally solid and reliable; however, it's the software side that, in my opinion, lacks attention in several key areas.
This is a totally unexpected problem, especially with the security issues being rampant today with consumer models by different companies, Netgear should look at their direct competitor ASUS with regular and persistent security updates fixes on their software networking devices.
I for one would have expected Netgear to use this fact in their favor, but instead in the end there I find more of the same sloppy and lazy implementations of the software components, this even within your current hardware on market today.
After checking the most recent GPL code for the latest high-end Netgear X8 R8500 router model (costing $400/550€), much to my surprise, I still see the same issues, something not acceptable:
OpenSSL 0.9.7f 22 March 2005 (software that is 11 years and 2 months old)
OpenSSL: https://www.openssl.org/news/vulnerabilities.html
Sources:
http://www.downloads.netgear.com/files/GPL/R8500-GPL_V1.0.2.54_1.0.56.zip
All Netgear routers share the same components, this seems to me a critical issue for all your current products which we as consumers buy from a well established and trusted company such as Netgear...
So my questions to Netgear are:
Where is the software development oversight?
Where is the quality control?
Where is the customer care?
As a Netgear user I would feel betrayed and that ultimately all Netgear cares about is bottom lines and not building a more reliable trust base with their customers for something that is, in essence, a cost of 60 seconds per most components in order to correct some of these issues.
Discussion thread:
http://www.snbforums.com/threads/netgear-routers-found-to-have-critical-vulnerabilities-within-the-s...
Best regards,
Hugo
Re: Netgear routers found to have critical vulnerabilities within the shipped software components.
Hello @hggomes
Welcome to the community!
We thank you for your concern. We do value your input and appreciate your loyalty as a long-time NETGEAR customer. Please be assured that NETGEAR does regularly monitor our products for security issues and we take the security of customers and their data very seriously. NETGEAR uses OpenSSL version 1.0.0 for all the router functions that require secure transportation (such as remote https and OpenVPN), we only use OpenSSL 0.9x for “libcrypto” functions in the Time Machine (taking backup from Apple Macs to USB HDD connected to the router) software package not for transportation. Hope this addresses your concerns.
Again, thank you and have a great day!
Re: Netgear routers found to have critical vulnerabilities within the shipped software components.
Hi ElaineM,
You mean this OpenSSL version: "OpenSSL 1.0.0g 18 Jan 2012" with still legions (~80) of vulnerabilities?
https://www.cvedetails.com/vulnerability-list/vendor_id-217/Openssl.html
Unfortunately it doesn't address my concerns and probably neither those of other Netgear owners. I'm sorry, but I really don't consider this taking seriously the security of customers; all that's needed is a waste of 2 minutes to update to the latest known secure OpenSSL version.
Best regards,
Hugo
Re: Netgear routers found to have critical vulnerabilities within the shipped software components.
BTW, you also forgot to mention "Transmission" app compiled against ancient OpenSSL 0.9.7f 22 March 2005 version.
OpenSSL 0.9.7f 22 March 2005 (Transmission)
OpenSSL 0.9.8e 23 Feb 2007 (Time Machine)
OpenSSL 1.0.0g 18 Jan 2012 (OpenVPN, HTTP, etc)
If Netgear doesn't consider all these reports a security issue...
Best regards,
Hugo
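The check described in the posts above (reading the OpenSSL version banner out of each shipped component) can be automated over an unpacked firmware or GPL tree. This is an added example, not part of the thread and not NETGEAR's code; the file names, the 2016-05-22 reference date and the 24-month staleness threshold are assumptions, and only the three banner strings come from the posts.

```python
import re, tempfile
from datetime import date, datetime
from pathlib import Path

# Banner OpenSSL embeds in its libraries and in programs linked against it.
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-\w+)?)\s+(\d{1,2} [A-Z][a-z]{2,8} \d{4})")

# Constructed sample: hypothetical file names, banners quoted from the thread.
SAMPLE = {
    "usr/sbin/transmission-daemon": b"\x7fELF\x00OpenSSL 0.9.7f 22 March 2005\x00",
    "lib/libcrypto.so.0.9.8": b"\x7fELF\x00OpenSSL 0.9.8e 23 Feb 2007\x00",
    "usr/sbin/openvpn": b"\x7fELF\x00OpenSSL 1.0.0g 18 Jan 2012\x00",
    "etc/banner.txt": b"no crypto library here\n",
}

def parse_release(text):
    """Parse '22 March 2005' or '18 Jan 2012'; None if neither form fits."""
    for fmt in ("%d %B %Y", "%d %b %Y"):
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            pass
    return None

def scan_tree(root, today, max_age_months=24):
    """Return (path, version, release, age_months, stale) per banner found."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        for ver, rel_text in sorted(set(BANNER.findall(path.read_bytes()))):
            rel = parse_release(rel_text.decode())
            if rel is None:
                continue  # looked like a banner but the date did not parse
            age = (today.year - rel.year) * 12 + today.month - rel.month
            age -= today.day < rel.day  # current month not yet complete
            findings.append((path.relative_to(root).as_posix(), ver.decode(),
                             rel, age, age > max_age_months))
    return findings

def scan_sample(today):
    with tempfile.TemporaryDirectory() as tmp:  # write SAMPLE, then scan it
        for name, blob in SAMPLE.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(blob)
        return scan_tree(tmp, today)

if __name__ == "__main__":
    for row in scan_sample(date(2016, 5, 22)):  # constructed reference date
        print(row)
```

Release age is only a triage signal; each reported version still has to be checked against the OpenSSL vulnerability list linked in the thread.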
Re: Netgear routers found to have critical vulnerabilities within the shipped software components.
Per our engineering, we do not have an ETA as to when it will be updated. It requires extensive testing and they are working on it.
Re: Netgear routers found to have critical vulnerabilities within the shipped software components.
It's a start, thank you for the update.
Best regards,
Hugo
Re: Netgear routers found to have critical vulnerabilities within the shipped software components.
The check is in the mail.
I love you.
I won't ...............................
Re: Netgear routers found to have critical vulnerabilities within the shipped software components.
My Netgear cable modem wifi was not working. After talking to Xfinity (super helpful) for an hour to figure out what was wrong with my internet service, they told me it was a problem with my Netgear box and gave me the Netgear support number.
When I talked to Netgear, very quickly I was told the hardware was fine but the software had been attacked by some laptop or mobile device to reset its own IP address. The rep told me that Netgear would offer me a remote fix for $89/6 months (she called it "extended warranty package") so this would never happen again. I believe if Netgear's boxes were prone to such attacks, then it needs to fix this problem before it is sold and not charging extra to fix what seems to me to be a security flaw in Netgear's product: software or hardware. After all, Netgear can't sell just a piece of hardware without any software on it and call it a working product.
I decided not to buy this expensive service and just plug in my Airport Express to the Netgear cable modem. This solution works perfectly fine and my Apple product has none of these security issues and Apple stands behind their product: hardware or software!
Re: Netgear routers found to have critical vulnerabilities within the shipped software components.
Thank you for sharing the info. Unfortunately it doesn't surprise me at all; check my post date and you will really see how much Netgear "takes customers security very serious". One good example is the brand new Netgear model R9000 (X10) sold at $500, still using the ancient OpenSSL 0.9.8p (2010) package version that is 6 years old and with legions of security flaws in it. This simply proves my previous post's point: they don't care at all and they should know it; sending sand to clients' eyes is always easier.
Once again I must say, not acceptable NETGEAR.
The result of these kind of reports will end up on bad reputation and products sales going down.
Re: Netgear routers found to have critical vulnerabilities within the shipped software components.
Ooh, you do have a bee in your bonnet don't you.
Re: Netgear Support Is expensive - NETGEAR Communities
Re: Netgear routers found to have critical vulnerabilities within the shipped software components.
I don't think there is a bee in his bonnet, more like a botnet. This is a serious flaw and should be fixed as soon as possible.
Re: Netgear routers found to have critical vulnerabilities within the shipped software components.
We are currently working on it and OpenSSL fix will be rolled out in the upcoming firmware release.
Re: Netgear routers found to have critical vulnerabilities within the shipped software components.
Hi Elaine, thank you for the information update, looking forward to it.
Best regards,
Hugo
Re: Netgear routers found to have critical vulnerabilities within the shipped software components.
You're very welcome. I'm looking forward to getting this update too.
Have a great day!
Re: Netgear routers found to have critical vulnerabilities within the shipped software components.
Hi ElaineM, another one to add to Netgear Security concerns:
http://www.kb.cert.org/vuls/id/582384
Best regards,
Hugo
Re: Netgear routers found to have critical vulnerabilities within the shipped software components.
The Security Advisory has been updated with more information and beta firmware for some affected models.