× NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
× Introducing the new Orbi 770 Series Mesh System. To learn more click here.
Orbi WiFi 7 RBE973

Netgear routers found to have critical vulnerabilities within the shipped software components.

hggomes
Tutor

Netgear routers found to have critical vulnerabilities within the shipped software components.

I have been a Netgear tester of several router models for years now.

The Netgear hardware is generally solid and reliable, however its the software side, in my opinion lacks attention in several key areas.

This is a totally unexpected problem, especially with the security issues being rampant today with consumer models by different companies, Netgear should look at their direct competitor ASUS with regular and persistent security updates fixes on their software networking devices.

I for one would have expected Netgear to use this fact in their favor, but instead in the end there I find more of the same sloppy and lazy implementations of the software components, this even within your current hardware on market today.

After checking the most recent GPL code for the latest Netgear X8 R8500 router model, much to my surprise, I still see the same issues, something not acceptable:

OpenSSL 0.9.7f 22 March 2005 (software with 11 years and 2 months old)

OpenSSL: https://www.openssl.org/news/vulnerabilities.html

Sources:

http://www.downloads.netgear.com/files/GPL/R8500-GPL_V1.0.2.54_1.0.56.zip

All Netgear routers share the same components, this seems to me a critical issue for all your current products which we as consumers buy from a well established and trusted company such as Netgear...

So my questions to Netgear are:

Where is the software development oversight?
Where is the quality control?
Where is the the customer care?

As a Netgear user I would feel betrayed and that ultimately all Netgear cares is bottom lines and not building a more reliable trust base with their customers for something that, is in essence a cost of 60 seconds per most components in order to correct some of these issues.

 

Best regards,
Hugo

Message 1 of 19

Accepted Solutions
ElaineM
NETGEAR Employee Retired

Re: Netgear routers found to have critical vulnerabilities within the shipped software components.

Message 19 of 19

All Replies
hggomes
Tutor

Re: Netgear routers found to have critical vulnerabilities within the shipped software components.

I have been a Netgear tester of several router models for years now.

The Netgear hardware is generally solid and reliable, however its the software side, in my opinion lacks attention in several key areas.

This is a totally unexpected problem, especially with the security issues being rampant today with consumer models by different companies, Netgear should look at their direct competitor ASUS with regular and persistent security updates fixes on their software networking devices.

I for one would have expected Netgear to use this fact in their favor, but instead in the end there I find more of the same sloppy and lazy implementations of the software components, this even within your current hardware on market today.

After checking the most recent GPL code for the latest high-end Netgear X8 R8500 router model (costing $400/550€), much to my surprise, I still see the same issues, something not acceptable:

OpenSSL 0.9.7f 22 March 2005 (software with 11 years and 2 months old)

OpenSSL: https://www.openssl.org/news/vulnerabilities.html

Sources:

http://www.downloads.netgear.com/files/GPL/R8500-GPL_V1.0.2.54_1.0.56.zip

All Netgear routers share the same components, this seems to me a critical issue for all your current products which we as consumers buy from a well established and trusted company such as Netgear...

So my questions to Netgear are:

Where is the software development oversight?
Where is the quality control?
Where is the the customer care?

As a Netgear user I would feel betrayed and that ultimately all Netgear cares is bottom lines and not building a more reliable trust base with their customers for something that, is in essence a cost of 60 seconds per most components in order to correct some of these issues.

Discussion thread:


http://www.snbforums.com/threads/netgear-routers-found-to-have-critical-vulnerabilities-within-the-s...

Best regards,
Hugo

Message 2 of 19
ElaineM
NETGEAR Employee Retired

Re: Netgear routers found to have critical vulnerabilities within the shipped software components.

Hello @hggomes


Welcome to the community!

 

We thank you for your concern. We do value your input and appreciate your loyalty as a long-time NETGEAR customer. Please be assured that NETGEAR does regularly monitor our products for security issues and we take the security of customers and their data very seriously. NETGEAR uses OpenSSL version 1.0.0 for all the router functions that require secure transportation  (such as remote https and OpenVPN), we only use OpenSSL 0.9x for “libcrypto” functions in the Time Machine (taking backup from Apple Macs to USB HDD connected to the router) software package not for transportation. Hope this addresses your concerns.

 

Again, thank you and have a great day!

Message 3 of 19
hggomes
Tutor

Re: Netgear routers found to have critical vulnerabilities within the shipped software components.

Hi ElaineM,

 

You mean this OpenSSL version: "OpenSSL 1.0.0g 18 Jan 2012" with still legions (~80) of vulnerabilities?

 

https://www.cvedetails.com/vulnerability-list/vendor_id-217/Openssl.html

 

Unfortunatelly it doesn't address my concerns and probably neighter other Netgear owners, I'm sorry but I really don't consider this taking seriously the security of customers, all it's needed is a waste of 2 minutes to update to the latest known secure OpenSSL version.

 

 

Best regards,

Hugo

Message 4 of 19
hggomes
Tutor

Re: Netgear routers found to have critical vulnerabilities within the shipped software components.

BTW, you also forgot to mention "Transmission" app compiled against ancient OpenSSL 0.9.7f 22 March 2005 version.

 

OpenSSL 0.9.7f 22 March 2005 (Transmission)

OpenSSL 0.9.8e 23 Feb 2007 (Time Machine)

OpenSSL 1.0.0g 18 Jan 2012 (OpenVPN, HTTP, etc)

 

If Netgear doesn't consider all this reportings a security issue...

 

 

Best regards,

Hugo

Message 5 of 19
ElaineM
NETGEAR Employee Retired

Re: Netgear routers found to have critical vulnerabilities within the shipped software components.

Per our engineering, we do not have an ETA as to when it will be updated. It requires extensive testing and they are working on it.

Message 6 of 19
hggomes
Tutor

Re: Netgear routers found to have critical vulnerabilities within the shipped software components.

It's a start, thank you for the update.

 

 

Best regards,

Hugo

Message 7 of 19
Retired_Member
Not applicable

Re: Netgear routers found to have critical vulnerabilities within the shipped software components.

The check is in the mail.

I love you.

I won't ...............................

Message 8 of 19
Hgeng
Tutor

Re: Netgear routers found to have critical vulnerabilities within the shipped software components.

Gosh! I just talked to Netgear support over the phone and felt I went through what sounded like the computer scam call I get from India!

My Netgear cable modem wifi was not working. After talking for Xfinity (super helpful) for an hour to figure out what was wrong with my internet service, they told me it was a problem with my Netgear box and gave me Netgear support number.

When I talked to Netgear, very quickly I was told the hardware was fine but the software had been attacked by some laptop or mobile device to reset its own IP address. The Rep told me that Netgear would offer me a remote fix for $89/6 months (she called it "extended warranty package") so this would never happen again. I believe if Netgear's boxes were prone to such attacks, then it needs to fix this problem before it is sold and not charging extra to fix what seems to be to be a security flaw in Netgear's product: software or hardware. After all, Netgear can't sell just a piece of hardware without any software on it and call it a working product.
I decided not to buy this expensive service and just plug in my Airport Express to the Netgear cable modem. This solution works perfectly fine and my Apple product has none of these security issues and Apple stands behind their product: hardware or software!
Message 9 of 19
hggomes
Tutor

Re: Netgear routers found to have critical vulnerabilities within the shipped software components.

Thank you for sharing the info, unfortunatelly it doesn't surprise me at all, check my post date and you will really see how much Netgear "takes customers security very serious", one good example is the brand new Netgear model R9000 (X10) sold at $500 still using ancient OpenSSL 0.9.8p (2010) package version with 6 years old and with legions of security flaws in it, this simply proofs my previous post point, they don't care at all and they should know it, sending sand to clients eyes is always easier.

 

Once again i must say, not acceptable NETGEAR.

 

 

The result of these kind of reports will end up on bad reputation and products sales going down.

Message 10 of 19

Re: Netgear routers found to have critical vulnerabilities within the shipped software components.

Ooh, you do have a bee in your bonnet don't you.

 

Re: Netgear Support Is expensive - NETGEAR Communities

 

 

 

 

Message 11 of 19
jerry66
Tutor

Re: Netgear routers found to have critical vulnerabilities within the shipped software components.

I don't think there is a bee in his bonnet , more like a botnet , this is a Serious flaw and should be fixed as soon as possible .

Message 12 of 19
ElaineM
NETGEAR Employee Retired

Re: Netgear routers found to have critical vulnerabilities within the shipped software components.

We are currently working on it and OpenSSL fix will be rolled out in the upcoming firmware release. 

Message 13 of 19
hggomes
Tutor

Re: Netgear routers found to have critical vulnerabilities within the shipped software components.

Hi Elaine, thank you for the information update, looking forward on it.

 

 

Best regards,

Hugo

Message 14 of 19
ElaineM
NETGEAR Employee Retired

Re: Netgear routers found to have critical vulnerabilities within the shipped software components.

You're very welcome. I'm looking forward to get this update too. 

 

Have a great day!

Message 15 of 19
hggomes
Tutor

Re: Netgear routers found to have critical vulnerabilities within the shipped software components.

Hi ElainM, another one to add to Netgear Security concerns:

 

http://www.kb.cert.org/vuls/id/582384

 

 

Best regards,

Hugo

Message 16 of 19
ElaineM
NETGEAR Employee Retired

Re: Netgear routers found to have critical vulnerabilities within the shipped software components.

@hggomes Thank you for the link. Our team is currently working on this. You may keep track about the status of it from the link below.

 

Security Advisory for VU 582384

Message 17 of 19
mdgm-ntgr
NETGEAR Employee Retired

Re: Netgear routers found to have critical vulnerabilities within the shipped software components.

The Security Advisory has been updated with more information and beta firmware for some affected models.

Message 18 of 19
ElaineM
NETGEAR Employee Retired

Re: Netgear routers found to have critical vulnerabilities within the shipped software components.

Hi All,

 

The Security Advisory for VU 582384 has been updated.

 

Also, for more information and update see the thread below.

 

https://community.netgear.com/t5/Nighthawk-WiFi-Routers/Two-leading-Netgear-routers-are-vulnerable-t...

Message 19 of 19
Top Contributors
Discussion stats
  • 18 replies
  • 8587 views
  • 1 kudo
  • 7 in conversation
Announcements

Orbi 770 Series