Re: Amnesia:33 vulnerabilities for JGS516PE

Chipperchoi
Aspirant

Amnesia:33 vulnerabilities for JGS516PE

Hello all,

 

I am not having much luck in finding any information regarding the Amnesia:33 vulnerabilities showing up on our Qualys scan for the JGS516PE switch.

I understand that the switch is EOL and no longer supported, but is there any information about whether the latest patch from them addresses the vulnerability mentioned?


Model: JGS516PE|ProSafe Plus 16 ports switch with PoE
Message 1 of 7
DaneA
NETGEAR Moderator

Re: Amnesia:33 vulnerabilities for JGS516PE

@Chipperchoi,

 

Kindly check the Security Updates here. If ever it does not include the vulnerability you have mentioned, you can report it by clicking the button "Click Here" under Report Vulnerabilities.

Regards,

 

DaneA

NETGEAR Community Team

Message 2 of 7
Chipperchoi
Aspirant

Re: Amnesia:33 vulnerabilities for JGS516PE

That link doesn't address my question.

If I were to report this, which is an old CVE by the way, will there be fixes for it if the product is EOL?

It is a well-known issue with open-source TCP/IP stacks.

Message 3 of 7
schumaku
Guru

Re: Amnesia:33 vulnerabilities for JGS516PE


@Chipperchoi wrote:

It is a well-known issue with open-source TCP/IP stacks.


Not sure there are similar alternative robust and light TCP stacks, not vulnerable to the Amnesia:33 set, available to replace these embedded microcontroller TCP stacks.

Even if available, it is unclear if the industry will ever update these tiny devices.

 

@YeZ please.

Message 4 of 7
bbl_1
Tutor

Re: Amnesia:33 vulnerabilities for JGS516PE

The Amnesia-33 security vulnerability issue is fixed in JGS516PE latest firmware v2.6.0.48 https://www.netgear.com/support/product/JGS516PE.aspx#download

Its release note shows: 

  • Various security vulnerability fixes and enhancements

Thank you.

Message 5 of 7
Chipperchoi
Aspirant

Re: Amnesia:33 vulnerabilities for JGS516PE

Thank you for the link. However, I am already on that version of firmware on the switch and the Qualys scan is still picking it up.

I know it says it fixed various vulnerabilities but doesn't really say what was fixed. This is a PCI vulnerability that we will get dinged on in an audit, so I need something more than this.

Message 6 of 7
schumaku
Guru

Re: Amnesia:33 vulnerabilities for JGS516PE


@bbl_1 wrote:

The Amnesia-33 security vulnerability issue is fixed in JGS516PE latest firmware v2.6.0.48


Strange at least, if true: .48 is dated 01-dec-2020 while the https://kb.cert.org/vuls/id/815128 release date was 08-dec-2020.

And for the record again: "Various security vulnerability fixes and enhancements" is useless information. At least one reference to each vulnerability/threat fixed - being a Netgear or CERT reference - is expected in business class products.

 

@Chipperchoi the way vulnerability assessment software works can vary widely ...

Message 7 of 7