
Re: Glibc Vulnerability CVE-2015-0235

ZkiiFreak
Aspirant

Glibc Vulnerability CVE-2015-0235

Hi

Just read that all Linux systems seem to be affected by the newly discovered GLIBC vulnerability:
https://www.qualys.com/research/securit ... 5-0235.txt

What are NETGEAR's recommendations for the ReadyNAS systems? Are ReadyNAS systems affected?
Can one perform some kind of apt-get update or such to patch the vulnerability?

Please advise

Thanks in advance
Message 1 of 11
filou
Tutor

Re: Glibc Vulnerability CVE-2015-0235

The GHOST vulnerability only concerns unpatched versions of glibc/eglibc from 2.2 to 2.17.

A way to know whether the NAS unit is affected is to log in with ssh and type the following command to get the glibc version:

ldd --version


On my RNDU 6000 with ReadyNAS OS 6.2.2, I get the following output:


root@NAS-Netgear:~# ldd --version
ldd (Debian GLIBC 2.19-4) 2.19
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.


As you can see, the latest version of ReadyNAS OS is not affected.
Message 2 of 11
StephenB
Guru

Re: Glibc Vulnerability CVE-2015-0235

4.2.27 wrote:
PRO:~# ldd --version
ldd (GNU libc) 2.7
Copyright (C) 2007 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.


4.1.14 wrote:

Duo:~# ldd --version
ldd (GNU libc) 2.3.2
Copyright (C) 2003 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
Message 3 of 11
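
The version check used in the posts above, scripted as an added example (not part of any post in this thread, and not NETGEAR code). The function names are hypothetical; the 2.2 to 2.17 range is the one quoted above, and because it applies to unpatched builds, an "in-range" result still needs to be checked against the vendor's firmware or package changelog.

```shell
#!/bin/sh
# Added example, not from the thread: classify `ldd --version` output against
# the glibc 2.2 - 2.17 range quoted above for CVE-2015-0235 (GHOST).

# Print the glibc version from the first line of `ldd --version` output,
# e.g. "ldd (Debian GLIBC 2.19-4) 2.19" -> "2.19". Prints nothing if absent.
glibc_version_from_ldd() {
    printf '%s\n' "$1" | sed -n '1s/.*)[[:space:]]*\([0-9][0-9.]*\)[[:space:]]*$/\1/p'
}

# Print "in-range", "outside-range" or "unknown" for a version string.
# "in-range" means 2.2 <= version <= 2.17; a distribution may still have
# backported the fix, so confirm against the vendor's package changelog.
ghost_range_status() {
    case "$1" in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major$minor" in
        *[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$major" -eq 2 ] && [ "$minor" -ge 2 ] && [ "$minor" -le 17 ]; then
        echo in-range
    else
        echo outside-range
    fi
}

# Convenience wrapper: raw ldd output in, "<version> <status>" out.
check_ldd_output() {
    v=$(glibc_version_from_ldd "$1")
    echo "${v:-?} $(ghost_range_status "$v")"
}

# First lines of the three outputs posted in this thread.
for line in "ldd (Debian GLIBC 2.19-4) 2.19" "ldd (GNU libc) 2.7" "ldd (GNU libc) 2.3.2"; do
    check_ldd_output "$line"
done
# On a live system: check_ldd_output "$(ldd --version 2>/dev/null)"
```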
super_poussin
Virtuoso

Re: Glibc Vulnerability CVE-2015-0235

I have compiled a test program and ReadyNAS using OS6 are not affected


Sent from my iPhone using Tapatalk
Message 4 of 11
Skywalker
NETGEAR Expert

Re: Glibc Vulnerability CVE-2015-0235

Correct, ReadyNASOS >= 6.2.0 is not vulnerable to CVE-2015-0235. We will have updates for RAIDiator 4.2 and 5.3 soon, although I don't believe there are any unauthenticated attack vectors anyway.
Message 5 of 11
StephenB
Guru

Re: Glibc Vulnerability CVE-2015-0235

Skywalker wrote:
Correct, ReadyNASOS >= 6.2.0 is not vulnerable to CVE-2015-0235. We will have updates for RAIDiator 4.2 and 5.3 soon, although I don't believe there are any unauthenticated attack vectors anyway.
4.1 also?
Message 6 of 11
RX
Luminary

Re: Glibc Vulnerability CVE-2015-0235

Skywalker wrote:
Correct, ReadyNASOS >= 6.2.0 is not vulnerable to CVE-2015-0235. We will have updates for RAIDiator 4.2 and 5.3 soon, although I don't believe there are any unauthenticated attack vectors anyway.


Since you have specifically mentioned that v6.2.0 is not vulnerable, how about the v6.1.x? (You have used ">" [greater than] and "=" [equal] signs so I assumed that this only includes v6.2.x)

I believe that there are ReadyNAS OS 6 users that have their devices still on firmware v6.1.x.
Message 7 of 11
mdgm-ntgr
NETGEAR Employee Retired

Re: Glibc Vulnerability CVE-2015-0235

If they are still running 6.1.x then they can update to 6.2.x.

6.1.9 for example has glibc 2.13-38 whereas 6.2.0 has glibc 2.19-4
Message 8 of 11
Skywalker
NETGEAR Expert

Re: Glibc Vulnerability CVE-2015-0235

StephenB wrote:
4.1 also?

I think that one's TBD at the moment, unless there are any unauthenticated attack vectors.
Message 9 of 11
mdgm-ntgr
NETGEAR Employee Retired

Re: Glibc Vulnerability CVE-2015-0235

Message 10 of 11
TeknoJnky
Hero

Re: Glibc Vulnerability CVE-2015-0235

thumbs up, thanks for keeping the older releases secure.
Message 11 of 11