Security Advisory for Spectre and Meltdown on Some ReadyNAS and ReadyDATA systems

BretD
Admin

Please visit the NETGEAR Security Advisory pages for the latest details on this issue.

 

Security Advisory for Speculative Code Execution (Spectre and Meltdown) on Some ReadyNAS and ReadyDATA Storage Systems, PSV-2018-0005

 

This security advisory addresses the following CVE vulnerabilities:

  • CVE-2017-5715
  • CVE-2017-5753
  • CVE-2017-5754

NETGEAR is aware of two different speculative code execution security vulnerabilities, called Spectre and Meltdown (“Vulnerabilities”), in several vendors’ processors used in NETGEAR ReadyNAS and ReadyDATA products. These Vulnerabilities can only be exploited by someone who can upload and run malicious or compromised code on the product, which requires non-default privileges to be enabled.

NETGEAR does not believe that these Vulnerabilities represent a sufficient threat necessitating that you power down or remove your NETGEAR products from your network, but we do recommend that you follow the workaround procedures listed in the Workarounds section of this advisory.

NETGEAR plans to release well-tested firmware updates that fix or mitigate these Vulnerabilities for all products that are within the security support period. NETGEAR is currently testing and implementing a ReadyNAS firmware update.  

NETGEAR has confirmed that the following products are vulnerable to an attack:

 

ReadyNAS

  • RN12G
  • RN12P
  • RN12S
  • RN12T
  • RN202
  • RN204
  • RN212
  • RN214
  • RN3130
  • RN3138
  • RN3220
  • RN422
  • RN4220
  • RN424
  • RN426
  • RN428
  • RN524X
  • RN526X
  • RN528X
  • RN626X
  • RN628X
  • RNDP6000-200
  • RR2304
  • RR2312
  • RR3312
  • RR4312X
  • RR4360X

ReadyDATA

  • RD5200
  • RDD516

 

NETGEAR will update this advisory when more information is available.

 

Workarounds

NETGEAR recommends that you follow these workarounds until firmware updates are available for your product:

  • Disable the Secure Socket Shell (SSH) protocol on your ReadyNAS or ReadyDATA products.
    SSH is disabled by default. For more information, see ReadyNAS OS 6: SSH access support and configuration guides or your product’s software manual.
  • Only install and run applications from trusted, reputable sources on your ReadyNAS or ReadyDATA products.

 

Disclaimer

The Vulnerabilities remain if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.

 

Common Vulnerability Scoring System Vector

CVSS v3 Rating: Medium

CVSS v3 Score: 5.6

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

 

Contact

We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being proactive rather than reactive to emerging security issues is fundamental for product support at NETGEAR.

It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.

To report a security vulnerability, visit http://www.netgear.com/about/security/.

If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com

 

Revision History

2018-01-07: Published advisory

 

Last Updated: 01/07/2018 | Article ID: 000053240

 

Message 1 of 3
Laserbait
Luminary

Re: Security Advisory for Spectre and Meltdown on Some ReadyNAS and ReadyDATA systems

How come the RN31x series are unaffected by Meltdown and Spectre?

 

Message 2 of 3
StephenB
Guru

Re: Security Advisory for Spectre and Meltdown on Some ReadyNAS and ReadyDATA systems


@Laserbait wrote:

How come the RN31x series are unaffected by Meltdown and Spectre?

 


The RN314 uses an Atom D series processor (D2700). That is not on the list of affected CPUs per Intel's info here: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

 

Message 3 of 3