Security Advisory for Spectre and Meltdown on Some ReadyNAS and ReadyDATA systems
Please visit the NETGEAR Security Advisory pages for the latest details on this issue.
Security Advisory for Speculative Code Execution (Spectre and Meltdown) on Some ReadyNAS and ReadyDATA Storage Systems, PSV-2018-0005
This security advisory addresses the following CVE vulnerabilities:
- CVE-2017-5715
- CVE-2017-5753
- CVE-2017-5754
NETGEAR is aware of two different speculative code execution security vulnerabilities, called Spectre and Meltdown (“Vulnerabilities”), in several vendors’ processors used in NETGEAR ReadyNAS and ReadyDATA products. These Vulnerabilities can only be exploited by someone who can upload and run malicious or compromised code on the product, which requires non-default privileges to be enabled.
NETGEAR does not believe that these Vulnerabilities represent a sufficient threat necessitating that you power down or remove your NETGEAR products from your network, but we do recommend that you follow the workaround procedures listed in the Workarounds section of this advisory.
NETGEAR plans to release well-tested firmware updates that fix or mitigate these Vulnerabilities for all products that are within the security support period. NETGEAR is currently testing and implementing a ReadyNAS firmware update.
NETGEAR has confirmed that the following products are vulnerable to an attack:
ReadyNAS
- RN12G
- RN12P
- RN12S
- RN12T
- RN202
- RN204
- RN212
- RN214
- RN3130
- RN3138
- RN3220
- RN422
- RN4220
- RN424
- RN426
- RN428
- RN524X
- RN526X
- RN528X
- RN626X
- RN628X
- RNDP6000-200
- RR2304
- RR2312
- RR3312
- RR4312X
- RR4360X
ReadyDATA
- RD5200
- RDD516
NETGEAR will update this advisory when more information is available.
Workarounds
NETGEAR recommends that you follow these workarounds until firmware updates are available for your product:
- Disable the Secure Socket Shell (SSH) protocol on your ReadyNAS or ReadyDATA products.
  SSH is disabled by default. For more information, see ReadyNAS OS 6: SSH access support and configuration guides or your product’s software manual.
- Only install and run applications from trusted, reputable sources on your ReadyNAS or ReadyDATA products.
Disclaimer
The Vulnerabilities remain if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.
Common Vulnerability Scoring System Vector
CVSS v3 Rating: Medium
CVSS v3 Score: 5.6
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Contact
We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.
It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.
To report a security vulnerability, visit http://www.netgear.com/about/security/.
If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com.
Revision History
2018-01-07: Published advisory
Last Updated: 01/07/2018 | Article ID: 000053240
Re: Security Advisory for Spectre and Meltdown on Some ReadyNAS and ReadyDATA systems
How come the RN31x series are unaffected by Meltdown and Spectre?
Re: Security Advisory for Spectre and Meltdown on Some ReadyNAS and ReadyDATA systems
@Laserbait wrote:
How come the RN31x series are unaffected by Meltdown and Spectre?
The RN314 uses an Atom D series processor (D2700). That is not on the list of affected CPUs per Intel's info here: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr