lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CACqxkWJtLH0bSseS9f+pq7QS_bn0WXk7Ex1gU-TVkX1yyo2Keg@mail.gmail.com>
Date: Fri, 4 Mar 2016 16:21:57 +0000
From: Nick Boyce <nick.boyce@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] Netgear GS105Ev2 - Multiple Vulnerabilities

On 8 February 2016 at 21:23, I wrote:
>
> On 27 January 2016 at 15:56, Benedikt Westermann
> <benedikt.westermann@...ec.tuv.com> wrote:
>
> > # Multiple Vulnerabilities - Netgear GS105Ev2
> [...]
> > Firmware version: 1.3.0.3,1.4.0.2
> [...]
> > Status: unfixed
>
> The Netgear website [1] shows that a new version of the firmware was
> released 2 days after your FD post - version 1.4.0.6.
>
> The release notes [2] for the new version don't refer to these
> security issues in any way (instead they mention three fairly
> minor-sounding bugs fixed).  Have you had a chance to test the new
> version yet, and if so can you say whether - despite Netgear's stated
> stance of WONTFIX - any of the security issues you report here are
> fixed by it ?

JFTR, on 10th.Feb Benedikt replied to me off-list as follows:

> thank you for the info. I just checked it, nothing changed.
> All exploits still work like charm on 1.4.0.6  :-(

Thanks Benedikt.

Now that end hosts have been thoroughly analysed by vendors and
researchers alike, perhaps networking equipment is the new frontier
(cf: operating systems vs applications).  The dire state of the
quality of the software embedded in comms hardware, for both home and
business use, is emerging from the fog to become the elephant in the
room.  We seem to be caught between the rock of sheer incompetence and
the hard place of possible government agency influence (Juniper ...).

I wonder whether Netgear will be next (after Asus) to be slapped by
the US Federal Trade Commission for foisting badly conceived and
implemented CPE products on hapless and unsuspecting consumers ....

http://www.theregister.co.uk/2016/02/23/asus_router_flaws_settlement/

Cheers,
Nick Boyce

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ