Re: Netgear GS105Ev2 - Multiple Vulnerabilities

[Nick Boyce <nick.boyce () gmail com>]

On 8 February 2016 at 21:23, I wrote:
> On 27 January 2016 at 15:56, Benedikt Westermann
> <benedikt.westermann () i-sec tuv com> wrote:
>
> > # Multiple Vulnerabilities - Netgear GS105Ev2
> [...]
> > Firmware version: 1.3.0.3,1.4.0.2
> [...]
> > Status: unfixed
>
> The Netgear website [1] shows that a new version of the firmware was
> released 2 days after your FD post - version 1.4.0.6.
>
> The release notes [2] for the new version don't refer to these
> security issues in any way (instead they mention three fairly
> minor-sounding bugs fixed).  Have you had a chance to test the new
> version yet, and if so can you say whether - despite Netgear's stated
> stance of WONTFIX - any of the security issues you report here are
> fixed by it ?

JFTR, on 10th.Feb Benedikt replied to me off-list as follows:

> thank you for the info. I just checked it, nothing changed.
> All exploits still work like charm on 1.4.0.6  :-(

Thanks Benedikt.

Now that end hosts have been thoroughly analysed by vendors and
researchers alike, perhaps networking equipment is the new frontier
(cf: operating systems vs applications).  The dire state of the
quality of the software embedded in comms hardware, for both home and
business use, is emerging from the fog to become the elephant in the
room.  We seem to be caught between the rock of sheer incompetence and
the hard place of possible government agency influence (Juniper ...).

I wonder whether Netgear will be next (after Asus) to be slapped by
the US Federal Trade Commission for foisting badly conceived and
implemented CPE products on hapless and unsuspecting consumers ....

http://www.theregister.co.uk/2016/02/23/asus_router_flaws_settlement/

Cheers,
Nick Boyce

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/