SoylentNews is people

posted by Fnord666 on Friday July 31 2020, @08:26PM
from the bad-vendor-no-cookie dept.

If you own one of these 45 Netgear devices, replace it: Kit maker won't patch vulnerable gear despite live proof-of-concept code:

Netgear has quietly decided not to patch more than 40 home routers to plug a remote code execution vulnerability – despite security researchers having published proof-of-concept exploit code.

The vuln was revealed publicly in June by Trend Micro's Zero Day Initiative (ZDI) following six months spent chivvying Netgear behind the scenes to take it seriously.

Keen-eyed Reg readers, however, noticed that Netgear quietly declared 45 of the affected products as "outside the security support period" – meaning those items won't be updated to protect them against the vuln.

America's Carnegie-Mellon University summarised the vuln in a note from its Software Engineering Institute: "Multiple Netgear devices contain a stack buffer overflow in the httpd web server's handling of upgrade_check.cgi, which may allow for unauthenticated remote code execution with root privileges."

[...] With today's revelation that 45 largely consumer and SME-grade items will never be patched, Netgear faces questions over its commitment to older product lines. Such questions have begun to be addressed in Britain by calls from government agencies for new laws forcing manufacturers to reveal devices' design lifespans at the point of purchase.

Brian Gorenc, Trend Micro's senior director of vulnerability research and head of ZDI, told The Register in a statement: "Consumers should always ensure their devices are still supported by their manufacturers. They should also check the available support before purchasing a device. Unfortunately, there are too many examples of vendors abandoning devices that are still in wide use – sometimes even when they are still available to purchase. We hope vendors clearly communicate their support and lifecycle policies so that consumers can make educated choices."


  • (Score: 4, Interesting) by Mojibake Tengu on Friday July 31 2020, @10:36PM (1 child)


    What would Huawei do?
    Never mind, that's a rhetorical question.

    Well, actually I have at least 5 Netgear switches (24, 8, 5 ports) in my household, mainly because they support CAT6 and jumbo frames, which is a good thing for my servers.
    But since I always expect either backdoors or exploits in all consumer or enterprise products, I never buy managed routers of any brand.
    Gateways and firewalls are something everyone should build on their own.
    Bridging a modem and putting your own firewall behind it is the best of possible. The same with separate wifi APs.
    With network, every money saved on gear means pain. All-in-one consumer devices are the worst, all-in-one enterprise devices catch them up in evility.

    --
    The edge of 太玄 cannot be defined, for it is beyond every aspect of design
  • (Score: 2, Interesting) by Anonymous Coward on Friday July 31 2020, @11:04PM


    Gateways and firewalls are something everyone should build on their own.
    Bridging a modem and putting your own firewall behind it is the best of possible. The same with separate wifi APs.

    Agreed. However, I will plug Netgate here. For $179 they have a pretty darn decent set of hardware, and the whole thing runs on pfSense. So if you like BSD-based firewalls using PF, they're something you should look at.

    IIRC, they only concentrate on the router/firewall part of it. I have 4 different wireless networks VLAN'd through a single OPT port using a Ubiquiti access point that allows creating multiple SSIDs and networks using VLANs.

    The modem is in bridge mode with public hotspots turned off, and the router/firewall is separate from the access point. You compromise the modem and you're still in front of the router/firewall anyways.

    --Ed 791