Netgear Security Advisory (Spectre and Meltdown) ReadyNAS and ReadyDATA Storage Systems and Some Connected Home Products – PSV-2018-0005

This security advisory addresses the following CVE vulnerabilities:

• CVE-2017-5715
• CVE-2017-5753
• CVE-2017-5754

NETGEAR is aware of two different speculative code execution security vulnerabilities called Spectre and Meltdown (“Vulnerabilities”), in several vendors’ processors used in NETGEAR ReadyNAS, ReadyDATA, and connected home products. These Vulnerabilities can only be exploited by someone who can upload and run malicious or compromised code on the product, which requires non-default privileges to be enabled on ReadyNAS and ReadyDATA products.

Connected home products include routers, gateways, mobile hotspots, and extenders. For connected home products, NETGEAR is not aware of a way to exploit the Vulnerabilities. We are still evaluating the impact of the Vulnerabilities with the help of our chipset suppliers. Owners of connected home products do not need to take any action right now.

NETGEAR does not believe that these Vulnerabilities represent a sufficient threat necessitating that you power down or remove your NETGEAR products from your network, but we do recommend that ReadyNAS and ReadyDATA owners follow the workaround procedures listed in the Workarounds section of this advisory.

NETGEAR plans to release well-tested firmware updates that fix or mitigate these Vulnerabilities for all products that are within the security support period. NETGEAR is currently testing and implementing a ReadyNAS firmware update.

NETGEAR has confirmed that the following products are vulnerable to an attack:




ReadyNAS

• RN12G
• RN12P
• RN12S
• RN12T
• RN202
• RN204
• RN212
• RN214
• RN3130
• RN3138
• RN3220
• RN422
• RN4220
• RN424
• RN426
• RN428
• RN524X
• RN526X
• RN528X
• RN626X
• RN628X
• RNDP6000-200
• RNRP4000
• RR2304
• RR2312
• RR3312
• RR4312X
• RR4360X

ReadyDATA

• RD5200
• RDD516

 

The following affected products are outside the security support period:

• RD5200
• RDD516
• RN12G
• RN12P
• RN12S
• RN12T
• RNDP6000
• RNRP4000

NETGEAR will update this advisory when more information is available.

 

Workarounds

NETGEAR recommends that you follow these workarounds for your ReadyNAS or ReadyDATA storage system until firmware updates are available for your product:

• Disable the Secure Socket Shell (SSH) protocol on your ReadyNAS or ReadyDATA products.
  SSH is disabled by default. For more information, see ReadyNAS OS 6: SSH access support and configuration guides or your product’s software manual.
• Only install and run applications from trusted, reputable sources on your ReadyNAS or ReadyDATA products.

Disclaimer

The Vulnerabilities remain if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.