On 27 January 2016 at 15:56, Benedikt Westermann <benedikt.westerm...@i-sec.tuv.com> wrote:
> # Multiple Vulnerabilities - Netgear GS105Ev2 [...] > Firmware version: 1.3.0.3,1.4.0.2 [...] > Status: unfixed > CVSS v2 Vector: (AV:A/AC:L/Au:N/C:C/I:C/A:C) > CVSS Score: 8.3 > CVE-ID: n/A > > The highest risk is represented by the authentication bypass. > This is reflected by the score. > > ## Author/Credits > Benedikt Westermann (TÜV Rheinland i-sec GmbH) [...] > ## History > > 10.08.2015 - Initial contact to Netgear via support chat > 10.08.2015 - Set preliminary disclosure date > 11.08.2015 - Netgear Support confirms findings > 01.09.2015 - Netgear Support informs that currently no immediate plans exist > to fix the issues > 27.01.2016 - Public disclosure Hi Benedikt, The Netgear website [1] shows that a new version of the firmware was released 2 days after your FD post - version 1.4.0.6. The release notes [2] for the new version don't refer to these security issues in any way (instead they mention three fairly minor-sounding bugs fixed). Have you had a chance to test the new version yet, and if so can you say whether - despite Netgear's stated stance of WONTFIX - any of the security issues you report here are fixed by it ? [1] http://downloadcenter.netgear.com/de/product/GS105Ev2 [2] http://kb.netgear.com/app/answers/detail/a_id/30259 [ I was thinking about buying one of these ProSafe Plus switches, but perhaps won't if their support attitude is so poor :-) ] Thanks, Nick Boyce _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
