On 8 February 2016 at 21:23, I wrote:
>
> On 27 January 2016 at 15:56, Benedikt Westermann
> <benedikt.westerm...@i-sec.tuv.com> wrote:
>
> > # Multiple Vulnerabilities - Netgear GS105Ev2
> [...]
> > Firmware version: 1.3.0.3,1.4.0.2
> [...]
> > Status: unfixed
>
> The Netgear website [1] shows that a new version of the firmware was
> released 2 days after your FD post - version 1.4.0.6.
>
> The release notes [2] for the new version don't refer to these
> security issues in any way (instead they mention three fairly
> minor-sounding bugs fixed). Have you had a chance to test the new
> version yet, and if so can you say whether - despite Netgear's stated
> stance of WONTFIX - any of the security issues you report here are
> fixed by it ?

JFTR, on 10th.Feb Benedikt replied to me off-list as follows:

> thank you for the info. I just checked it, nothing changed.
> All exploits still work like charm on 1.4.0.6 :-(

Thanks Benedikt.

Now that end hosts have been thoroughly analysed by vendors and
researchers alike, perhaps networking equipment is the new frontier
(cf: operating systems vs applications). The dire state of the quality
of the software embedded in comms hardware, for both home and business
use, is emerging from the fog to become the elephant in the room.

We seem to be caught between the rock of sheer incompetence and the
hard place of possible government agency influence (Juniper ...).

I wonder whether Netgear will be next (after Asus) to be slapped by
the US Federal Trade Commission for foisting badly conceived and
implemented CPE products on hapless and unsuspecting consumers ....

http://www.theregister.co.uk/2016/02/23/asus_router_flaws_settlement/

Cheers,
Nick Boyce

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/