No patches for code exec holes in Netgear management box

Two dangerous un-patched remote code execution vulnerabilities that allow access to God-mode system privileges have been reported in Netgear's ProSafe Network Management 300 management software. The file upload vulnerability (CVE-2016-1524) and restricted directory traversal (CVE-2016-1525) allow unauthenticated attackers to …
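The two bug classes named above (an unauthenticated file upload and a directory traversal) share a root cause: a client-supplied file name is used to build a path on the server without being confined to the intended directory. The following is an added illustration written for this page; it is not Netgear's code or the researchers' finding, and the upload root `/var/app/uploads`, the allowed extensions and the sample file names are all assumptions. It shows the naive join beside a checked version that a defender would want in an upload handler.

```python
import os

# Constructed values for the example; not Netgear's paths or settings.
UPLOAD_ROOT = "/var/app/uploads"
ALLOWED_EXTENSIONS = {".cfg", ".txt"}


def vulnerable_upload_path(base_dir, user_filename):
    """The defect class in the article: the client-supplied name is joined
    straight onto the upload directory, so '../' segments walk out of it."""
    return os.path.normpath(os.path.join(base_dir, user_filename))


def is_within_root(base_dir, candidate):
    """True only if candidate, after normalisation, lies inside base_dir.
    commonpath (not startswith) is used so that '/srv/uploads2' is not
    mistaken for a child of '/srv/uploads'."""
    root = os.path.abspath(base_dir)
    path = os.path.abspath(candidate)
    return os.path.commonpath([root, path]) == root


def safe_upload_path(base_dir, user_filename):
    """Accept only a bare file name with an allow-listed extension, then
    re-check containment as defence in depth. Raises ValueError on rejection."""
    if "\0" in user_filename:
        raise ValueError("NUL byte in filename")
    # Reject both separator styles: the server may normalise backslashes later.
    if "/" in user_filename or "\\" in user_filename:
        raise ValueError("directory separators are not allowed")
    # Covers '', '.', '..' and dot-files in one test.
    if user_filename == "" or user_filename.startswith("."):
        raise ValueError("empty, dot-only or hidden filename")
    _, ext = os.path.splitext(user_filename)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed: %r" % ext)
    candidate = os.path.join(base_dir, user_filename)
    if not is_within_root(base_dir, candidate):
        raise ValueError("path escapes upload root")
    return os.path.abspath(candidate)


def classify(base_dir, user_filename):
    """Convenience wrapper returning ('ok', path) or ('rejected', reason)."""
    try:
        return ("ok", safe_upload_path(base_dir, user_filename))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed sample names: one legitimate, three that should be refused.
    for name in ("device.cfg", "../../etc/cron.d/job", "update.jsp", "..\\boot.ini"):
        print("naive  :", vulnerable_upload_path(UPLOAD_ROOT, name))
        print("checked:", classify(UPLOAD_ROOT, name))
```

The containment check uses `os.path.abspath`, which normalises `..` segments but does not resolve symbolic links; if anything under the upload root can be a symlink, replace it with `os.path.realpath` on both sides so the comparison is made on the resolved locations.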

  1. Notas Badoff

    Tick-tock

    Ah, found here, the most important thing to me: "Date Notified: 04 Dec 2015". No mention of the problem or the 'mitigation' from the vendor after 2 months?

    Anybody know of a site where vendors are rated by response time?

    1. allthecoolshortnamesweretaken

      Re: Tick-tock

      "Anybody know of a site where vendors are rated by response time?"

      Domino's?

  2. Anonymous Coward
    Mushroom

    An intuitive web-based user interface?

    Is it wise using a web server/client browser to control a security device? This being a big selling point, everything has to be browser based, perish the thought someone would have to read the RFC. Now where do I click to control my fusion reactor, whoops, error in java applet, meltdown in twenty seconds ...

    "NMS300 Software Release 1.5.0.11"

    http://kb.netgear.com/app/answers/detail/a_id/30208

    1. A Non e-mouse Silver badge

      Re: An intuitive web-based user interface?

      Is it wise using a web server/client browser to control a security device?

      If the embedded web server software is designed and written correctly, then there's no problem.

      If you don't use a browser, you'll be using some kind of app to do the same thing, which, really, isn't that much different in terms of security.

      The only way to completely avoid this is to physically connect to the device (e.g. serial port). But that has proven to be consumer-unfriendly.

      1. Anonymous Coward

        Re: An intuitive web-based user interface?

        No, the whole web stack is pathetically insecure by design, with a lot of attempts to bolt security on it. It was designed for hyperlinked documents, not secure applications. And it was extended by companies with more interest in reaching more users at any price, than in a well designed, secure framework. Especially since it doesn't transfer data only, but also the client application code - and, like in this case, is also far easier to mess with the server application code due to the very generic nature of the web servers used, which usually have an attack surface far larger than needed.

        The frequent use of cheap libraries (and sometimes older versions as well) to code this kind of application doesn't help either.

        After all, that's the Unix philosophy - get an existing wrong tool, a hammer, and try to shape it to do something else - badly. Never implement something better and well designed.

        1. CAPS LOCK

          "After all that's the Unix philosophy"

          Low quality trolling - must try harder. 0/10.

          1. Fatman
            Joke

            Re: "After all that's the Unix philosophy"

            "Low quality trolling - must try harder. 0 -10/10."

            FTFY!!
