NETGEAR is aware of a security issue that can allow an attacker to use Cross-Site Request Forgery (CSRF) to gain administrator privileges and execute commands on a ReadyNAS Surveillance system. The attacker can potentially gain control of the system. This vulnerability can only be exploited from within the local area network (LAN).
This vulnerability affects the following applications:
- ReadyNAS Surveillance 1.4.3-15 or earlier (x86)
- ReadyNAS Surveillance 1.1.4-5 or earlier (ARM)
New releases of the ReadyNAS Surveillance app, version 1.4.3-16 (x86) and version 1.1.4-6 (ARM), fix this vulnerability. NETGEAR recommends that all users upgrade to the latest version of the ReadyNAS Surveillance app as soon as possible. To install or upgrade to the latest release, visit apps.readynas.com.
To reduce your chances of being affected by CSRF exploits, including the ReadyNAS Surveillance CSRF remote code execution vulnerability, follow the web security recommendations in the knowledge base article "How can I reduce my risk of exposure to CSRF exploits?"
The potential for CSRF remote code execution remains if you do not update the ReadyNAS Surveillance app. NETGEAR is not responsible for any consequences that could have been avoided by updating your ReadyNAS Surveillance app as recommended in this notification.
This vulnerability was reported to NETGEAR by Kacper Szurek (https://security.szurek.pl/).
We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being proactive rather than reactive to emerging security issues is fundamental for product support at NETGEAR.
It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those who use NETGEAR products for their connectivity.
To report a security vulnerability, visit https://bugcrowd.com/netgear.
If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com.
For all other issues, visit http://www.netgear.com/about/security/.
Last Updated: 09/19/2017
Article ID: 000038435