Associated CVE IDs: None.
NETGEAR is aware of a security vulnerability that can allow an authenticated attacker on the local area network to perform operating system (OS) command injection on a ReadyNAS OS 6 storage system. This vulnerability can only be exploited by an attacker with access to the ReadyNAS storage system’s administrator credentials.
This vulnerability affects the following products:
- All ReadyNAS OS 6 storage systems running ReadyNAS OS 6.6.1 or earlier
NETGEAR fixed this OS command injection vulnerability for all affected products in ReadyNAS OS version 6.6.2. NETGEAR strongly recommends that all affected users download the latest version of ReadyNAS OS 6 as soon as possible. For instructions, see ReadyNAS OS 6: Updating Firmware.
If you already upgraded to ReadyNAS OS 6.6.2 or later, your ReadyNAS storage system is protected from this OS command injection vulnerability and you do not need to take any action.
Disclaimer
The potential for OS command injection remains if you do not update to ReadyNAS OS 6.6.2 or later. NETGEAR is not responsible for any consequences that could have been avoided by updating your firmware as recommended in this notification.
Acknowledgements
None
Common Vulnerability Scoring System
CVSS v3 Rating: Medium
CVSS v3 Score: 6.7
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Contact
We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being proactive rather than reactive to emerging security issues is fundamental for product support at NETGEAR.
It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.
To report a security vulnerability, visit http://www.netgear.com/about/security/.
If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com.
Revision History
6/10/2017 Updated to new template
12/7/2017 Published article
Last Updated: 10/06/2017
Article ID: 000044333