NETGEAR is aware of the security issue that allows unauthenticated web pages to pass form input directly to the command-line interface. A remote attacker can potentially inject arbitrary commands which are then executed by the system.
This is a software vulnerability that affects only certain NETGEAR devices:
- WN604 Wireless N-150 Access Point
- WN802Tv2 Wireless-N Access Point
- WNAP210v2 ProSAFE Wireless-N Access Point
- WNAP320 ProSAFE Wireless-N Access Point
- WNDAP350 ProSAFE Dual Band Wireless-N Access Point
- WNDAP360 ProSAFE Dual Band Wireless-N Access Point
- WNDAP660 ProSAFE Dual Band Wireless-N Access Point
NETGEAR strongly recommends updating the firmware on your device with the latest version to prevent the issue.
You can download the latest firmware version using the following links:
The versions listed in the table address the vulnerability issues and contain measures to prevent command line injection. Using command line injection, an attacker is allowed to run commands on the device without knowing the username and password. The potential for command line injection remains if operating a version lower than those listed on the table and not updating the firmware. NETGEAR is not responsible for any consequences that could have been avoided by upgrading the firmware as stated in this notification.
We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.
It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.
To report a security vulnerability, visit https://bugcrowd.com/netgear.
If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com.
For all other issues, visit http://www.netgear.com/about/security/.
The security@netgear.com email address is no longer accepting messages and is no longer actively monitored.
Last Updated:01/06/2017
|
Article ID: 30480