back to article This Netgear SOHO switch has 15 – count 'em! – vulns, which means you need to upgrade the firmware... now

Netgear has released a swathe of security and firmware updates for its JGS516PE Ethernet switch after researchers from NCC Group discovered 15 vulnerabilities in the device – including an unauthenticated remote code execution flaw. The switch is vulnerable to nine high-severity vulns and a further five medium-rated ones, said …

  1. Mike 137 Silver badge

    This is not "consumer" kit

    Netgear used to produce excellent kit. Then we saw a split between commercial and consumer ranges, with the commercial stuff much less prone to bugs. Now that seems to have changed again, as this device is definitely aimed at the business market but obviously can't be trusted at all.

    1. Smirnov

      Re: This is not "consumer" kit

      "Netgear used to produce excellent kit."

      That's not my experience.

      Netgear's business oriented Prosafe product line may be more reliable than it's consumer products but that's not really saying anything. Stability issues (kit becoming flakey after some time of use) is quite common, depending on which of the various HW revisions of each model you get). Routers/firewalls are also underpowered for what they'd need, and the software is buggy as hell.

      And this has been so for the last 20 years. The only positive I can say is that they replace failed kit within the warranty period without much fuss.

      I'm not sure where people get the idea that Netgear was a good brand because it has always been only marginally better than pure crap such as D-Link.

      1. Anonymous Coward
        Anonymous Coward

        Re: This is not "consumer" kit

        Prosafe product line may be more reliable

        For very low values of "more": Many never fixed bugs, official updates that bricked your gear, unresponsive support, and all that. I have bought and used Prosafes for years, but I definitely won't buy anything else from them anymore. How can you trust a buggy firewall?

  2. Dvon of Edzore

    Who else is affected?

    Firmware for such devices is often shared among multiple related products, including those from other vendors, because chipset makers generally provide reference designs and code libraries for the purchasers to brand with their product logos and other user interface customizations. This was seen last year when a broad swath of Netgear home routers were found vulnerable to a common set of vulnerabilities, as cited in the story.

    Searching the CVE database for the similar JGS524PE, one finds four 2020 vulnerabilities shared by the JGS516PE, JGS524PE, JGS524Ev2, and GS116Ev2. Someone having any of these four sibling devices should press Netgear for answers.

  3. heyrick Silver badge

    Hmm, let's see

    Good company that made good products hijacked by bean counters that wanted to push costs down to maximise shareholder profit?

    Something along those lines?

  4. Jean Le PHARMACIEN

    Press vendor for answers...

    Good luck with that.

    Keeping on top of vulns costs money and Netgear seemingly won't spend.

    I used to have several of these models but sold them due to lack of confidence in updates (i.e. none)

    Problem is, whom/which manufacturers who produce good kit can you trust (at a consumer/"pro-sumer" level)?

    1. new4u

      Re: Press vendor for answers...

      I am happy with Draytek equipment - really reactive support, and as far as I understand generally safe products plus relatively good firmware maintenance. Also quick reaction in case there is a general issue - like KRACK.

      1. Jean Le PHARMACIEN

        Re: Press vendor for answers...

        I've had Draytek AP 900s/902s which were good but I lacked the network management appliance (forget the model) so managing via http over a private VPN from 700 miles awsy was a pain...

        Support was good when sn AP902 decided to curl up its 5ghz output - never did get it fixed - just dead even after multiple tftp firmware flashes

        Using Unifi now - mainly because management at distance has been easier, UNC can be on your own hardware and I could run UVC cameras at same location on same hardware (yes. I know, Unifi Protect has complicated this)

        1. Roland6 Silver badge

          Re: Press vendor for answers...

          >I've had Draytek AP 900s/902s which were good but I lacked the network management appliance (forget the model) so managing via http over a private VPN from 700 miles awsy was a pain...

          One of the irritations I have with Draytek is that only their cloud-based ACS (££) gives access to the AP's full parameter set. The AP management on their appliances (39xx, 28xx) only permits basic configuration which isn't really enough for any half reasonable deployments.

          At least for the AP910 (and some of their other appliances) the configuration file is a simple .tgz text file - just need to use the right tools to edit, best to do on Unix/Linux. So it is relatively simple to set up a standard configuration and ship it out.

    2. Smirnov

      Re: Press vendor for answers...

      "Problem is, whom/which manufacturers who produce good kit can you trust (at a consumer/"pro-sumer" level)?"

      There are several alternatives, such as HPE/Aruba (for switches) or Ubiquiti (WiFi, routers, switches).

      For business class WAN routers/firewalls there's also Lancom (a German company that's been around for nearly three decades), which also happens to be the only manufacturer which offers a legally binding no-backdoor guarantee for all its products.

  5. Michael Hoffmann
    Meh

    No, please don't fix anything, Netgear!

    I've been using an undocumented, unauthenticated endpoint for monitoring internals of some Netgear devices for years now. First time I found it, I facepalmed so hard I almost knocked out my own teeth, but then went "oh hey, this is convenient, just gotta keep it far, far away from the Internet".

    (yes, I'm being facetious, but it's still true: it's treasure trove of info in there, so I thought I'd make use of it for my own devices)

    1. St33v
      Thumb Up

      Re: No, please don't fix anything, Netgear!

      Do you mean: copy the url from the pop-up stats window and then curl FTW?

      1. Down not across Silver badge

        Re: No, please don't fix anything, Netgear!

        I used to do that with the old Ambit DOCSIS modem VM were dishing out to collect stats. Never got around doing that on the crappy SH3.

      2. Michael Hoffmann

        Re: No, please don't fix anything, Netgear!

        Yeah, I was wiresharking (none of it is https, natch), watching my username and password in the clear and dug in, and finding most of the info is *still* there even when not authenticated (username, for example, thought the password is masked).

  6. St33v
    Trollface

    Blessed be the Cheesemakers.

    As an associate of the dairy sector*, I'm offended by your hackneyed, lazy and problematic association of Swiss Cheese with poor quality. Please use a cross section of emphysematous tissue to decorate such articles from now on.

    * I Live next to dairy farmers and am constantly amazed by their work rate.

    1. Michael Wojcik Silver badge

      Re: Blessed be the Cheesemakers.

      Agreed. I don't believe I've ever been let down by Swiss cheese, which is more than I can say for, well, anything in IT.

  7. Anonymous South African Coward Silver badge
    Unhappy

    So... who've got an untrusted Exchange server and this switch on their LAN?

    Going to be a very interesting time for that poor sod.

  8. Tessier-Ashpool

    Updates

    Say what you like about BT, but my rock-solid BT Home Hub router gets updated by BT regularly and automatically.

    1. Smirnov

      Re: Updates

      "Say what you like about BT, but my rock-solid BT Home Hub router gets updated by BT regularly and automatically."

      Which says nothing about its security.

      ISPs normally update CPEs (i.e., home routers like yours) only if there's a bug affecting the ISPs network or creating an undue number of support calls. Security updates are generally at the bottom of the priorities list, if it's even on it.

      Besides, that TR069 interface BT uses to manage your home hub presents a security challenge of its own and has in the past been part of several widespread hacks of consumer routers.

      1. Tessier-Ashpool

        Re: Updates

        "ISPs normally update CPEs (i.e., home routers like yours) only if there's a bug affecting the ISPs network or creating an undue number of support calls. Security updates are generally at the bottom of the priorities list, if it's even on it."

        Evidence, please. You are massively generalising by saying "ISPs normally".

        Perhaps someone from BT would care to respond, if they happen to be watching this thread.

    2. gerdesj Silver badge
      Childcatcher

      Re: Updates

      I will say what I like about BT but this is an article about a piece of Netgear kit.

  9. fidodogbreath Silver badge

    "Up to date" in finger quotes

    "Up to date" for consumer / SOHO routers just means "the latest thing the vendor bothered to release." Many of these vendors use ancient (as in 10+ years old) libraries as part of their so-called current firmware. Link is about a TP-Link Archer because it was a good write-up, but Netgear has been shown to use similarly antique Linux bits.

    1. Michael Wojcik Silver badge

      Re: "Up to date" in finger quotes

      Yeah. These things are commodities now, margins are razor-thin, and software is easy to skimp on.

      I think the open-source firmware projects are the only way to go now. Pity it's such a pain figuring out what product to actually purchase in order to have a decent chance of getting something running, since the hardware vendors change what's in the box so often.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021