Netgear recently issued 50 patches for its routers, switches, NAS devices, and wireless access points to resolve vulnerabilities ranging from remote code execution bugs to authentication bypass flaws.
Twenty of the patches address “high” vulnerability issues with the remaining 30 scored as “medium” security risks. Netgear posted advisories for the bugs to its website over the last two weeks.
Network security firm Beyond Security is credited by Netgear for discovering several of the vulnerabilities patched last week. One of the issues was a command injection vulnerability in the ReadyNAS Surveillance Application running on versions prior to 1.4.3-17 (x86) and 1.1.4-7 (ARM). A command injection attack can execute arbitrary commands on host operating systems via vulnerable applications that facilitate the passing of unsafe user supplied data (forms, cookies, HTTP headers) to a system shell.
“These are all vulnerabilities caused by what appears to be inadequate verification of user input, oversight on what should and should not require authentication, and improper mechanism of enforcing security on users accessing their product web interface,” Noam Rathaus, founder and CTO of Beyond Security said. “I believe much of Netgear products share the same codebase and same underlying code structure which is what causing many of their products to be vulnerable.”[…]
To read the original article: