RAIDar 4.3.3 uses exploitable version of Java

Public beta releases for RAIDar posted here.

Re: RAIDar 4.3.3 uses exploitable version of Java

Postby claykin » Tue Jan 03, 2012 8:49 pm

chirpa wrote:
claykin wrote: Netgear upgraded V4.3.4 to use Java 7, but they chose to use Java 7 update 0. Oracle is up to Java 7 update 2. Update 0 is prone to the exact same vulnerabilities as Java 6 update 26.
Notified the RAIDar maintainer.

You rock!

Re: RAIDar 4.3.3 uses exploitable version of Java

Postby zeph » Sat Feb 11, 2012 5:58 pm

It's been more than a month since the RAIDar maintainer was notified... any update on when the exploitable version of Java will be replaced by the latest secure version?

Re: RAIDar 4.3.3 uses exploitable version of Java

Postby claykin » Fri Feb 17, 2012 8:03 pm

Seems to be low priority for Netgear. Sad.

To work around:

1) Go to c:\Program Files\NETGEAR ReadyNAS\jre\bin. Cut the contents of the folder. Paste them into a new directory called bin_old.
2) Go to c:\Program Files\Java\jre7\bin. Copy the contents of the folder.
3) Go to c:\Program Files\NETGEAR ReadyNAS\jre\bin. Paste the contents.

You'll have the latest Java 7 provided you have already upgraded your Java 7 to latest version.
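The swap described in the post above, written out as a PowerShell script with the checks a practitioner would want around it: it records the bundled and system JRE versions before and after, lists which files differ between the two bin folders (the mismatch zeph runs into further down), and keeps the bin_old backup. This is an added example, not something from the thread or from Netgear; the paths are the ones the post gives (substitute "Program Files (x86)" on 64-bit Windows) and it is assumed to run from an elevated prompt.

```powershell
# Added example: apply the RAIDar JRE-swap workaround with a backup and a
# before/after version check. Paths are those quoted in the thread (assumption:
# use "Program Files (x86)" on 64-bit Windows). Run from an elevated prompt.
$raidarBin = 'C:\Program Files\NETGEAR ReadyNAS\jre\bin'
$systemBin = 'C:\Program Files\Java\jre7\bin'
$backupBin = 'C:\Program Files\NETGEAR ReadyNAS\jre\bin_old'

function Get-JreVersion([string]$bin) {
    # "java -version" prints to stderr, so merge the streams before matching.
    $java = Join-Path $bin 'java.exe'
    if (-not (Test-Path $java)) { return 'missing' }
    $out = (& $java -version 2>&1 | ForEach-Object { $_.ToString() }) -join "`n"
    if ($out -match 'version "([^"]+)"') { return $Matches[1] }
    return 'unknown'
}

Write-Host "Bundled JRE before: $(Get-JreVersion $raidarBin)"
Write-Host "System JRE:         $(Get-JreVersion $systemBin)"

# The two bin folders do not necessarily hold the same files; show the
# differences before touching anything so the copy holds no surprises.
$bundled = @(Get-ChildItem -Path $raidarBin -Recurse -File |
             ForEach-Object { $_.FullName.Substring($raidarBin.Length) })
$system  = @(Get-ChildItem -Path $systemBin -Recurse -File |
             ForEach-Object { $_.FullName.Substring($systemBin.Length) })
if ($bundled.Count -gt 0 -and $system.Count -gt 0) {
    Compare-Object -ReferenceObject $bundled -DifferenceObject $system |
        ForEach-Object {
            $side = if ($_.SideIndicator -eq '<=') { 'only in bundled' } else { 'only in system ' }
            Write-Host "$side : $($_.InputObject)"
        }
}

# Step 1: move the bundled bin contents aside into bin_old.
New-Item -ItemType Directory -Path $backupBin -Force | Out-Null
Get-ChildItem -Path $raidarBin | Move-Item -Destination $backupBin -Force

# Steps 2-3: copy the system JRE's bin contents into RAIDar's jre\bin.
Copy-Item -Path (Join-Path $systemBin '*') -Destination $raidarBin -Recurse -Force

Write-Host "Bundled JRE after:  $(Get-JreVersion $raidarBin)"
```

If the "only in bundled" list is not empty, RAIDar may depend on files the system JRE does not ship, so keep bin_old until RAIDar has been confirmed to start and discover the NAS.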

Re: RAIDar 4.3.3 uses exploitable version of Java

Postby zeph » Sat Feb 18, 2012 12:06 am

claykin,

Thanks for the info.

I agree ... it is sad that Netgear has not upgraded RAIDar to a newer and (more importantly) less exploitable version of Java.

I'm running W7 64-bit, so I translated the folder names in your post to c:\Program Files (x86)\...

Unfortunately, on my PC (Java Version 6 Update 31) the contents of c:\Program Files (x86)\NETGEAR ReadyNAS\jre\bin are not quite the same as the contents of c:\Program Files (x86)\Java\jre7\bin ... so I'll hold off on your suggested workaround and hope that in the near future Netgear releases a new version of RAIDar that contains a newer (and less exploitable) version of Java.

I wonder why Netgear even includes Java files in their release of RAIDar ... why not just require the end user to have Java installed and let RAIDar use the version of Java found in c:\Program Files on the user's computer. In that way, the end user could take responsibility for keeping Java up to date and not worry about having a down-level version of Java embedded within RAIDar's folders.

Re: RAIDar 4.3.3 uses exploitable version of Java

Postby claykin » Sat Feb 18, 2012 8:28 pm

Netgear is using JRE7.x for RAIDar. You may be able to substitute JRE6.x into the Program Files (x86)\NETGEAR ReadyNAS\jre\bin folder.

I believe Netgear includes Java due to there being so many versions of the Java JRE and many users not being up to date. Plus, sometimes Oracle will "upgrade" features and at the same time break things that were working for Java apps. This way, if Netgear looks in their own jre directory, they have a higher likelihood of the app running successfully.

Personally, I say re-write RAIDar not using Java.

Re: RAIDar 4.3.3 uses exploitable version of Java

Postby chirpa » Tue Sep 04, 2012 11:31 am

claykin wrote: Personally, I say re-write RAIDar not using Java.
I've been fighting for that for years, haven't seen any movement in that (right) direction yet :(

With the latest 0-day JRE exploits, I'd be even more concerned with it bundling the old versions still. It needs to be decoupled from a bundled version, using a system-wide JRE, or download on demand. Painful too when the Windows RAIDar is 20MB, but Mac version is 500KB heh.

Re: RAIDar 4.3.3 uses exploitable version of Java

Postby chirpa » Wed Oct 03, 2012 2:40 pm

Qui-Gon Jinn, when are you going to address these long outstanding issues?

Re: RAIDar 4.3.3 uses exploitable version of Java

Postby chirpa » Wed Oct 17, 2012 12:25 am

Another week, another JRE exploit that requires updating.

Any plans to remove JRE from the RAIDar bundle so an old problematic JRE isn't loaded on peoples systems?

http://www.oracle.com/technetwork/topic ... 15924.html
http://www.oracle.com/technetwork/java/ ... 63279.html

Re: RAIDar 4.3.3 uses exploitable version of Java

Postby chirpa » Wed Oct 31, 2012 5:57 pm


Re: RAIDar 4.3.3 uses exploitable version of Java

Postby IanSav » Thu Nov 01, 2012 8:36 pm

Hi Chirpa,

Can we ask (beg) you to come out of retirement so that you can get back into Netgear and kick some a** (butt). Netgear has completely dropped the ball with the NAS product line. There is so much outstanding to be completed and fixed yet nothing is happening in reasonable time frames.

Do you have any access to Netgear management to offer a swift boot to an appropriate region to prompt for some action for all us users?

Regards,
Ian.

Re: RAIDar 4.3.3 uses exploitable version of Java

Postby chirpa » Thu Nov 01, 2012 8:39 pm

I tried to kick some butt while I was there, sadly it did not go anywhere, which was part of the reason I decided to leave.

Re: RAIDar 4.3.3 uses exploitable version of Java

Postby IanSav » Thu Nov 01, 2012 8:45 pm

Hi Chirpa,

That is so sad to hear. Given the tight team that the Jedis used to be, then perhaps this may also explain Yoh-dah's departure as well. This must be so painful for you guys. All the good will you guys worked so hard to build up being thrown away so readily. :(

Doesn't Netgear see that they are killing the reason why so many of us came to Netgear (from Infrant)? This is such a shame. :(

Thank you for keeping us informed.

Regards,
Ian.

Re: RAIDar 4.3.3 uses exploitable version of Java

Postby chirpa » Thu Nov 01, 2012 8:48 pm

Yoh-dah was what kept me around near the end. When he departed, I decided it was my time as well.

Re: RAIDar 4.3.3 uses exploitable version of Java

Postby Campus » Mon Nov 19, 2012 4:36 am

Where is the point in updating the Raidar JRE? It's only executed inside the Raidar process which does not load any external code which could attack the local system. AFAIK these security updates therefore are irrelevant for Raidar.

Re: RAIDar 4.3.3 uses exploitable version of Java

Postby chirpa » Mon Nov 19, 2012 7:40 am

Besides the attack vector, some agencies have strict policies on software. If there are known security holes, they cannot install/operate that software. So as long as NTGR is okay with people being unable to use RAIDar, this can continue.

The issue goes beyond just out of date JRE. NTGR is not showing any signs of caring about the quality of software it releases.