Have passed on all relevant info to engineering for their comments. Certainly, we will update the GPL module if any issues or vulnerabilities are found.
IMO good practice is to prevent such things by keeping packages up to date, not to correct them after consumers’ reports (please do not take any offence, I just want to help NETGEAR). Please pass on to engineering more concrete info regarding issues and vulnerabilities (BTW the same problems exist in firmware for other NETGEAR routers):
Bugs and vulnerabilities (all except “1” are fixed in my build):
1. /usr/sbin/miniupnpd:
A modified (?) version 1.0 (2007, ten years old) is used. Potential vulnerability:
https://www.rapid7.com/db/modules/exploit/linux/upnp/miniupnpd_soap_bof
2. /etc/init.d/detcable:
“killall /usr/bin/detcable” should be changed to “killall detcable”.
3. /etc/init.d/powerctl:
Code:
echo "1400000" > /sys/devices/system/cpu/cpu0/cpufreq/scaling_setspeed
echo "1400000" > /sys/devices/system/cpu/cpu1/cpufreq/scaling_setspeed
should be changed to:
Code:
echo "1725000" > /sys/devices/system/cpu/cpu0/cpufreq/scaling_setspeed
echo "1725000" > /sys/devices/system/cpu/cpu1/cpufreq/scaling_setspeed
(IPQ8065 CPU frequency is 1.7, not 1.4)
4. /etc/init.d/samba and /usr/config:
The files “lowcase.dat upcase.dat valid.dat” are missing from /usr/config; they should also be copied to the generated samba directory (/etc/samba == /tmp/samba) by the /etc/init.d/samba init file.
5. /usr/sbin/wget_netgear:
This script tries to run /usr/bin/wget. There is no wget file in /usr/bin; it is in /usr/sbin. So this script does not work.
6. /bin/fbwifi:
Compiled with OpenSSL 0.9.8, i.e. it depends on libssl.so.0.9.8 and libcrypto.so.0.9.8. At the same time there are no such libraries in the firmware, because OpenSSL 1.0.2h is used. I.e. the program is not workable in the stock firmware.
7. The same OpenSSL 1.0.2h (May 2016) is used in the firmware: the current version is 1.0.2k, with several bug/security fixes since 1.0.2h (vulnerabilities):
(CVE-2016-6304)
(CVE-2016-2183)
(CVE-2016-6303)
(CVE-2016-6302)
(CVE-2016-2182)
(CVE-2016-2180)
(CVE-2016-2177)
(CVE-2016-2178)
(CVE-2016-2179)
(CVE-2016-2181)
(CVE-2016-6306)
(CVE-2016-7052)
(CVE-2016-7055)
(CVE-2017-3732)
(CVE-2017-3731)
https://www.openssl.org/news/openssl-1.0.2-notes.html
Also no ASM acceleration is used (performance degradation).
8. Transmission 2.76 is used in the firmware for NETGEAR Downloader. The current version is 2.92 (used in my build). Potential vulnerability of 2.76:
https://www.cvedetails.com/vulnerab...-169589/Transmissionbt-Transmission-2.76.html
9. cyassl 1.6.5 is used in the firmware for https (e.g. to access the router WebGUI or the user’s files on a USB disk/flash stick from the Internet). Security vulnerabilities:
http://www.cvedetails.com/vulnerabi...&sha=4522f7435c58177f6fa5113d50e7cbf6b31f2d60
CVE-2014-2900
CVE-2014-2899
CVE-2013-1623
CVE-2012-1558
Removed entirely from my build. OpenSSL is used instead for https.
10. The same OpenSSL. Bugs in GPL source codes:
git_home/qca-hostap.git
Binary modules are compiled using OpenSSL 0.9.8, i.e. they depend on libssl.so.0.9.8 and libcrypto.so.0.9.8. At the same time there are no such libraries (v. 0.9.8) in the firmware, because OpenSSL 1.0.2h is used. I.e. the programs are not workable after GPL compilation.
11. Bug in GPL source codes:
package/fcgi
Missing patch 120-stdio.patch. As a result streamboost is not workable after GPL compilation.
12. /usr/sbin/openvpn:
Version 2.3.2 is used. The current version is 2.4.1 (or at least 2.3.14). List of bug fixes (potential vulnerabilities) for 2.3.x:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
13. GPL source codes:
configs/defconfig:
The compilation option -mfpu=vfpv3-d16 is used. At the same time IPQ806x supports VFPv4 (performance degradation).
14. A lot of scripts in the firmware cannot be run (644 mask instead of 755). I am not sure that all of them are needed, but anyway…
Etc. And there are a lot of other things corrected in fresher versions of packages, too much to list here.
Voxel.
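Added example, not part of Voxel's post and not NETGEAR's code: a small POSIX shell audit that walks an extracted firmware root and flags three of the defect classes listed above (scripts with a shebang but no exec bit, as in item 14; scripts that reference absolute /usr/bin or /usr/sbin paths that do not exist, as in item 5; and binaries that name shared libraries absent from /lib and /usr/lib, as in items 6 and 10). The directory set it scans, the constructed fixture tree, and the library check by scanning printable strings (a stand-in for `readelf -d` so the script also runs where binutils is absent) are all assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original post): audit an extracted firmware
# root filesystem for three of the defect classes described in the post.
#   - scripts that start with "#!" but lack the exec bit
#   - scripts referencing /usr/bin or /usr/sbin paths that do not exist
#   - binaries that name lib*.so* files absent from /lib and /usr/lib
# Assumption: the library check scans printable strings instead of parsing
# ELF NEEDED entries, so it needs no readelf/objdump on the host.

# List scripts under ROOT/etc/init.d and ROOT/usr/sbin that have a shebang
# but are not executable. Paths are printed relative to ROOT.
find_nonexec_scripts() {
    root=$1
    find "$root/etc/init.d" "$root/usr/sbin" -type f 2>/dev/null | while read -r f; do
        if head -c 2 "$f" 2>/dev/null | grep -q '^#!' && [ ! -x "$f" ]; then
            echo "${f#"$root"}"
        fi
    done
}

# For every script in the same directories, print "script: path" for each
# absolute /usr/bin or /usr/sbin path it mentions that is missing from ROOT.
find_dangling_paths() {
    root=$1
    find "$root/etc/init.d" "$root/usr/sbin" -type f 2>/dev/null | while read -r f; do
        grep -oE '/usr/s?bin/[A-Za-z0-9_.-]+' "$f" 2>/dev/null | sort -u | while read -r p; do
            [ -e "$root$p" ] || echo "${f#"$root"}: $p"
        done
    done
}

# For every file in ROOT/bin and ROOT/usr/sbin, print "binary: lib" for each
# lib*.so* name embedded in it that exists neither in ROOT/lib nor ROOT/usr/lib.
find_missing_libs() {
    root=$1
    for bin in "$root"/bin/* "$root"/usr/sbin/*; do
        [ -f "$bin" ] || continue
        tr -c '[:print:]' '\n' < "$bin" \
            | grep -oE '^lib[A-Za-z0-9_+-]+\.so(\.[0-9]+)*$' | sort -u | while read -r lib; do
            if [ ! -e "$root/lib/$lib" ] && [ ! -e "$root/usr/lib/$lib" ]; then
                echo "${bin#"$root"}: $lib"
            fi
        done
    done
}

# Build a constructed fixture tree that reproduces the three defect shapes.
# The file names mirror the post, but every file's content is made up here.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/init.d" "$root/usr/sbin" "$root/usr/bin" \
             "$root/bin" "$root/lib" "$root/usr/lib"
    # init script left at mode 644 (cannot be executed)
    printf '#!/bin/sh\necho powerctl\n' > "$root/etc/init.d/powerctl"
    chmod 644 "$root/etc/init.d/powerctl"
    # script that calls /usr/bin/wget while wget actually lives in /usr/sbin
    printf '#!/bin/sh\nexec /usr/bin/wget "$@"\n' > "$root/usr/sbin/wget_netgear"
    printf '#!/bin/sh\necho wget\n' > "$root/usr/sbin/wget"
    chmod 755 "$root/usr/sbin/wget_netgear" "$root/usr/sbin/wget"
    # fake binary whose embedded names ask for OpenSSL 0.9.8 libs; only 1.0.0 ships
    printf '\177ELF\000libssl.so.0.9.8\000libcrypto.so.0.9.8\000' > "$root/bin/fbwifi"
    : > "$root/usr/lib/libssl.so.1.0.0"
    : > "$root/usr/lib/libcrypto.so.1.0.0"
    echo "$root"
}

# Usage: sh fw_audit.sh /path/to/extracted/rootfs
# Without an argument the constructed fixture is audited and then removed.
if [ -n "${1:-}" ]; then
    ROOTFS=$1
    CLEANUP=""
else
    ROOTFS=$(make_fixture)
    CLEANUP=$ROOTFS
fi
echo "== scripts without exec bit";          find_nonexec_scripts "$ROOTFS"
echo "== scripts referencing missing paths"; find_dangling_paths "$ROOTFS"
echo "== binaries needing absent libraries"; find_missing_libs "$ROOTFS"
if [ -n "$CLEANUP" ]; then rm -rf "$CLEANUP"; fi
```

On a real extracted root the string scan over-reports (any lib name mentioned in a message string is flagged), so treat its output as a list to confirm with `readelf -d` rather than as a verdict; the exec-bit and dangling-path checks are exact for the directories they cover.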