3. Some router vendors pay too little attention to vulnerabilities submitted by researchers
Title: ZyXEL and Netgear Fail to Patch Seven Security Flaws Affecting Their Routers
Author info: December 26, 2016 08:40 AM By Catalin Cimpanu
//BEGIN
Router manufacturers such as Netgear and ZyXEL have failed to address seven security flaws reported by security researchers in the last three or more months.
Following unofficial industry standards, the security teams who found these flaws published their findings, so users can take precautionary measures, and decide if they still want to keep using the vulnerable devices, or replace them with more secure equipment.
Security researchers found high-severity vulnerabilities in routers from two vendors, Netgear and ZyXEL; exploiting them allows remote control of the routers, endangering users' privacy and security.
There are seven vulnerabilities in total: three in the former (Netgear) and four in the latter (ZyXEL). The researchers reported them between three and four months ago, but the vendors never responded.
Following the "unwritten industry rules of vulnerability disclosure", the security experts published these vulnerabilities to alert users to take precautions, and left the decision to users: keep using the devices or replace them.
//END
Vendor response
Probably the most disheartening part of these security flaws is the vendor response the research teams received for their reports. Which was none. We quote Ribeiro and SecuriTeam's disclosure timelines:
We notified ZyXEL of the vulnerabilities back in July 2016; repeated attempts to re-establish contact and get some answer on the status of the patches for these vulnerabilities went unanswered. At this time there is no solution or workaround for these vulnerabilities.
Timeline of disclosure:
26.09.2016: Email sent to NETGEAR (security () netgear com) asking for PGP key, no response.
28.10.2016: Email sent to NETGEAR (security () netgear com) asking for PGP key, no response.
26.11.2016: Disclosed vulnerability to CERT through their web portal.
29.11.2016: Received reply from CERT. They indicated that NETGEAR does not cooperate with them, so they recommended getting CVE numbers from MITRE and releasing the vulnerability information. Email to MITRE requesting CVE numbers, no response. Email sent to NETGEAR (security () netgear com) asking for PGP key, no response.
20.12.2016: Public disclosure.
Neither vendor gave any response to the researchers' reports. So, after waiting more than three months, the researchers decided to publicly disclose the vulnerability details on December 20.
Comment: Going public at the first sign of disagreement? I rather suspect they simply could not read English (or, with so many scammers around, how could they be sure what you were saying was true ^^), or perhaps the emails were filtered into the spam folder by some rule?