• shoulderoforion
    link
    fedilink
    431 month ago

    I’m a little bit torn on this one, we’re talking 10-15 year old devices here. The number of companies that will continue to produce emergency security patches for their hardware so old and having reached EOL four years ago in 2020 are few and far between. Caveat Emptor most definitely, but if you’re someone who likes to keep their tech running forever, you’re going to need to get creative, when the manufacturer eventually stops patching. For this particular instance, I’d recommend placing the unit behind a vpn on the lan.

    • @Benjaben@lemmy.world
      link
      fedilink
      141 month ago

      Yeah, I mean…what IS “end of life” / “end of support” other than not patching newly found issues, after long enough? Not enough info in the article to indicate any kind of bait and switch or annoyingly short support window, and the support window didn’t end recently either. Seems pretty reasonable TBH.

      Then again it’s a lot of vulnerable devices, and doesn’t sound like too hard of a fix. But for all I know they’ve dismantled their tooling for testing patches on those devices, etc. Would be nice if they addressed it, but I can’t exactly condemn them for not.

      • @2pt_perversion@lemmy.world
        link
        fedilink
        111 month ago

        It looks like they just didn’t neutralize/sanitize controllable input data so it should be a pretty easy fix. I think if a security researcher gives you a layup by identifying an easily fixable vulnerability a company should just take it, even if the product is old. If for no other reason than it’s bad marketing when news articles like this come out.

        • @Benjaben@lemmy.world
          link
          fedilink
          31 month ago

          Yeah, I know what you mean, and yep it looked like just input sanitization on a very specific thing. I don’t disagree, headlines being headlines, and even just broad benefit vs. overall level of effort seems pretty positive to me from an outsider’s perspective.

          But then again, issuing a firmware update is also an implicit guarantee that no (unrelated) functionality will degrade, which really needs a degree of testing in order to be a responsible business decision. And then on the optics side, I can see there being a benefit to a hard line in the sand regarding EOL, vs getting into the weeds of determining on a case by case basis what merits violating their own policy, and all the implications such granular judgment calls would entail (although they and all others probably must do something similar, to some degree).

          Idk, I don’t own much or any of their stuff these days, no real skin in the game, nor do I have any particularly relevant info or opinions on the company. Just rambling lol.

    • @Fizz@lemmy.nz
      link
      fedilink
      11 month ago

      These are storages though. They should last that long. Just by the fact there is still 60,000 in use is enough reason to patch it.