NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

ploo's avatar
ploo
Guide
Oct 13, 2018

Orbi 2.2.1.210 fimware security issue (turns on guest network with no password)

Has anyone else experienced this? I upgraded by Orbi to 2.2.1.210 - everything seemed fine. I have a guest network (with a password) that I leave disabled and only enable when we have a guest. It is ...
Troubleshooting
randomousity's avatar
randomousity
Luminary
Jan 10, 2019

I ust checked and had the same issue, the guest network being enabled with no password, despite the settings showing the guest network was disabled. Since I've never enabled it, there isn't a password set, so that wasn't an issue, but it shouldn't spontaneously enable itself.

 

And, before anyone asks, I've manually loaded the 2.2.1.210 firmware before, following other issues, and I iddn't use the guest network with previous firmware versions, either.

 

I don't live in a very dense area, so it's not terrible, as far as neighbors getting on my network, but still a security issue that should be addressed, especially since the Orbi doesn't fully segment the guest network from the regular private network anyway.

  • ja6a's avatar
    ja6a
    Star
    Jan 12, 2019
    Someone at bugcrowd got back to me. Please can someone help me answer the question: What are the steps to reproduce this bug?
    • User00's avatar
      User00
      Star
      Jan 12, 2019

      The bug seems to be with the satellite not being able to fully get the config changes from the base. Lots of different ways to reproduce and it's worse if the Orbi is in AP mode and something else on the network is acting as the DHCP server. 

       

      If you perform a firmware upgrade, then the satellite will revert to default settings and start Broadcasting the guest network.  It won't get the settings from the base until you perform a physical reset and then initiate a sync.

      If you make a change on the base unit, the satellite does not get the changes (even if it shows as registered on the base unit) - so now you have the base broadcasting the new settings and the satellite broadcasting the old ones.  Once again, you have to hard reset the satellite and re-connect/sync it to the base for the settings to propogate.

      If you are in Router mode - then you might not get an IP address from the base, but you could technically still connect via the satellite and assign yourself a static IP.

       

      Some folks are reporting that a reboot fixes it - but that never worked for me.  I always had to do the hard reset (which sometimes won't work unless you hold the button for 90 full seconds).

       

       

      • ja6a's avatar
        ja6a
        Star
        Jan 12, 2019

        Thank you very much. I have used your text in the report verbatim.