NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

stefan_eb's avatar
stefan_eb
Tutor
Jul 15, 2019
Solved

Firmware 2.3.5.30 Security Vulnerability?

Hi, I just updated my Orbi RBR50/RBS50 to the new Firmware 2.3.5.30. I am also a subcriber of the Netgear Bitdefender Armor. After the update I got a notification for a potential security risk (see attached screenshot). Is this supposed to happen? Should Netgear do something about it?

NETGEAR Armor

5 Replies

    • stefan_eb's avatar
      stefan_eb
      Tutor
      Jul 26, 2019

      Quick update. Netgear Engineering is aware of this issue and will offer a solution in a firmware update.

      • FURRYe38's avatar
        FURRYe38
        Guru - Experienced User
        Jul 26, 2019

        Thank you for letting us know. 

        :smileywink:

  • CrimpOn's avatar
    CrimpOn
    Guru - Experienced User
    Jul 15, 2019
    stefan_eb wrote:

    Should Netgear do something about it?

    Ha!  This is SO COOL.  Netgear is ratted out by their own partner.  Using http for the "inside the LAN" router access is a feature of many routers, not just Netgear.  I have never seen an explanation for why they do this, but my own (personal) belief is:

     

    1. People are supposed to use complex passwords on the administrative account.
    2. If someone has physical access to a wired port on the Orbi, then they are "inside the safe" and already can do anything they want.
    3. If someone wants to hack using WiFi, they have to breach the (supposedly) complex WiFi password.
    4. If the owner is paranoid, he can use Access Control to keep anyone from attaching a new device.

    The goofy part is that when "Remote Access" is turned on, that interface is https.  So, they already support a secure web interface.  They just don't use it for internal access.

     

    This is well documented issue that Netgear (and other router makers) seem to think is not a high priority.

    • FURRYe38's avatar
      FURRYe38
      Guru - Experienced User
      Jul 15, 2019

      I would agree that the LAN side UI may need HTTPS at some point, however not alot of hacking goes on on the LAN side. Though not everyone seems to be proactive in some counter measures, Mfrs may be just waiting for a real need for HTTPS on the routers UI. May involve more than just changing protocols as well. Most routers and APs and such don't use HTTPS for LAN side access. Been like since since the start. Some printers now do though.