brise
May 13, 2019, Aspirant
RBR50 High Risk Vulnerability
Netgear Armor (free trial) has completed a vulnerability assessment on my network and has identified a High Risk vulnerability on the RBR50 router itself. The description is "Basic auth found". Can s...
schumaku
May 17, 2019, Guru - Experienced User
brise wrote:
The description is "Basic auth found". Can someone explain that to me and what I should do to fix this? Basic auth on what? - orbilogin.com??
The description alone as provided is not sufficient - there must be more.
Basic Auth is a standard way used to challenge usernames and passwords in a Web browser, on http or https sessions, here is what the Web browser shows:
Especially if this code does pop up on an http page, it's typically considered a major risk, because the content (realm, username, password) is going over the network without reasonable encryption.
Well this is what happens when so-called security systems are thrown on the wide public - completely unrelated "it's this" are coming back.
- Eg2020, Aug 07, 2019, Tutor
I'm getting the same vulnerability message for the RBR50 router. I also get one for my Ecobee thermostat. Unfortunately there is no other detail provided in the report.
- schumaku, Aug 07, 2019, Guru - Experienced User
As I wrote above:
"Basic Auth is a standard way used to challenge usernames and passwords in a Web browser, on http or https sessions, ... if this code does pop up on an http page, it's typically considered a major risk, because the content (realm, username, password) is going over the network without reasonable encryption."
Except for the "special case" where the device is the first in the data path (e.g. a wireless extender with mywifiext.net, or a router with myrouterlogin.net, or an Orbi router with orbilogin.net, where the device can capture the DNS request and return the LAN IP), there is hardly a way to have "clean" https certificate installations on a LAN - without local DNS, without your own domain, ... so it's disputable what is the better choice - non-protected credentials on what should be considered a secure LAN, or even more nasty browser complaints about invalid certificate, ....
- Eg2020, Aug 09, 2019, Tutor
I get all that. The issue is why is the Netgear Armor that comes with the Orbi router declaring the router itself to be a security risk. If you just go to the url of the router then indeed the basic auth window pops up, so is that it?
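As an added illustration of the Basic auth behaviour described in this thread (not part of any post, and not Netgear Armor's actual check, whose logic is not documented here): the sketch below parses a constructed 401 response, classifies it by URL scheme, and shows that the credentials a browser sends back are only Base64-encoded. The realm, password and function names are assumptions made up for the example.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample: the kind of reply an admin page sends to an
# unauthenticated request. Realm and header values are made up.
SAMPLE_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: text/html\r\n"
    'WWW-Authenticate: Basic realm="Example Router"\r\n'
    "\r\n"
)
# Constructed request header a browser sends after the login pop-up.
SAMPLE_AUTHORIZATION = "Basic " + base64.b64encode(b"admin:example-password").decode()


def parse_challenge(raw_response):
    """Return (status, auth scheme, realm) from a raw HTTP response head."""
    head = raw_response.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            scheme, _, params = value.strip().partition(" ")
            realm = None
            for part in params.split(","):
                key, _, val = part.strip().partition("=")
                if key.lower() == "realm":
                    realm = val.strip('"')
            return status, scheme.lower(), realm
    return status, None, None


def assess(url, raw_response):
    """Hypothetical classification in the spirit of 'Basic auth found'."""
    status, scheme, realm = parse_challenge(raw_response)
    if status != 401 or scheme != "basic":
        return "no basic auth challenge"
    if urlsplit(url).scheme == "http":
        return f"basic auth over cleartext http (realm={realm!r})"
    return f"basic auth over https (realm={realm!r})"


def decode_basic(authorization):
    """Recover user and password; Base64 is an encoding, not encryption."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password
```

The same 401 challenge is reported differently depending on whether the page was fetched over http or https, which is the distinction the replies above draw.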