Forum Discussion
brise
May 13, 2019 (Aspirant)
RBR50 High Risk Vulnerability
Netgear Armor (free trial) has completed a vulnerability assessment on my network and has identified a High Risk vulnerability on the RBR50 router itself. The description is "Basic auth found". Can s...
Eg2020
Aug 07, 2019 (Tutor)
I'm getting the same vulnerability message for the RBR50 router. I also get one for my Ecobee thermostat. Unfortunately there is no other detail provided in the report.
schumaku
Aug 07, 2019 (Guru - Experienced User)
As I wrote above:
"Basic Auth is a standard way used to challenge usernames and passwords in a Web browser, on http or https sessions, ... if this code pops up in a http page, it's typically considered a major risk - because the content (realm, username, password) is going over the network without reasonable encryption."
Except for the "special case" where the device is the first in the data path (e.g. a wireless extender with mywifiext.net, or a router with myrouterlogin.net, or an Orbi router with orbilogin.net, where the device can capture the DNS request and return the LAN IP), there is hardly a way to have "clean" https certificate installations on a LAN - without local DNS, without your own domain, ... so it's disputable what is the better choice - non-protected credentials on what should be considered a secure LAN, or even more nasty browser complaints about invalid certificates, ....
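The check that a scanner such as the one in this thread performs, as an added example that is not part of the original post or of any NETGEAR product: parse the HTTP response a device returns, detect a `WWW-Authenticate: Basic` challenge, and rate it high risk when the page is served over plain http and low risk over https. A second function decodes a Basic `Authorization` header to show why the rating differs: the credentials are only base64-encoded, so anyone able to read the http traffic can read them. The response, the realm name, the address and the credentials are all constructed sample values, not taken from a real router.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample: the kind of reply a router admin page sends when it
# challenges for credentials with HTTP Basic authentication. The realm
# string is invented for this example.
SAMPLE_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="Example Router"\r\n'
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed sample: what a browser sends back after the user fills in the
# Basic auth dialog. The token is base64("admin:example"), a made-up pair.
SAMPLE_AUTHORIZATION = "Basic YWRtaW46ZXhhbXBsZQ=="


def parse_headers(raw):
    """Return (status_line, {lower-cased header name: value}) from a raw HTTP response."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def basic_auth_realm(headers):
    """Return the realm if the response demands Basic auth, else None.

    A challenge using another scheme (Digest, Bearer, ...) or no challenge
    at all yields None, so only Basic is reported.
    """
    challenge = headers.get("www-authenticate", "")
    scheme, _, params = challenge.partition(" ")
    if scheme.lower() != "basic":
        return None
    for param in params.split(","):
        key, _, value = param.strip().partition("=")
        if key.lower() == "realm":
            return value.strip().strip('"')
    return ""


def assess(url, raw_response):
    """Rate a Basic-auth challenge: high risk over http, low over https.

    Over https the browser encrypts the Authorization header in transit;
    over http it crosses the LAN readable to anyone on the same segment.
    """
    _status, headers = parse_headers(raw_response)
    realm = basic_auth_realm(headers)
    if realm is None:
        return {"basic_auth": False, "risk": "none", "realm": None}
    scheme = urlsplit(url).scheme.lower()
    risk = "high" if scheme == "http" else "low"
    return {"basic_auth": True, "risk": risk, "realm": realm}


def decode_basic_credentials(authorization_header):
    """Split a Basic Authorization header back into (user, password).

    Base64 is an encoding, not encryption: this is all an observer of the
    plain http session has to do to recover the login.
    """
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    # 192.168.1.1 is a constructed placeholder for the router's LAN address.
    print(assess("http://192.168.1.1/", SAMPLE_RESPONSE))
    print(assess("https://192.168.1.1/", SAMPLE_RESPONSE))
    print(decode_basic_credentials(SAMPLE_AUTHORIZATION))
```

Run against the constructed response, the http URL is rated high and the https URL low, which matches the reasoning in the quoted post: the finding is about the transport the login dialog travels over, not about the dialog itself.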
- Eg2020, Aug 09, 2019 (Tutor)
I get all that. The issue is why is the Netgear Armor that comes with the Orbi router declaring the router itself to be a security risk. If you just go to the url of the router then indeed the basic auth window pops up, so is that it?
- MadOverlord, Aug 09, 2019 (Initiate)
I'm getting this on my new RBR40. There does not seem to be a way to force the router web config to only work through https, and if you do an https connection it works but you get an insecure connection warning (probably there isn't a certificate).
Kind of embarrassing that the first warning you get with BitDefender is about the router itself.
Realistically, since you can only connect to the router from inside the network, the only devices that could snoop the unencrypted http traffic are those already connected to your network.
- Orbi-Roc, Aug 10, 2019 (Luminary)
Hi MadOverlord.
MadOverlord wrote: "Realistically, since you can only connect to the router from inside the network, the only devices that could snoop the unencrypted http traffic are those already connected to your network."
So if your network access password is weak and the 'access control' functionality is not enabled on your router, you don't think that someone parked in front of your house can access and connect to your network?