GWild
Guide
Mar 01, 2021
Solved

RBS750 vs PSV-2020-0432

re: https://kb.netgear.com/000062820/Security-Advisory-for-Stack-based-Buffer-Overflow-Remote-Code-Execution-Vulnerability-on-Some-Routers-PSV-2020-0432

 

That latest 2021/01/21 Security bulletin states the RBS750 is susceptible to the hack if firmware is equal to or lower than 

  • RBS40V running firmware versions prior to 2.6.2.4
  • RBS750 running firmware versions prior to 3.2.17.12
  • RBS850 running firmware versions prior to 3.2.17.12
  • ...

Yet, the latest firmware found in the "Update" logs is 

Check for new version from the Internet.	[Check]
Status:
Model Name	Device Name	Current FW	Status
Router		CBR750	CBR750	V3.2.16.18	No New Firmware Available
Satellite	RBS750	Orbi..	V3.2.16.22	No New Firmware Available

And what is worse, is that in grabbing this information I just found out my 'upgrade' to the CBR750 firmware showed failed days AFTER it succeeded (yes, I even posted a grab of the update page and posted it in another thread days ago). But then, wait for it, the router is having DNS issues, and even its internal check for updates is failing... lmao.

 

So back to the fact the advisory that lists firmware that is later than what the updater finds - this seems to be routine for Netgear - as it just happened on my CBR40, too.

 

 

 

So the latest available to me is: 

https://www.netgear.com/support/product/CBK752.aspx#download

  • Current Versions
  • CBR750 (Orbi Cable Router) Firmware Version 3.2.16.18
  • RBS750 (Orbi Satellite) Firmware Version 3.2.16.6

 

It seems after some digging there are TWO RBS750 models. Not exactly a smart naming convention, Netgear. One is for the RBR750/RBS750 pair, and a different model for the CBR750/RBS750 pair. Whoever is writing these security bulletins should probably be told this fact.

 

  • CBK752 Kit returned for full refund. Problem solved.

30 Replies

    • FURRYe38
      Guru

      The RBS750 model is used with the CBK750 and the RBR750 kits. They're the same RBS models.

      • GWild
        Guide

        Then why are there THREE 'latest firmware' releases? And which one is really the latest?

         

        My RBS750 satellite has V3.2.16.22 installed and reports this is the latest available.

        The Orbi CBK752 page shows a latest RBS750 (Orbi Satellite) Firmware Version 3.2.16.6 (older than installed?).

        The Security notice says the RBS750 is vulnerable if the RBS750 is running firmware versions prior to 3.2.17.12.

         

        So where do I get V3.2.17.12 ???

         

        And - if I download the version you link for the standalone RBS750, the update fails because the file is for the wrong version of RBS750. I must use the CBK752 download page to get the correct version for my RBS750 from

        https://www.netgear.com/support/product/cbk752.aspx#download

         

        I'm thinking Netgear has no web master to maintain order, and teams change pages willy-nilly... lol.

         

        ps: if I log into the RBS750 via the CBR750 and try using the system firmware updater, it fails: if I direct connect to the RBS750 with a cable, it will accept the 3.2.17.12 version found above. So even their mesh updater is broken.

         

        pps: Now, I wonder when they plan to update the CBR750 to fix the vulnerability. It has the same basics as the RBR750, only with a cable modem stuck on the WAN side of the router.
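
The check the thread keeps doing by eye (installed firmware against the advisory's fixed-in version), as an added example that is not part of the original posts or any NETGEAR tooling. The function names are hypothetical, the status rows are a constructed copy of what was posted, and matching on the model name alone is an assumption the thread itself disputes for the RBS750.

```python
import re
from itertools import zip_longest

# Fixed-in versions quoted in the thread from advisory PSV-2020-0432. The quoted
# list is cut off ("..."), so a model missing here is "not-listed", not "safe".
FIXED_IN = {"RBS40V": "2.6.2.4", "RBS750": "3.2.17.12", "RBS850": "3.2.17.12"}

# Constructed sample: the two tab-separated status rows as posted in the thread.
STATUS_ROWS = (
    "Router\t\tCBR750\tCBR750\tV3.2.16.18\tNo New Firmware Available\n"
    "Satellite\tRBS750\tOrbi..\tV3.2.16.22\tNo New Firmware Available\n"
)

def parse_version(text):
    """'V3.2.16.22' or '3.2.17.12' -> tuple of ints."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def is_older(a, b):
    """True if version a is numerically older than b; missing fields count as 0."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return x < y
    return False

def parse_status(rows):
    """Yield (model, version) from status rows, ignoring empty tab fields."""
    for line in rows.splitlines():
        fields = [f for f in line.split("\t") if f]
        if len(fields) >= 4:
            yield fields[1], fields[3]

def assess(model, installed):
    fixed = FIXED_IN.get(model)
    if fixed is None:
        return "not-listed"
    return "below-fixed" if is_older(installed, fixed) else "fixed"

def report(rows=STATUS_ROWS):
    return {model: (ver, assess(model, ver)) for model, ver in parse_status(rows)}

if __name__ == "__main__":
    for model, (ver, verdict) in report().items():
        print(f"{model:8} {ver:12} {verdict}")
```

Comparing field by field as integers matters here: as plain strings, 3.2.16.6 sorts after 3.2.16.22, although numerically it is the older build.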
