NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
CVE-2017-5521 Web GUI Password Recovery and Exposure Security Vulnerability
Hello everyone, I have read about a recent security flaw in several Netgear products, incuding the R6400 which I have installed in a friend's home.
Netgear seem to have addressed this issue in this knowledge base article: http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability
The vulnerability has been released on the 17th of January and the Netgear KB article links to several models' firmware pages that are supposed to provide a fix for the respecitve models.
However, the link for the R6400 takes you to firmware version 1.0.1.12 which was released in in November 2016.
Now I am quite confused because this is not the most recent version 1.0.1.18, let alone a firmware that was released after the exposure of the vulnerability mid January 2017.
So my questions are:
Which version is now safe to use, 1.0.1.12, 1.0.1.18 or none of the two?
If 1.0.1.12 is indeed safe to use, what about CVE-2016-6277 which 1.0.1.12 is definitely affected of?
How can a firmware that was released before the discovery of a vulnerability be deemed safe for that very vulnerability?
mett_smoothie wrote:However, the link for the R6400 takes you to firmware version 1.0.1.12 which was released in in November 2016.
It would be interesting to know where you found that link.
Netgear seem to have addressed this issue in this knowledge base article: http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability
That's a different issue.
Did you tell the router to go and look for a firmware update? That's usually the best tactic for firmware that is out of beta testing.
The support page for this device:
R6400 | Product | Support | NETGEAR
It offers Firmware Version 1.0.1.18.
The vulnerability has been released on the 17th of January ..
Unless there is something new, that date is seriously wrong and Netgear fixed the original issue weeks before that. Maybe the NVD has been too busy spying on the Donald.
Didn't you get an email about the update? It went out to registered owners some weeks ago,
Try this:
Security Advisory for VU 582384, PSV-2016-0245 | Answer | NETGEAR Support
That list the R6400 and tells you how to mend it.
Good luck with fixing the problem.It doesn't take long.
The good news is that yet it seems to have been hypothetical, with no reports of anything happening out in the real world.
2 Replies
mett_smoothie wrote:However, the link for the R6400 takes you to firmware version 1.0.1.12 which was released in in November 2016.
It would be interesting to know where you found that link.
Netgear seem to have addressed this issue in this knowledge base article: http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability
That's a different issue.
Did you tell the router to go and look for a firmware update? That's usually the best tactic for firmware that is out of beta testing.
The support page for this device:
R6400 | Product | Support | NETGEAR
It offers Firmware Version 1.0.1.18.
The vulnerability has been released on the 17th of January ..
Unless there is something new, that date is seriously wrong and Netgear fixed the original issue weeks before that. Maybe the NVD has been too busy spying on the Donald.
Didn't you get an email about the update? It went out to registered owners some weeks ago,
Try this:
Security Advisory for VU 582384, PSV-2016-0245 | Answer | NETGEAR Support
That list the R6400 and tells you how to mend it.
Good luck with fixing the problem.It doesn't take long.
The good news is that yet it seems to have been hypothetical, with no reports of anything happening out in the real world.
michaelkenward wrote:Unless there is something new, that date is seriously wrong and Netgear fixed the original issue weeks before that.
I did some digging around and what can I say: You are right. :smileyembarrassed:
I should have looked at the Netgear article IDs numbers. It wasn't fixed some weeks ago, but in fact some MONTHS ago, at least for the R6400.
The original issue actually dates back to June 2016: https://community.netgear.com/t5/Nighthawk-WiFi-Routers/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability/m-p/1104237#M34308
In the thread above, there is a link to the very KB article I refered to: http://kb.netgear.com/000030632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability
What confused me is that the NVD post created mid January refers to this very KB article (ID 30632) which led me to believe that this was a recent issue for the R6400. The last update date of the KB article (20th January) probably contributed to my misconception.
The KB article you suggested me (ID 36386) was in fact the most recent vulnerability and that has been patched with 1.0.1.18 (which I installed as soon as it was released).
I don't know why they released a new CVE for an issue that is actually six months old. My guess is Netgear discovered the same issue in other models and sent out a new warning to the authorities which led them to create a new CVE that linked to the original KB article.
Maybe Netgear could also post the original post date next to the last update date, that would have clarified everything from the beginning.
Well, I'm just glad that my friend's router seems to be safe for now, thank you for your answer :smileyhappy:
TL;DR: 36386 > 30632