3v3ntH0riz0n
Dec 09, 2016, Apprentice
NETGEAR Routers and CVE-2016-582384 security vulnerability
I am a bit concerned about this recent article: http://www.zdnet.com/article/two-netgear-routers-are-vulnerable-to-trivial-to-remote-hack/ https://www.kb.cert.org/vuls/id/582384 Details: Overview Net...
- Dec 12, 2016
NETGEAR is aware of the security issue #582384 affecting R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, D6400 routers. Stay updated here: http://kb.netgear.com/000036386/CVE-2016-582384
We now have beta firmware containing fixes for some affected models.
We're working hard on fixes for the other affected models and will update the security ticket above soon.
**** UPDATE from NETGEAR - Added by ChristineT on 12/15/16 at 10:30 AM PST ****
To our NETGEAR Community, we sincerely apologize for any complications you may have encountered due to the recently publicized vulnerability, referred to as VU 582384. We initially became aware of this vulnerability last Friday when CERT emailed us, and because we had no record of a prior report, we began our standard process of validation prior to making any public statements.
Once it had been disclosed that the first notification actually occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part. While no security reporting system is perfect, we aim to do better, and are evaluating how to improve our response process.
NETGEAR has created a channel for security researchers and other members of the public to contact us regarding potential security issues affecting NETGEAR products (security@netgear.com), which is publicly disclosed from the NETGEAR Product Security Advisory page. We receive numerous emails through this channel, the overwhelming majority of which, on review, do not raise product security issues. When we do recognize that there is a security risk to our customers, we work diligently to address them in a timely manner, as we have done in this case since learning about it last Friday.
Security Advisory for VU 582384 knowledgebase article.
NETGEAR Product Security Advisory page.
meetloaf
Dec 09, 2016, Initiate
Count me in. Just bought this in July, and all Netgear can say is "uh, we know you spent $200 in this, but you shouldn't use it anymore"?
I hope this changes soon
- netwrks, Dec 09, 2016, Master
For R7000, there are options... Go here and load this firmware. Easy instructions on top page. Problem solved..
- 3v3ntH0riz0n, Dec 09, 2016, Apprentice
Sure, I could do something like that, but I would suspect that puts me out of support for this router. Not to mention I am one level behind because I don't want to run my arlo base station, my router manages the cameras. Really wish they would keep that going with newer builds. I am hoping that NetGear can add a comment here, saying they are at least aware and working on a fix. I'd rather know that they are going to do something, before putting a different os on the router. But thanks for that link. Question, did you attempt to load that on your router? Are you running that build now?
- Retired_Member, Dec 09, 2016
When you bought the r7000 did it advertise the Arlo option?
Also I used the suggested FW without a problem.
- Captiva, Dec 11, 2016, Tutor
Very difficult if not impossible for 99% of Netgear customers (Costco, Amazon, Wal-Mart, Target shoppers) to comprehend and implement. Vendor solution is needed.
- 3v3ntH0riz0n, Dec 11, 2016, Apprentice
Agree. Especially since there were a lot of discounts on this item since Black Friday and articles telling consumers it's one of the best devices you could buy at the time.
- michaelkenward, Dec 10, 2016, Guru - Experienced User
This might be interesting:
Re: Netgear routers found to have critical vulnera... - NETGEAR Communities
- JMNB, Dec 17, 2016, Aspirant
Thank you all for your responses. Here's my specific complaints about the Netgear instructions for the security issue:
I clicked on the link for "instructions" that came in the email alerting me to the problem. The first bit of advice was to connect your computer to the router via ethernet cable instead of using a wireless connection. There is no mention of what to do if, like millions of users, your laptop has no ethernet port.
The first numbered bullet advises: "Write down all the settings which you changed from the default values since you may need to re-enter them manually." I have no idea what "default values" are so I went to the next step.
Step number three asks you to log in to the router. It asks for a user name and password. Up to that point I had never been to the Netgear site and therefore had no user name or password. One of you helpfully told me what to use, but why isn't that info on the log-in page? Or more importantly, why doesn't Netgear just log you in since EVERYONE is "admin" and the password is "password"?
Finally, in the "important tips", it advises you that "The upgrade process is completed when the on-screen progress bar completes. If power light LED turns amber and blinking, POWER CYCLE THE ROUTER (caps added) to complete the upgrade." Power cycle the router? What does that even mean? How do you do it?
Perhaps Netgear should have Community members review their proposed "instructions" before they release them to the general public.
Thanks to all of you who responded so quickly.
Jon (JMNB)
- michaelkenward, Dec 17, 2016, Guru - Experienced User
JMNB wrote:I clicked on the link for "instructions" that came in the email alerting me to the problem. The first bit of advice was to connect your computer to the router via ethernet cable instead of using a wireless connection. There is no mention of what to do if, like millions of users, your laptop has no ethernet port.
Use the wifi to download a copy of the firmware to your PC. Then go through the update process and pray that nothing goes wrong. Many people happily upgrade using wifi.
JMNB wrote:
The first numbered bullet advises: "Write down all the settings which you changed from the default values since you may need to re-enter them manually." I have no idea what "default values" are so I went to the next step.
If you haven't changed anything, you are on the default values, although you will have a saved username and password for your internet login. Keep a record of those details.
But many people don't bother with that process. Many firmware updates do not require a "factory reset" that will wipe out your settings. This one doesn't seem to need it.
JMNB wrote:Step number three asks you to log-in to the router. It asks for a user name and password. Up to that point I had never been to the Netgear site and therefore had no user name or passwrod. One of you helpful told me what to use, but why isn't that info on the log-in page.
When you login to the router you are going nowhere near the internet. That is a local address for your hardware so that you can get in there and configure things and apply the new firmware.
JMNB wrote:
Or more importantly, why doesn't Netgear just log you in since EVERYONE is "admin" and the password is "password"?
See above. You aren't logging into Netgear.
Most people change the local password as a security measure so that their neighbours don't get in and wreak havoc.
JMNB wrote:
Power cycle the router? What does that even mean? How do you do it?
Good question. It means turn the thing off and on at the mains or using the power switch on the back.
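The reply above makes two points worth checking on your own LAN: the router login is a local address, not a NETGEAR website, and the factory credentials are admin / password, which most people should have changed. The script below is an added example written for this page, not NETGEAR's code or anything from the firmware instructions. It sends one authenticated GET to the router's admin page and reports whether the default credentials are still accepted. It assumes the admin page is served over plain HTTP on the LAN and protected by HTTP Basic authentication (the usual arrangement on consumer routers of this era); the gateway address http://192.168.1.1/ is an assumption too, so pass your own if it differs. Run it only against a router you own.

```python
"""Check whether a router's LAN admin page still accepts the factory
default credentials (admin / password).

Added example for this thread; not NETGEAR's code. Assumptions: the admin
page is reached over plain HTTP on the LAN and uses HTTP Basic auth. The
default gateway address below is a guess; override it on the command line.
"""
import base64
import sys
import urllib.error
import urllib.request

DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "password"
ASSUMED_GATEWAY = "http://192.168.1.1/"  # assumption; pass your own URL


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def probe_admin_login(base_url: str, user: str, password: str,
                      timeout: float = 5.0) -> str:
    """Send one authenticated GET and classify the outcome.

    Returns 'accepted' (page served with these credentials),
    'rejected' (router answered but refused them), or
    'unreachable' (no HTTP answer at all, e.g. wrong address or
    the admin page is not on plain HTTP). Nothing on the router
    is changed: this is a read-only request.
    """
    req = urllib.request.Request(base_url, method="GET")
    req.add_header("Authorization", basic_auth_header(user, password))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "accepted" if resp.status == 200 else "rejected"
    except urllib.error.HTTPError:
        # 401/403 (or any other error status) means the router answered
        # but did not let these credentials through.
        return "rejected"
    except (urllib.error.URLError, OSError):
        return "unreachable"


def default_credentials_still_work(base_url: str) -> bool:
    """True only if admin / password is still accepted by the router."""
    return probe_admin_login(base_url, DEFAULT_USER, DEFAULT_PASSWORD) == "accepted"


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else ASSUMED_GATEWAY
    result = probe_admin_login(url, DEFAULT_USER, DEFAULT_PASSWORD)
    if result == "accepted":
        print(f"{url}: default credentials still accepted; change the admin password")
    elif result == "rejected":
        print(f"{url}: default credentials rejected")
    else:
        print(f"{url}: router not reachable over plain HTTP at this address")
```

If the result is "unreachable", the address is wrong or the admin page is not plain HTTP at that URL; the script deliberately does not try to guess further.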
- climb74, Dec 11, 2016, Guide
So what is the timeline to a patch? After spending over 200 bucks for a router I expect that the vendor is going to support their product. Fair warning, I will be very vocal about my dissatisfaction if I have to go out and buy a new router. Considering I have an extensive career in Information Security, my voice may carry some weight... The current lack of response is disconcerting to say the least considering that there is an exploit available in the wild.
- 3v3ntH0riz0n, Dec 11, 2016, Apprentice
I would recommend Twitter to voice concern (netgearhelp, I think, is the tag). We could also post to review sites (amazon.com, Newegg, and even Netgear's site). Use social media, like FB, to post reviews or rank the item. This might get their attention. This bug has been known about since Friday, and Netgear has yet to respond. Unacceptable.
- climb74, Dec 11, 2016, Guide
There are a number of security sites that garner a lot of attention as well... though a number of them already have this issue in their sights along with mainstream tech sites. ZDNet is just the tip of the proverbial iceberg. I find it odd that the only response from a Netgear representative on their own forum was to attempt to discredit CERT as a source. Calling Carnegie Mellon University's public vulnerability database (CERT) a "third party" is a bit of a stretch... I wonder what sort of agenda they think a reputable university and The Department of Homeland Security are trying to push... I sincerely doubt either "third party" have any vested interest in a Netgear competitor.
That said... I don't know how much weight our threats of going to the media will have anymore now that SlashDot, ComputerWorld, and Network World have gotten a hold of this story. This story has gotten legs, and if Netgear doesn't get ahead of this they are going to be in serious trouble. Personally I will give them two business days at most before I drop support for them entirely and search for a more secure router vendor. Many of us Security Architects work from home. The last thing we need are unsupported border devices with egregious security flaws. The least they should do is provide a workaround as of yesterday!
- kochin, Dec 11, 2016, Apprentice
I got a response from Netgear this morning at 2:39am. They must be working hard to get it resolved. But, the message isn't saying much.
We appreciate you contacting us. Currently we are working on a fix and will get back to you when it’s available. Thanks.
If you have any questions or comments with regard to this information, please contact us at: security@netgear.com.
Sincerely,
Product Security Incident Response Team
Netgear, Inc
- alokeprasad, Dec 12, 2016, Mentor
kochin wrote:I got a response from Netgear this morning at 2:39am. They must be working hard to get it resolved. But, the message isn't saying much.
Probably means that is from a tech center in India or something ....