NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

3v3ntH0riz0n's avatar
3v3ntH0riz0n
Apprentice
Dec 09, 2016
Solved

NETGEAR Routers and CVE-2016-582384 security vulnerability

I am a bit concerned about this recent article: http://www.zdnet.com/article/two-netgear-routers-are-vulnerable-to-trivial-to-remote-hack/ https://www.kb.cert.org/vuls/id/582384 Details: Overview Net...
backdoor
Firmware
injection
R7000
Security
vunerable
  • mdgm-ntgr's avatar
    mdgm-ntgr
    Dec 12, 2016


    NETGEAR is aware of the security issue #582384 affecting R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, D6400 routers. Stay updated here: http://kb.netgear.com/000036386/CVE-2016-582384

     

    We now have beta firmware containing fixes for some affected models.

    We're working hard on fixes for the other affected models and will update the security ticket above soon.

     

    **** UPDATE from NETGEAR - Added by ChristineT on 12/15/16 at 10:30 AM PST ****

     

    To our NETGEAR Community, we sincerely apologize for any complications you may have encountered due to the recently publicized vulnerability, referred to as VU 582384. We initially became aware of this vulnerability last Friday when CERT emailed us, and because we had no record of a prior report, we began our standard process of validation prior to making any public statements. 

     

    Once it had been disclosed that the first notification actually occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part. While no security reporting system is perfect, we aim to do better, and are evaluating how to improve our response process.

     

    NETGEAR has created a channel for security researchers and other members of the public to contact us regarding potential security issues affecting NETGEAR products (security@netgear.com), which is publicly disclosed from the NETGEAR Product Security Advisory page.  We receive numerous emails through this channel, the overwhelming majority of which, on review, do not raise product security issues.  When we do recognize that there is a security risk to our customers, we work diligently to address them in a timely manner, as we have done in this case since learning about it last Friday.

     

    Security Advisory for VU 582384 knowledgebase article.

    NETGEAR Product Security Advisory page.

     

     

wawilmsn's avatar
wawilmsn
Guide
Dec 10, 2016

I have the Nighthawk X6 R8000 router and tried the exploit (using the "ls" command).  The router returned a directory listing. I was not logged into the router at the time, and the router requires authentication normally to log in.  So, it seems that the current software on the R8000 is also vulnerable !!!!!

I hate to have to purchase a different router, but don't see how I can continue to use this one.  Hope a new software release will be available soon.

 

  • Coherent_Lite's avatar
    Coherent_Lite
    Guide
    Dec 10, 2016

    I tested the exploit (to the best of my ability) and found that it does not seem to work with firmware version V1.0.3.68_1.1.31 .  The string causes the router to request the admin login and then fails to the "Unauthorized Access" screen.  The command after the semicolon does not appear to be executed.  Unfortunately, I could only test from my local network, so I cannot confirm whether this is a "universal fix".

     

    Although this is an older version of the firmware, it may be a work around while NetGear works up a patch.  I believe that some of the older versions are archived online.

     

    Regardless, be safe.

      • Coherent_Lite's avatar
        Coherent_Lite
        Guide
        Dec 10, 2016

        I have been playing with the proof-of-concept strings a little bit more.  First, I note that the exploit-db website has two different versions: one with a "cgi-bin" directory and the other without.  I tried both with my R7000 running the older firmware (I never upgraded due to issues with the 1.06(?) firmware).  The results are as follows:

         

        Without the "cgi-bin" directory designation, trying both the ls command and the telnet command, the router requests the admin login and then fails to the "Unauthorized access" screen.  The commands do not appear to be executed.

         

        With the "cgi-bin" directory included, the router returns a "Resource Not Found" error, but neither command was executed.  Perhaps a more experienced user might be able to explain this, but it seems to me like the request is being interpreted by the router and then failed due to the directory not being found.  If so, then is it possible that a re-crafted string might work on the older firmware?

         

         

    • wawilmsn's avatar
      wawilmsn
      Guide
      Dec 10, 2016

      My router is at 192.168.1.254.  First, I checked by going to the router web GUI and received the authentication page, since I was not logged in. I wanted to make sure my login was not cached.

      Then, I did exactly what you did. I copied your link with the "ls" in the line, substituting .254 for .1.

      Here is what I got back -- and yes, it is a partial HTML display, but it is a valid and proper response to the ls command -- it gave a directory listing:

      bin
dev
etc
lib
media
mnt
opt
proc
sbin
share
sys
tmp
usr
var
www


      I was using a Chrome browser on a Mac, but that should not matter. Bottom line - at least for me is that it ran the ls command.  

      I am going to try to go back to a previous SW release and hope it works without the flaw.  Otherwise, I will have to try Tomato or DD-WRT, and I really do not want to have to do that and reset everything.

       

      • wawilmsn's avatar
        wawilmsn
        Guide
        Dec 10, 2016

        SUCCESS! ! !

        At least for the R8000 router.

        I downgraded to V1.0.2.46_1.0.97, which is the most recent non-current version.  The downgrade with flawlessly -- no problems at all. I did not loose any settings, so all seems to be working.  I tried the exploit and it did not work.  Like others have reported (after making sure I was logged out of the router), it returned a page saying I was not authorized.

         

        I hope Netgear will provide a new software update for the router. I do not like running an old version -- I feel like there were probably some problems that were fixed in the newer version, but the newer version has an extremely dangerous flaw.

         

        Someone mentioned connecting via the internet (WAN) side vs the LAN or home side.  The PROBLEM is, that your web browser AT HOME, within your LAN could go to a web page, even on a well known site that has a link on a picture (or like within an ad) that has that command embeded.  You do not have to type it in to the top line. It can be an embeded link, and it will run the link and affect the router.


        But -- good for now -- or at least, I feel safer.