Forum Discussion
3v3ntH0riz0n
Dec 09, 2016 - Apprentice
NETGEAR Routers and CVE-2016-582384 security vulnerability
I am a bit concerned about this recent article: http://www.zdnet.com/article/two-netgear-routers-are-vulnerable-to-trivial-to-remote-hack/ https://www.kb.cert.org/vuls/id/582384 Details: Overview Net...
- Dec 12, 2016
NETGEAR is aware of the security issue #582384 affecting R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, D6400 routers. Stay updated here: http://kb.netgear.com/000036386/CVE-2016-582384
We now have beta firmware containing fixes for some affected models.
We're working hard on fixes for the other affected models and will update the security ticket above soon.
**** UPDATE from NETGEAR - Added by ChristineT on 12/15/16 at 10:30 AM PST ****
To our NETGEAR Community, we sincerely apologize for any complications you may have encountered due to the recently publicized vulnerability, referred to as VU 582384. We initially became aware of this vulnerability last Friday when CERT emailed us, and because we had no record of a prior report, we began our standard process of validation prior to making any public statements.
Once it had been disclosed that the first notification actually occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part. While no security reporting system is perfect, we aim to do better, and are evaluating how to improve our response process.
NETGEAR has created a channel for security researchers and other members of the public to contact us regarding potential security issues affecting NETGEAR products (security@netgear.com), which is publicly disclosed from the NETGEAR Product Security Advisory page. We receive numerous emails through this channel, the overwhelming majority of which, on review, do not raise product security issues. When we do recognize that there is a security risk to our customers, we work diligently to address them in a timely manner, as we have done in this case since learning about it last Friday.
Security Advisory for VU 582384 knowledgebase article.
NETGEAR Product Security Advisory page.
wawilmsn
Dec 10, 2016 - Guide
I would assume - yes. You asked for a directory listing, and it gave it to you. The report is, that telnet worked also. I could not think of an easy command to use that would prove a security breach without doing harm. I have gone back and forth with the old and new software a couple of times now, and have made sure that browser cache was cleared each time, and that I was not logged into the router. And, it FAILED every time. That is, even with the older software, the security problem still existed. I got a directory listing with the "ls" command issued.
I will have to try Tomato this afternoon. Or go buy (another) new, expensive router.
GinaGerson
Dec 10, 2016 - Star
Temporary solution can be found here.
tl;dr – a quick overview
Here are the three steps (explanation below):
- Open a web browser and visit the following URL:
  http://[router-address]/cgi-bin/;telnetd$IFS-p$IFS'12346'
  (it’ll look like it’s loading a page, just leave the window open and continue with the next step)
- Type the following in a console / terminal window / command prompt:
  telnet [router-address] 12346
  You will (should) now have BusyBox root access to your router.
- Type in the following to terminate the router’s web server process:
  killall httpd
done!
- SqueakyEye - Dec 10, 2016 - Guide
Thank you for sharing this. I read the article. According to that documentation the fix is only good until you reboot the router.
Also, you are disabling your ability to log in to the router, until you reboot it.
I went to my public IP address using this URL and I can see that I am seeing a lot of Javascript. Wow, that is really bad.
- 3v3ntH0riz0n - Dec 11, 2016 - Apprentice
Thanks for this. I killed the web service on the router. Is Netgear aware or acknowledging this? I saw another blog post today talking about this exploit.
- alokeprasad - Dec 11, 2016 - Mentor
Is X-10 R9000 also affected? Can someone please check?
It is a new product, so ZDNet might not have tested it.
- 3v3ntH0riz0n - Dec 11, 2016 - Apprentice
You can test it yourself by using that url.
Log in to your router, and find out the ip of it. Then replace the ip with that test url. If you get can't be found or access denied then you are good, if you get anything else, then it's vulnerable.
http://[router-address]/cgi-bin/;uname$IFS-a
Link to the article: http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/
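
Added example, not part of the thread or of NETGEAR's advisory: a log check that flags requests shaped like the test URL quoted above (shell metacharacters or `$IFS` following `/cgi-bin/`), including percent-encoded variants. It assumes Common Log Format lines from a proxy or network sensor in front of the router; the sample lines, addresses and `example.cgi` name are constructed.

```python
import re
from urllib.parse import unquote

# Request line of a Common Log Format entry: client ... "METHOD target HTTP/x.y"
LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Shell metacharacters that should never appear in a /cgi-bin/ path.
SHELL_META_RE = re.compile(r"[;|&`]|\$\(|\$\{?IFS\}?")

def injection_reason(target):
    """Return why a request target looks like command injection, else None."""
    path = target.split("?", 1)[0]      # '&' is legitimate in a query string
    for _ in range(3):                  # bounded decode: catches %3B and %253B
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    idx = path.lower().find("/cgi-bin/")
    if idx == -1:
        return None
    match = SHELL_META_RE.search(path[idx + len("/cgi-bin/"):])
    if match is None:
        return None
    return f"shell metacharacter {match.group(0)!r} in /cgi-bin/ path"

def scan(lines):
    """Return (client, target, reason) for every suspicious log line."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        reason = injection_reason(m.group(2))
        if reason:
            hits.append((m.group(1), m.group(2), reason))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Dec/2016:10:01:02 +0000] "GET /start.htm HTTP/1.1" 200 512',
    '192.0.2.10 - - [11/Dec/2016:10:01:09 +0000] "GET /cgi-bin/example.cgi?a=1&b=2 HTTP/1.1" 404 0',
    '198.51.100.7 - - [11/Dec/2016:10:02:41 +0000] "GET /cgi-bin/;uname$IFS-a HTTP/1.1" 200 96',
    '203.0.113.5 - - [11/Dec/2016:10:03:15 +0000] "GET /cgi-bin/%3Buname%24IFS-a HTTP/1.1" 200 96',
]

if __name__ == "__main__":
    for client, target, reason in scan(SAMPLE_LOG):
        print(f"{client} {target} -> {reason}")
```

A hit with a 200 status, as in the last two constructed lines, matches the "anything else" outcome described in the test instructions above and is the case to prioritise.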