3v3ntH0riz0n
Dec 09, 2016 Apprentice
NETGEAR Routers and CVE-2016-582384 security vulnerability
I am a bit concerned about this recent article: http://www.zdnet.com/article/two-netgear-routers-are-vulnerable-to-trivial-to-remote-hack/ https://www.kb.cert.org/vuls/id/582384 Details: Overview Net...
- Dec 12, 2016
NETGEAR is aware of the security issue #582384 affecting R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, D6400 routers. Stay updated here: http://kb.netgear.com/000036386/CVE-2016-582384
We now have beta firmware containing fixes for some affected models.
We're working hard on fixes for the other affected models and will update the security ticket above soon.
**** UPDATE from NETGEAR - Added by ChristineT on 12/15/16 at 10:30 AM PST ****
To our NETGEAR Community, we sincerely apologize for any complications you may have encountered due to the recently publicized vulnerability, referred to as VU 582384. We initially became aware of this vulnerability last Friday when CERT emailed us, and because we had no record of a prior report, we began our standard process of validation prior to making any public statements.
Once it had been disclosed that the first notification actually occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part. While no security reporting system is perfect, we aim to do better, and are evaluating how to improve our response process.
NETGEAR has created a channel for security researchers and other members of the public to contact us regarding potential security issues affecting NETGEAR products (security@netgear.com), which is publicly disclosed from the NETGEAR Product Security Advisory page. We receive numerous emails through this channel, the overwhelming majority of which, on review, do not raise product security issues. When we do recognize that there is a security risk to our customers, we work diligently to address them in a timely manner, as we have done in this case since learning about it last Friday.
Security Advisory for VU 582384 knowledgebase article.
NETGEAR Product Security Advisory page.
SeaSalt
Dec 13, 2016 Guide
I flashed the beta firmware on my R6400 in the early hours and after some basic testing it seems the issue has been resolved.
I tried 2 different tests, all done in Edge and Firefox.
- Running the reboot command directly: Was prompted for credentials
- Running the reboot command in a tab while another had routerlogin.net logged in: Was prompted for credentials once more
The fact that a fix had come four months after being reported is still ridiculous, but at least I can now remain on stock firmware without jumping to open source solutions.
climb74
Dec 13, 2016 Guide
SeaSalt, I gave up on actual support from netgear and flashed my device with DD-WRT. At least I get actual support from the OpenSource community... You would figure that a company who actually makes money on a product would take support of their product more seriously than someone doing the job in their spare time for free... but apparently that is not the case. I owned the device less than a year and after spending a decent amount of money on it I had to wash my hands of the vendor... talk about disappointing!
- SeaSalt Dec 13, 2016 Guide
climb74 I agree, I'm incredibly disappointed with my purchase. There's a lack of support from Netgear and that is unnerving for the price point of these products.
I tried out the open-source solutions, and though the featureset satisfied me, the throughput for wireless and wired was much lower compared to Netgear's stock firmware. I can't jump ship just yet, at least until the open-source community improves the firmware.
- GinaGerson Dec 13, 2016 Star
SeaSalt I installed this on, and I get BETTER speed on 2.4G. On 5G no change but there I already got the maximum speed. Also LAN works very well. So no stock roms for me anymore, also because of the poor design and lack of support.
- SeaSalt Dec 13, 2016 Guide
GinaGerson Thank you for the link, I'll definitely test this out on my R7000 later today.
However there doesn't seem to be a similar solution for my R6400, which resides downstairs. My fingers are crossed for more support from other developers!
- meetloaf Dec 13, 2016 Initiate
Yeah, this is the last Netgear product I'll ever buy.
I save my money to finally buy a nice premium router for my home, and this is the kind of treatment I get?
- mdgm-ntgr Dec 13, 2016 NETGEAR Employee Retired
meetloaf we've already released beta firmware for your R7000 with a fix.
- Gandolph Dec 13, 2016 Star
Netgear has had since August to address this issue and has done nothing. Anyone still using stock firmware is being foolhardy; Netgear has shown themselves to be inept and uncaring about their existing customer base. Here is the scoop from Tom's Hardware:
http://www.tomshardware.com/news/netgear-critical-security-vulnerability-router,33173.html
Again, I recommend to all R7000 customers that they download and install the Asus-Wrt firmware referenced earlier in this thread.