3v3ntH0riz0n, Dec 09, 2016, Apprentice
NETGEAR Routers and CVE-2016-582384 security vulnerability
I am a bit concerned about this recent article: http://www.zdnet.com/article/two-netgear-routers-are-vulnerable-to-trivial-to-remote-hack/ https://www.kb.cert.org/vuls/id/582384 Details: Overview Net...
- Dec 12, 2016
NETGEAR is aware of the security issue #582384 affecting R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, D6400 routers. Stay updated here: http://kb.netgear.com/000036386/CVE-2016-582384 We now have beta firmware containing fixes for some affected models.
We're working hard on fixes for the other affected models and will update the security ticket above soon.
**** UPDATE from NETGEAR - Added by ChristineT on 12/15/16 at 10:30 AM PST ****
To our NETGEAR Community, we sincerely apologize for any complications you may have encountered due to the recently publicized vulnerability, referred to as VU 582384. We initially became aware of this vulnerability last Friday when CERT emailed us, and because we had no record of a prior report, we began our standard process of validation prior to making any public statements.
Once it had been disclosed that the first notification actually occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part. While no security reporting system is perfect, we aim to do better, and are evaluating how to improve our response process.
NETGEAR has created a channel for security researchers and other members of the public to contact us regarding potential security issues affecting NETGEAR products (security@netgear.com), which is publicly disclosed from the NETGEAR Product Security Advisory page. We receive numerous emails through this channel, the overwhelming majority of which, on review, do not raise product security issues. When we do recognize that there is a security risk to our customers, we work diligently to address them in a timely manner, as we have done in this case since learning about it last Friday.
Security Advisory for VU 582384 knowledgebase article.
NETGEAR Product Security Advisory page.
RSM52, Dec 17, 2016, Tutor
Some further confusion. I received an e-mail from Netgear yesterday indicating that a fix was available for my router. I had already installed the beta firmware as soon as that came out. So... I assumed that this e-mail was the permanent fix. Imagine my surprise when I started to install the new firmware and I was told it was already installed. So my question is has the beta firmware now become the permanent fix or should I install the new firmware over the beta firmware even though they have the same release numbers?
Unfiltered1, Dec 17, 2016, Tutor
I ran into the same situation RSM52. I didn't receive an email but I had previously installed the beta release of the firmware and today I rummaged around the Netgear site till I found reference to an apparent new, non beta firmware version. I downloaded it and during the update process was also notified that I already had the same version installed. I went ahead and ran the newly downloaded version and everything is working so I guess it didn't break anything. It shows the same version number as previous so I don't know if this is still the beta version or not. Seems like Netgear would have changed one of the numbers if it was a new release out of beta.
- michaelkenward, Dec 17, 2016, Guru - Experienced User
Unfiltered1 wrote: "Seems like Netgear would have changed one of the numbers if it was a new release out of beta."
Indeed. Make that "Netgear should have changed one of the numbers...".
My guess is that they are rushing around like headless chickens trying to pick up the pieces.
- RSM52, Dec 17, 2016, Tutor
One would think they would. Thanks for checking in on this. It would be nice to hear from their moderators if indeed they are the same or not.
- IrvSp, Dec 17, 2016, Master
Not 100% sure that they change release numbers from a Beta to an Official release? I don't recall it happening before other than to basically change content?
Since this was 'supposedly' a single fix (admittedly with a large jump in release number) I would have expected a fast path through Beta and QA testing. More than likely they built the code on the last official release and just added the required code for the security fix. I'll also assume the large jump in release version was due to the work that had been going on since the last official release and internal builds with new fixes and additions. They will probably now merge the security fix into the code just before this one and continue working towards a new beta?
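RSM52 and Unfiltered1 both ran into the same question: the beta image and the later download report the same version number, so the router cannot tell them apart. A version string is only a label; whether two downloaded images are the same build is settled by comparing the files themselves. The following is an added Python example, not code from NETGEAR or from anyone in this thread. The three "images" are constructed byte strings standing in for real downloads, the fixed header layout and the placeholder version string are assumptions for the demonstration, and nothing here is specific to any NETGEAR model.

```python
import hashlib
from typing import Dict, Optional

# Assumed toy header layout (not a real NETGEAR firmware format):
#   bytes 0..4   magic "FWHDR"
#   bytes 5..22  18-byte version string
#   bytes 23..38 16 reserved zero bytes
#   bytes 39..   payload
VERSION_OFFSET = 5
VERSION_LENGTH = 18


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a whole image; equal digests mean byte-identical files."""
    return hashlib.sha256(data).hexdigest()


def read_version(image: bytes) -> str:
    """Pull the version label out of the assumed header layout."""
    raw = image[VERSION_OFFSET:VERSION_OFFSET + VERSION_LENGTH]
    return raw.rstrip(b"\x00").decode("ascii", errors="replace")


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte, or None when the images are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    if len(a) != len(b):
        return min(len(a), len(b))  # one image is a prefix of the other
    return None


def compare_images(a: bytes, b: bytes) -> Dict[str, object]:
    """Report whether two images are the same build, regardless of version label."""
    ha, hb = sha256_hex(a), sha256_hex(b)
    return {
        "same_version_label": read_version(a) == read_version(b),
        "identical": ha == hb,
        "sha256_a": ha,
        "sha256_b": hb,
        "size_a": len(a),
        "size_b": len(b),
        "first_diff_offset": first_difference(a, b),
    }


# Constructed sample images (placeholder version string, not a real release number).
_HEADER = b"FWHDR" + b"V0.0.0_placeholder" + b"\x00" * 16
BETA_IMAGE = _HEADER + b"payload-beta"
RELEASE_IMAGE_SAME_BUILD = _HEADER + b"payload-beta"      # re-published beta, same bytes
RELEASE_IMAGE_RESPIN = _HEADER + b"payload-respin"        # rebuilt, label unchanged


if __name__ == "__main__":
    for name, other in (("re-published", RELEASE_IMAGE_SAME_BUILD),
                        ("respin", RELEASE_IMAGE_RESPIN)):
        report = compare_images(BETA_IMAGE, other)
        print(f"beta vs {name}: same label={report['same_version_label']}, "
              f"identical={report['identical']}, "
              f"first diff at={report['first_diff_offset']}")
```

In practice you would feed `compare_images` the bytes of the two files you actually downloaded. If the digests match, the "new" download is the same build you already flashed and re-installing it changes nothing; if they differ while the version label is the same, you have two distinct builds under one number, which is exactly the ambiguity the posters above describe. Where the vendor publishes a checksum next to the download, compare the file's digest against that as well.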