3v3ntH0riz0n
Dec 09, 2016 Apprentice
NETGEAR Routers and CVE-2016-582384 security vulnerability
I am a bit concerned about this recent article: http://www.zdnet.com/article/two-netgear-routers-are-vulnerable-to-trivial-to-remote-hack/ https://www.kb.cert.org/vuls/id/582384 Details: Overview Net...
- Dec 11, 2016
NETGEAR is aware of the security issue #582384 affecting R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, D6400 routers. Stay updated here: http://kb.netgear.com/000036386/CVE-2016-582384
We now have beta firmware containing fixes for some affected models.
We're working hard on fixes for the other affected models and will update the security ticket above soon.
**** UPDATE from NETGEAR - Added by ChristineT on 12/15/16 at 10:30 AM PST ****
To our NETGEAR Community, we sincerely apologize for any complications you may have encountered due to the recently publicized vulnerability, referred to as VU 582384. We initially became aware of this vulnerability last Friday when CERT emailed us, and because we had no record of a prior report, we began our standard process of validation prior to making any public statements.
Once it had been disclosed that the first notification actually occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part. While no security reporting system is perfect, we aim to do better, and are evaluating how to improve our response process.
NETGEAR has created a channel for security researchers and other members of the public to contact us regarding potential security issues affecting NETGEAR products (security@netgear.com), which is publicly disclosed from the NETGEAR Product Security Advisory page. We receive numerous emails through this channel, the overwhelming majority of which, on review, do not raise product security issues. When we do recognize that there is a security risk to our customers, we work diligently to address them in a timely manner, as we have done in this case since learning about it last Friday.
Security Advisory for VU 582384 knowledgebase article.
NETGEAR Product Security Advisory page.
michaelkenward
Dec 30, 2016 Guru - Experienced User
pjsand wrote: Following the instructions after downloading the zip file.
Did you unzip the zip file?
You don't say which device you want to flash, but most of the firmware is now officially released. So you should be able to tell the modem/router to go get it without having to retrieve the file.
Sorry, I can't be more precise than that because I don't know what hardware you need to update.
Remember, not all Netgear devices are vulnerable to this security hole.
If you find the manual on the support site it will also have the instructions you need.
pjsand
Dec 30, 2016 Aspirant
That's what was missing in their instructions. Once I unzipped the file I could complete the fix. Thanks for your quick response
- Kitsap Dec 30, 2016 Master
The instructions with the updated firmware for the R7000 include item number 2:
2. Using the Download Link below, download and extract the new firmware to a convenient place such as your desktop. The filename after extracting is R7000-V1.0.7.6_1.1.99.chk
- michaelkenward Dec 31, 2016 Guru - Experienced User
Kitsap wrote: 2. Using the Download Link below, download and extract the new firmware to a convenient place such as your desktop. The filename after extracting is R7000-V1.0.7.6_1.1.99.chk
True, but remember that not everyone understands what extract means. Why should they?
Perhaps the instructions should have said "extract (unzip)".
These days you wonder why they zip things when they contain only one file. It isn't as if bandwidth is an issue any more.
- IrvSp Dec 31, 2016 Master
michaelkenward wrote:
Kitsap wrote: 2. Using the Download Link below, download and extract the new firmware to a convenient place such as your desktop. The filename after extracting is R7000-V1.0.7.6_1.1.99.chk
True, but remember that not everyone understands what extract means. Why should they?
Perhaps the instructions should have said "extract (unzip)".
These days you wonder why they zip things when they contain only one file. It isn't as if bandwidth is an issue any more.
Well, not to insult anyone, there are other reasons for doing that (compressing the d/l file) possibly. One would be to save space on the servers. Also make it easier to handle umpteen requests as smaller files mean faster delivery for everyone. Also they probably use a single set of instructions from a template and just change the filename(s). Some might include a README file or even more than one file. Less chance of error that way.
As for one not knowing what 'extract' means, I get that. In this case one could ask or Google it, not hard to figure out? If one doesn't understand 'extract' would they understand 'unzip'?
If one knew how to set-up a router and the knowledge to do that they probably wouldn't be first time users of a PC either? If they do the setup of the router then someone else did? That person should have done the upgrade I would think?
Again, not trying to upset or insult anyone here, just my $0.02 worth on why it might be both compressed and detailed on what to do. Pjsand never mentions which Router the file was for either, and was told by you to 'unzip' the file and did that and it worked. It is possible that set of instructions is NOT in the d/l that was used?
I see nothing wrong with compressing d/l files (by anyone).
- michaelkenward Dec 31, 2016 Guru - Experienced User
IrvSp wrote: Well, not to insult anyone, there are other reasons for doing that (compressing the d/l file) possibly. One would be to save space on the servers. Also make it easier to handle umpteen requests as smaller files mean faster delivery for everyone.
The compression of a firmware file is minimal. A few percent, if that. Sometimes nothing. (I've just checked a handful.) Certainly not enough to make any difference to storage space of serving multiple requests. In any case, the update server holds an uncompressed file for routers to update themselves. So Netgear has to hold two copies of the thing.
IrvSp wrote:
Some might include a README file or even more than one file.
That's why I said "when they contain only one file".
- StephenB Dec 31, 2016 Guru - Experienced User
We are getting off topic, though fortunately pjsand's problem is solved.
michaelkenward wrote:
The compression of a firmware file is minimal.
True enough, particularly for router firmware. I think a more important advantage of the zip format is that it has a built-in integrity check. If the download is corrupted, the extraction fails.
michaelkenward wrote:
In any case, the update server holds an uncompressed file for routers to update themselves. So Netgear has to hold two copies of the thing.
The update server isn't the same server as the one used for manual downloads (at least that is the case with ReadyNAS firmware).
- michaelkenward Dec 31, 2016 Guru - Experienced User
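The built-in integrity check StephenB mentions is the CRC-32 stored per member in a zip archive. The script below is an added illustration, not code from this thread or from NETGEAR: it builds a constructed, stored (uncompressed, since firmware compresses so little) archive around a fake firmware image in memory, flips a single byte to simulate a damaged download, and shows that Python's zipfile reports the member as bad before anything is flashed. The file name and contents are made up for the example.

```python
import io
import zipfile

# Constructed sample: a small fake firmware image (NOT a real NETGEAR file).
FAKE_FIRMWARE_NAME = "EXAMPLE-firmware.chk"
FAKE_FIRMWARE_BYTES = bytes(range(256)) * 64  # 16 KiB of deterministic filler


def build_zip(name: str, payload: bytes) -> bytes:
    """Return the bytes of a zip archive holding one stored (uncompressed) member.
    zipfile records a CRC-32 of the payload in the local header and the
    central directory; that CRC is what a later extraction checks against."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def corrupt(data: bytes, offset: int) -> bytes:
    """Flip every bit of one byte at `offset`, simulating a damaged download."""
    b = bytearray(data)
    b[offset] ^= 0xFF
    return bytes(b)


def first_bad_member(zip_bytes: bytes):
    """Return None if every member's contents match its stored CRC-32,
    the member name if its data fails the CRC check (what a failed
    extraction reports), or a marker string if the archive structure
    itself (end-of-central-directory record) cannot be read at all."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            # testzip() reads each member fully and compares the running
            # CRC-32 with the one recorded in the archive.
            return zf.testzip()
    except zipfile.BadZipFile:
        return "<archive structure unreadable>"


if __name__ == "__main__":
    archive = build_zip(FAKE_FIRMWARE_NAME, FAKE_FIRMWARE_BYTES)
    print("intact archive:", first_bad_member(archive))          # None
    # Stored members appear verbatim, so locate the payload and damage one byte.
    damaged = corrupt(archive, archive.index(FAKE_FIRMWARE_BYTES) + 100)
    print("damaged payload:", first_bad_member(damaged))         # member name
    # Damage the end-of-central-directory signature (last 22 bytes).
    print("damaged EOCD:", first_bad_member(corrupt(archive, len(archive) - 22)))
```

The same check runs on a real download with `python -m zipfile -t <file>.zip`, which is a cheap step before flashing a router.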
There is one other reason for using zips. It can allow files to get around some security hurdles.
- pjsand Jan 07, 2017 Aspirant
What's important for all to remember, most of us are not IT literate and take instructions literally. I am 60+ and most in my peer group would look for a younger friend to assist with tasks like this. Once I was told through a great response to unzip the file I could easily complete the update. It took me 3 to 4 times longer just to find this valuable site for asking & sharing ideas. Initial instructions need to factor in their audience and 90%+ of the purchasers of this type of hardware are not IT literate. My thanks to you all for your assistance in resolving my issue....pjsand
- michaelkenward Jan 07, 2017 Guru - Experienced User
pjsand wrote: I am 60+ and most in my peer group would look for a younger friend to assist with tasks like this.
In this case, some of the people who have been throwing around their advice, well, at least one of them, is 70+. (I can even help people with putting a ribbon in a typewriter.) But it sure is important to communicate using language that everyone can understand.
In the case of this firmware update, telling people how to deal with zipped files really only applied when users wanted to use the beta versions. Applying the final release didn't need that.
At least these days you don't need software to unzip files. The operating system does that.