3v3ntH0riz0n
Dec 09, 2016, Apprentice
NETGEAR Routers and CVE-2016-582384 security vulnerability
I am a bit concerned about this recent article: http://www.zdnet.com/article/two-netgear-routers-are-vulnerable-to-trivial-to-remote-hack/ https://www.kb.cert.org/vuls/id/582384 Details: Overview Net...
- Dec 11, 2016
NETGEAR is aware of the security issue #582384 affecting R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, D6400 routers. Stay updated here: http://kb.netgear.com/000036386/CVE-2016-582384
We now have beta firmware containing fixes for some affected models.
We're working hard on fixes for the other affected models and will update the security ticket above soon.
**** UPDATE from NETGEAR - Added by ChristineT on 12/15/16 at 10:30 AM PST ****
To our NETGEAR Community, we sincerely apologize for any complications you may have encountered due to the recently publicized vulnerability, referred to as VU 582384. We initially became aware of this vulnerability last Friday when CERT emailed us, and because we had no record of a prior report, we began our standard process of validation prior to making any public statements.
Once it had been disclosed that the first notification actually occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part. While no security reporting system is perfect, we aim to do better, and are evaluating how to improve our response process.
NETGEAR has created a channel for security researchers and other members of the public to contact us regarding potential security issues affecting NETGEAR products (security@netgear.com), which is publicly disclosed from the NETGEAR Product Security Advisory page. We receive numerous emails through this channel, the overwhelming majority of which, on review, do not raise product security issues. When we do recognize that there is a security risk to our customers, we work diligently to address them in a timely manner, as we have done in this case since learning about it last Friday.
Security Advisory for VU 582384 knowledgebase article.
NETGEAR Product Security Advisory page.
IrvSp
Feb 01, 2017, Master
You did read part of the Engadget link fully right?
=======
The good news? Netgear has been diligent about patching the security hole. As of the report, 19 models (plus a cable modem) already have firmware updates that will fix the flaws.
=======
The link above in the part I copied was to "Web GUI Password Recovery and Exposure Security Vulnerability" which was updated on 1/27/17 before your links were created.
To me it seems they did 'listen' and did take pro-active action?
hggomes
Feb 01, 2017, Tutor
Well, that's your opinion about it, I can respect that.
They have listened too late, now that Netgear is on all the front pages for the worst motives. This point could have been avoided with actions back then; check how much time it took for them to simply upgrade an OpenSSL version:
Now they are simply forced to quick fix things in order to not stain Netgear's name even more.
- IrvSp, Feb 01, 2017, Master
Well, do you know when they first were alerted to the problems? Do you know how long it took them to take action? I don't know those dates?
When something gets reported to them the first thing that needs to be done is verify it is a real threat. Determine the scope of it too. Then formulate a fix, for every instance of that, and then create and test the fix, run QA (ensure it didn't cause regressions, that is break something else), and finally release it.
Note the date the page I referenced was updated last, 1/27 (don't know prior update date nor content change though), and the dates of the URL references you posted. Those were released a few days AFTER NG made the page update.
Also note the list of routers on that NG page. I can only speak for the R7000, but its last F/W release (which according to the LINK says it was fixed on the R7000) was on 12/16/2016. So over 1 1/2 months ago the R7000 had that vulnerability fixed.
To me that makes your argument sort of weak.
But let us switch gears here. What about Microsoft? Many more vulnerabilities affecting many more systems. Do they cover them all INSTANTLY? Nope, they take time to get them out. They also do NOT announce the full extent of most of the vulnerabilities either so they are not publicly known so 'bad guys' can make use of them.
Even with NG making the fixes, just what percentage of all NG Routers do you think will first of all update the firmware or make suggested protection changes? I'd think a good percentage will not.
You can audit/read the code ALL you want. Unless you know what the 'hole' could be and how it could be exploited you may never see it. Yes, some people might, but many coders will not. That is why exploits exist. It is a 'fact' of software coding.
Even MS doesn't respond instantly to all threats.
Some MS URLs about threats:
https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/
Note on the above, they say UPGRADE to W10... what about older versions of the OS?
https://www.microsoft.com/security/portal/enterprise/threatreports_december_2015.aspx
Note on the above, dated 11/2/16, but the fix will not be out until 11/8/16 and roll-out is not immediate to everyone.
By the way, most of those reference 'zero-day attacks'. Do you know what they are? Those are NEW attacks not seen before and using previously unknown holes/weaknesses in the code. No code is immune to these.
Doesn't Microsoft code bother you more than the router firmware code? It doesn't seem like it to me.
Why are you targeting NG? Others have problems too or had them:
http://routersecurity.org/bugs.php
Next is an OLD one but it shows NG isn't alone with problems:
I'm just trying to figure out why you think NG didn't respond and are the lone router mfgr. with these types of problems?
- hggomes, Feb 01, 2017, Tutor
Seriously? Obviously you are not getting the message...
Any manufacturer is subject to having vulnerabilities in their products, no exceptions, but when you see a company like Netgear using critical software components that are almost 12 years old (OpenSSL 0.9.7f 22 March 2005), with legions of well-known security flaws (CVEs) in the public realm, on all their products including the latest ones, anyone can already see what kind of security concerns exist on their part, and still taking several months to address them...
It shouldn't be the end user / client reporting these issues; don't they have eyes to see it after 12 years? Or maybe their development team doesn't know about it? Don't they see https://cve.mitre.org/ or other online news? That's quite hilarious.
I'm not specifically targeting Netgear; there are also other similar situations happening with manufacturers like D-Link, TP-Link, etc.
I'm simply reporting a real fact which should be shared and known to the general public before deciding to purchase their products. This kind of critical reporting is important and only makes companies better, not worse; unfortunately not everyone can understand it that way.
I suggest you keep supporting Netgear that way since you are quite happy with their products / support; they really appreciate it.
- michaelkenward, Feb 01, 2017, Guru - Experienced User
IrvSp wrote: Well, do you know when they first were alerted to the problems? Do you know how long it took them to take action? I don't know those dates?
In this case, Netgear has admitted that it took the eye off the ball.
It did receive an approach from someone who first spotted the vulnerability, but the approach seems to have been a one off email to an address at Netgear that may have ended up in the spam bin.
When the person who discovered the flaw made it public, it was all hands to the pumps at Netgear, with beta releases of new firmware pushed out widely within days.
There then followed emailings to people who had registered their hardware.
There are blow by blow accounts of this sequence on this board.
Some people turned up here weeks, sometimes months, after the flap complaining – not always in language that it is easy to understand – about crimes against humanity, only to be pointed to the solutions.
- IrvSp, Feb 01, 2017, Master
michaelkenward wrote:
IrvSp wrote: Well, do you know when they first were alerted to the problems? Do you know how long it took them to take action? I don't know those dates?
In this case, Netgear has admitted that it took the eye off the ball.
It did receive an approach from someone who first spotted the vulnerability, but the approach seems to have been a one off email to an address at Netgear that may have ended up in the spam bin.
When the person who discovered the flaw made it public, it was all hands to the pumps at Netgear, with beta releases of new firmware pushed out widely within days.
There then followed emailings to people who had registered their hardware.
There are blow by blow accounts of this sequence on this board.
Some people turned up here weeks, sometimes months, after the flap complaining – not always in language that it is easy to understand – about crimes against humanity, only to be pointed to the solutions.
Yes, and in this case the reports on other sites from 1/30 and later seem to have triggered the posting. That or the poster was using those 'reports' as if it just happened.
It just seems as if the person claiming NG is not doing its job refuses to accept they did once they had the information?
I don't support everything NG did/does. I am NOT a 'fanboy' of them. I use their products and I'm happy with it. I've had LinkSys, ASUS, and even TP-Link as well. I'm not unhappy with them either, just I have NG now. I purchase on need and capability, not brand.
- michaelkenward, Feb 01, 2017, Guru - Experienced User
IrvSp wrote: It just seems as if the person claiming NG is not doing its job refuses to accept they did once they had the information?
He, I assume, is not alone, there have been other latecomers to the bandwagon. But most of them give up when they discover what has gone on.
One problem has been the number of people who turned up asking about hardware that was not on the vulnerability list. (There is a simple test you can use to see if you are vulnerable.)
Then there was the "false positive", the D7000 I think, that was on the original list, only to prove immune to the exploit.
- hggomes, Feb 01, 2017, Tutor
I must ask, I'm interested in getting the GPL code for several Netgear products:
R7000, R7500, R8000, R8500, etc...
What happened to the Netgear GPL repository files available back then?
Was it replaced by this?
"If you would like a copy of the GPL source code contained in this product shipped to you on a USB Flash Drive for a charge of $20, which is no more than the cost of preparing and shipping the USB Flash Drive to you, please contact opensourcesw@netgear.com"
?!!?!?!?!?!!?
Even if you send an email to this address it will be refused, reporting that your email address is not accepted / allowed.
I'm not really interested in buying it, but in getting it / downloading it for free.
The old link is not available anymore, also no success finding it after a quick search.
- IrvSp, Feb 01, 2017, Master
Better off asking in https://www.myopenrouter.com/ as that is where Open Source is handled.
The real problem you'll face is finding specific f/w versions... they might not be available, but over there 3rd party source code is.
- hggomes, Feb 01, 2017, Tutor
I'm not really interested in other projects' GPLs, but in the original/native Netgear GPL code, which was always shared on their product/GPL page.
- StephenB, Feb 01, 2017, Guru - Experienced User
IrvSp wrote:
Better off asking in https://www.myopenrouter.com/ as that is where Open Source is handled.
I don't think you can get the GPL links for Netgear firmware there - at least I am only seeing dd-wrt and similar stuff.
There's a kb article which should contain the links the OP is asking for, but which is now blank. ElaineM is looking into it.
- hggomes, Feb 01, 2017, Tutor
Let's wait for them to fix the problem/GPL page.
- IrvSp, Feb 01, 2017, Master
StephenB wrote:
IrvSp wrote: Better off asking in https://www.myopenrouter.com/ as that is where Open Source is handled.
I don't think you can get the GPL links for Netgear firmware there - at least I am only seeing dd-wrt and similar stuff.
There's a kb article which should contain the links the OP is asking for, but which is now blank. ElaineM is looking into it.
Knew that, that is why I suggested that Hugo asks there. Obviously some of the developers might know where the GPL source code might be. I did find R7000's F/W source code with a Google search but it was V1.05, not of much value. That is at https://github.com/hajuuk/R7000, but just now I dug a little deeper on that page and there is a LINK to http://kb.netgear.com/app/answers/detail/a_id/2649/~/netgear-open-source-code-for-programmers-(gpl) and THAT IS WHERE all the version links are for many different devices. Just what he needs.
- StephenB, Feb 01, 2017, Guru - Experienced User
IrvSp wrote:
...there is a LINK to http://kb.netgear.com/app/answers/detail/a_id/2649/~/netgear-open-source-code-for-programmers-(gpl) and THAT IS WHERE all the version links are for many different devices. Just what he needs
Exactly so.
Earlier in the day that displayed as a blank page. I PM'd ElaineM when I discovered that, and it looks like she was able to get it straightened out.
- hggomes, Feb 01, 2017, Tutor
Fixed now:
http://kb.netgear.com/2649/NETGEAR-Open-Source-Code-for-Programmers-GPL?cid=wmt_netgear_organic
- hggomes, Feb 01, 2017, Tutor
Out of curiosity I downloaded the latest R7000 1.0.7.6 FW version and GPL (released on 15 DEC 16) to confirm that the issue in the closed thread was really fixed / got OpenSSL updated, and I was astonished at how the https://community.netgear.com/t5/General-WiFi-Routers/Netgear-routers-found-to-have-critical-vulnerabilities-within/td-p/1085599 case was closed / fixed; it seems nothing at all changed in the FW regarding old OpenSSL versions:
R7000 Firmware Version 1.0.7.6 - Released on 15 December 2016
OpenSSL 0.9.7f [22 Mar 2005] (source code) - 11 years and 10 months. Location:
/ap/gpl/openssl
/ap/gpl/transmission/openssl
OpenSSL 0.9.8e [23 Feb 2007] (source code) - 9 years and 11 months. Location:
/ap/gpl/timemachine/openssl-0.9.8e/
OpenSSL 1.0.0g [18 Jan 2012] (binary file libcrypto.so.1.0.0) - 5 years. Location:
/src/router/arm-uclibc/target/lib
For reference on OpenSSL vulnerabilities: https://www.openssl.org/news/vulnerabilities.html
All OpenSSL versions / branches used by Netgear FWs are EOL now / deprecated / no support anymore, which seems not to be a problem to Netgear DEV team, this issue was considered fixed by them not sure based on what changes.
So once again this was initially reported on May 16 and still not fixed, almost 1 year now, this seems a lost case to me like many others...
IrvSp Does it ring a/any bell now?
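An added example, not part of the original post or of NETGEAR's code: one way to repeat the version inventory in the post above is to search an unpacked firmware or GPL tree for OpenSSL's version banner and compute each release's age at the audit date. The file names and contents in `SAMPLE` are constructed, and `EOL_BRANCHES` simply encodes the branches the post calls end-of-life.

```python
import os
import re
from datetime import date

# OPENSSL_VERSION_TEXT banner (opensslv.h / libcrypto), e.g. b"OpenSSL 1.0.0g 18 Jan 2012"
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*) +(\d{1,2}) ([A-Z][a-z]{2}) (\d{4})")
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
EOL_BRANCHES = {"0.9.7", "0.9.8", "1.0.0"}  # assumption: taken from the post above

def find_banners(blob):
    """Return the set of (branch, full_version, release_date) found in bytes."""
    hits = set()
    for m in BANNER.finditer(blob):
        branch, letter, day, mon, year = (g.decode() for g in m.groups())
        try:
            released = date(int(year), MONTHS.index(mon) + 1, int(day))
        except ValueError:  # unknown month name or impossible calendar date
            continue
        hits.add((branch, branch + letter, released))
    return hits

def age(released, as_of):
    """Whole (years, months) between a release date and the audit date."""
    months = (as_of.year - released.year) * 12 + as_of.month - released.month
    if as_of.day < released.day:
        months -= 1
    return divmod(months, 12)

def audit(files, as_of):
    """files: iterable of (path, bytes). Returns rows sorted oldest first."""
    rows = []
    for path, blob in files:
        for branch, version, released in find_banners(blob):
            rows.append((released, version, path,
                         age(released, as_of), branch in EOL_BRANCHES))
    return sorted(rows)

def walk(root):
    """Yield (path, bytes) for each regular file under an unpacked tree."""
    for d, _, names in os.walk(root):
        for p in (os.path.join(d, n) for n in names):
            if os.path.isfile(p) and not os.path.islink(p):
                with open(p, "rb") as fh:
                    yield p, fh.read()

# Constructed sample standing in for walk("<unpacked tree>"): directory names
# come from the post; the file names and byte contents are made up.
H = b'#define OPENSSL_VERSION_TEXT "OpenSSL %s"\n'
SAMPLE = [
    ("ap/gpl/openssl/crypto/opensslv.h", H % b"0.9.7f 22 Mar 2005"),
    ("ap/gpl/timemachine/openssl-0.9.8e/crypto/opensslv.h", H % b"0.9.8e 23 Feb 2007"),
    ("src/router/arm-uclibc/target/lib/libcrypto.so.1.0.0",
     b"\x7fELF\x00OpenSSL 1.0.0g 18 Jan 2012\x00"),
]
```

Calling `audit(walk(path), date.today())` runs the same check on a real unpacked tree. A banner shows that a library version is shipped, not which of its functions are reachable from the network, which is the point the two posters disagree on.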
- IrvSp, Feb 01, 2017, Master
You had another THREAD on this and were told what parts of it were being used. See https://community.netgear.com/t5/General-WiFi-Routers/Netgear-routers-found-to-have-critical-vulnerabilities-within/td-p/1085599 and use that one if you are unhappy with the results.
============
NETGEAR uses OpenSSL version 1.0.0 for all the router functions that require secure transportation (such as remote https and OpenVPN), we only use OpenSSL 0.9x for “libcrypto” functions in the Time Machine (taking backup from Apple Macs to USB HDD connected to the router) software package not for transportation.
============
If you think that is wrong, reply back in THAT thread.
You were also directed to this, http://kb.netgear.com/000036386/CVE-2016-582384, as well and it says it is corrected.
I assume you do not agree, CALL SUPPORT...
- hggomes, Feb 01, 2017, Tutor
In case you haven't noticed that thread was closed, so I or anyone else is NOT able to reply to it, making your suggestion invalid. :-)
Their reply on this issue is nonsense anyway; besides 1.0.0, 0.9.7 and 0.9.8 are also being used, which are all EOL / Deprecated / Not supported anymore versions, so it doesn't really matter if it's 1.0.0 or 0.9.7/8; they are all non-secure versions FYI.
- IrvSp, Feb 01, 2017, Master
hggomes wrote: In case you haven't noticed that thread was closed, so I or anyone else is NOT able to reply to it, making your suggestion invalid. :-)
Their reply on this issue is nonsense anyway; besides 1.0.0, 0.9.7 and 0.9.8 are also being used, which are all EOL / Deprecated / Not supported anymore versions, so it doesn't really matter if it's 1.0.0 or 0.9.7/8; they are all non-secure versions FYI.
Didn't realize it was closed, so start a NEW one... don't hijack others.
Please put all you want to say before pressing the POST button. I read my email copy and I'm seeing many that appear close to the same from you. It is a waste of time reading them. Even then, as I reply to one you seem to be changing it too. PLEASE STOP posting like that.
EOL just means it will NOT be updated. One can STILL use it though. Did you know that XP and even Win95 is still in use? They I assume are using 3 different versions for different tasks, NONE of which exposes the firmware to an exploit it would seem according to NG. You have different proof, post it to them in a DIFFERENT thread please and STOP editing the ones you did post. I've seen 3 popups that you are replying to ones here as I enter this. Never see a new one though so it is an OLD one I've already read.
- hggomes, Feb 01, 2017, Tutor
Unfortunately, like I previously explained, it's due to "Edit Reply" button use, so we should blame this forum software; it doesn't make too much sense to me a user not being able to edit the text.
I have really enjoyed your EOL explanation, maybe I'll give it a try on Windows 95, thank you. :-)
- IrvSp, Feb 01, 2017, Master
hggomes wrote: Unfortunately, like I previously explained, it's due to "Edit Reply" button use, so we should blame this forum software; it doesn't make too much sense to me a user not being able to edit the text.
I have really enjoyed your EOL explanation, maybe I'll give it a try on Windows 95, thank you. :-)
Most people DO NOT NEED to edit their posts. They USE PREVIEW and read what would be posted and if they want to make a change switch back to RICH TEXT or HTML, make the changes and when DONE, then press POST. Try it some time, you might like it.
Yes, EOL doesn't mean it will not work... functions used do...
I'm done with you... now I know why that thread was probably closed...