3v3ntH0riz0n
Dec 09, 2016 Apprentice
NETGEAR Routers and CVE-2016-582384 security vulnerability
I am a bit concerned about this recent article:
http://www.zdnet.com/article/two-netgear-routers-are-vulnerable-to-trivial-to-remote-hack/
https://www.kb.cert.org/vuls/id/582384
Details:
Overview
Netgear R7000 and R6400 routers and possibly other models are vulnerable to arbitrary command injection.
Description
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Netgear R7000, firmware version 1.0.7.2_1.1.93 and possibly earlier, and R6400, firmware version 1.0.1.6_1.0.4 and possibly earlier, contain an arbitrary command injection vulnerability. By convincing a user to visit a specially crafted web site, a remote attacker may execute arbitrary commands with root privileges on affected routers. A LAN-based attacker may do the same by issuing a direct request, e.g. by visiting:
http:///cgi-bin/;COMMAND
An exploit leveraging this vulnerability has been publicly disclosed.
Impact
By convincing a user to visit a specially crafted web site, a remote attacker may execute arbitrary commands with root privileges on affected routers.
Solution
The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround.
Discontinue use
Exploiting this vulnerability is trivial. Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available.
---------------------------
Can someone from NetGear address this issue? I am running one level behind on my firmware, because I liked the fact that my router could double as my ARLO base station. However, reading this warning from CERT is causing me to be concerned. This router was not cheap, and I have had it for less than a year. If I have to get rid of it, because the issue cannot be resolved, then I would like some kind of compensation or trade in value.
Regards.
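An added example, not part of the original post or the CERT advisory: one way to search proxy or gateway logs for the `/cgi-bin/;COMMAND` request shape quoted above, and to tell a direct LAN request from one triggered by an outside web page. The log format, the router address 192.168.1.1, the file names and the function names are assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines (not real traffic): client "METHOD URL PROTO" status "Referer".
# 192.168.1.1 stands in for the router; example.invalid for an outside page.
SAMPLE_LOG = """\
192.168.1.20 "GET http://192.168.1.1/cgi-bin/;COMMAND HTTP/1.1" 200 "-"
192.168.1.21 "GET http://192.168.1.1/cgi-bin/%3BCOMMAND HTTP/1.1" 200 "http://example.invalid/page.html"
192.168.1.22 "GET http://192.168.1.1/start.htm HTTP/1.1" 200 "-"
192.168.1.23 "GET http://192.168.1.1/cgi-bin/status.cgi HTTP/1.1" 401 "http://192.168.1.1/"
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')
INJECTION_RE = re.compile(r"^/cgi-bin/+;")  # the /cgi-bin/;COMMAND shape from the advisory


def classify(line, router_host):
    """Return a finding dict for a request matching the advisory's pattern, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, _method, url, status, referer = m.groups()
    target = urlsplit(url)
    if target.hostname != router_host:
        return None
    # Decode repeatedly so an encoded or double-encoded ';' is still recognised.
    path = target.path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if not INJECTION_RE.match(path):
        return None
    # A Referer on another host suggests the request was triggered by a web page
    # the user visited (the remote case); otherwise treat it as a direct request.
    ref_host = urlsplit(referer).hostname if referer != "-" else None
    origin = "cross-site" if ref_host and ref_host != router_host else "direct"
    return {"client": client, "path": path, "status": int(status), "origin": origin}


def scan(log_text, router_host="192.168.1.1"):
    """Classify every line and keep only the findings."""
    results = (classify(line, router_host) for line in log_text.splitlines())
    return [r for r in results if r]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```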
NETGEAR is aware of the security issue #582384 affecting R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, D6400 routers. Stay updated here: http://kb.netgear.com/000036386/CVE-2016-582384
We now have beta firmware containing fixes for some affected models.
We're working hard on fixes for the other affected models and will update the security ticket above soon.
**** UPDATE from NETGEAR - Added by ChristineT on 12/15/16 at 10:30 AM PST ****
To our NETGEAR Community, we sincerely apologize for any complications you may have encountered due to the recently publicized vulnerability, referred to as VU 582384. We initially became aware of this vulnerability last Friday when CERT emailed us, and because we had no record of a prior report, we began our standard process of validation prior to making any public statements.
Once it had been disclosed that the first notification actually occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part. While no security reporting system is perfect, we aim to do better, and are evaluating how to improve our response process.
NETGEAR has created a channel for security researchers and other members of the public to contact us regarding potential security issues affecting NETGEAR products (security@netgear.com), which is publicly disclosed from the NETGEAR Product Security Advisory page. We receive numerous emails through this channel, the overwhelming majority of which, on review, do not raise product security issues. When we do recognize that there is a security risk to our customers, we work diligently to address them in a timely manner, as we have done in this case since learning about it last Friday.
Security Advisory for VU 582384 knowledgebase article.
NETGEAR Product Security Advisory page.
233 Replies
Hey Gomes! How many times are you using the edit button? I just opened my email program and there were 31 notices of replies to this thread.
- michaelkenward Guru - Experienced User
Unfiltered1 wrote: Hey Gomes! How many times are you using the edit button? I just opened my email program and there were 31 notices of replies to this thread.
Indeed, this guy does not know how to use a forum. He is practically the only one who creates multiple posts of one message.
But rather than being unkind, let me add a suggestion.
This forum is very good at remembering what you are writing.
If you make a mistake and close a window, or do something equally silly, or even Windows crashes, you can pick up where things went wrong.
Go back to the message you were answering and the forum software will ask if you want to reload your message. It misses very little if anything.
PS Apologies for going off topic, but it might help to preserve the collective sanity.
- hggomes Tutor
I must agree with you, I definitely don't know how to use THIS forum, I'm not used to a forum where at every single edit you will end up flooding the users' mailboxes, I've never seen it happening on ANY other forum used before, XenForo, vBulletin, phpBB, MyBB, etc.
Here's the issue, I usually remember later to add extra content to the initial post or simply notice that I need to fix something in the text (English is not my native language), I also noticed that this forum software only allows the user to edit the post in 5-10m after posting, then the option will be removed, when that happens you will not be able to fix anything anymore or add any extra content to your previous post, which is something new to me, so the way it is it's the way it will end up, never seen anything like that.
Thank you for your post information.
- hggomes Tutor
IrvSp:
You have described exactly what I did, it seems it didn't work at all.
Same here, but you only need to read it to know why.
Unfiltered1:
Definitely not 31 times. :-)
What's up with the email notification system? I'm getting bunches of email notices that a reply has been posted and they appear to just be duplicates. Last batch contained 17 notices and before that there was another long string. Anyone else getting a flood of emails?
- IrvSp Master
Unfiltered1 wrote: What's up with the email notification system? I'm getting bunches of email notices that a reply has been posted and they appear to just be duplicates. Last batch contained 17 notices and before that there was another long string. Anyone else getting a flood of emails?
That usually happens when the writer either presses enter a few times or makes 'minor' editing changes, corrections or adding something after it was posted.
I'm only getting it for 'hggomes' posts though? Only got one for you for instance? Have not seen this in any other instances other than when ones are edited?
The last 2 I got from him via NG was 25 minutes apart and it was edited basically to add a link.
- hggomes Tutor
Probably the result of "Edit Reply" post, if so my fault for editing it and Netgear forum software for working that way.
- aboxofclay Aspirant
netgear wrote: We receive numerous emails through this channel, the overwhelming majority of which, on review, do not raise product security issues.
- michaelkenward Guru - Experienced User
aboxofclay wrote:
Presumably this is meant to indicate that you receive a lot of spam on these mailboxes.
That's one way of interpreting it, but spam is easily trapped. My guess is that "numerous emails through this channel" is more likely to be loaded down with reports of false positives in AV software, or people who are just paranoid and think that every time their system falls over it is a security failure.
As for providing a format for submitting issues, that's a good way of encouraging the spammers.
It would be better to be more diligent in the first place and for Netgear to pay a bit more attention to what it does receive. I suspect that it does so now that it has seen the folly of ignoring messages.
- aboxofclay Aspirant
Spammers (as opposed to spear phishers) aren't going to bother customizing their messages for a mailbox their bot has scraped off the web. However, a consistently formatted subject line will make it easier for a human to recognize a potential problem report. Agreed on the need for increased diligence though.
- Stealth57 Aspirant
I'm running the R6900, which has a beta firmware listed (R6900-V1.0.1.14_1.0.14.chk); however, when I run the manual procedure from a Mac directly connected to the router via CAT5, the thermometer finishes but the spinning hourglass never does. The reported firmware version never updates. Anyone having this issue with the manual update not working?
- JMNB Aspirant
A big THANK YOU to michaelkenward (Master) who responded to my question and addressed each question clearly. If he worked for Netgear I probably wouldn't have had to post my complaint! Appreciate the help, man.
JMNB
- RSM52 Tutor
Some further confusion. I received an e-mail from Netgear yesterday indicating that a fix was available for my router. I had already installed the beta firmware as soon as that came out. So... I assumed that this e-mail was the permanent fix. Imagine my surprise when I started to install the new firmware and I was told it was already installed. So my question is has the beta firmware now become the permanent fix or should I install the new firmware over the beta firmware even though they have the same release numbers?
I ran into the same situation RSM52. I didn't receive an email but I had previously installed the beta release of the firmware and today I rummaged around the Netgear site till I found reference to an apparent new, non beta firmware version. I downloaded it and during the update process was also notified that I already had the same version installed. I went ahead and ran the newly downloaded version and everything is working so I guess it didn't break anything. It shows the same version number as previous so I don't know if this is still the beta version or not. Seems like Netgear would have changed one of the numbers if it was a new release out of beta.
- RSM52 Tutor
One would think they would. Thanks for checking in on this. It would be nice to hear from their moderators if indeed they are the same or not.
- nananabatman Aspirant
Hi,
just tested on my R6250, and got prompted for the admin password. I guess this means that the R6250 is safe(?)
If I was already logged in in another tab, it would not prompt. Maybe that is why the R6250 is included in the advisory?
- SeaSalt Guide
Inolvidable_ I agree with your sentiment. There can be variables that, frankly, could all depend on perspective.
Either way, we can have a lovely discussion on what can be true or not so, but let's not stray too off-topic while we're at it 😄
Netgear has fessed up to Tom's Hardware:
"This vulnerability, which has come to be referred to as VU 582384 was overlooked in our review process. We initially became aware of this vulnerability last Friday, December 9th, when CERT emailed us, and because we had no record of a prior report, began our standard process of validating prior to making any public statements. Once it had been disclosed that the first notification occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part. While no security reporting system is perfect, we aim to do better, and are evaluating how to improve our response process."
http://www.tomshardware.com/news/netgear-responds-security-issue-routers,33199.html
- tivoboy Guide
I always love updates that require resetting ALL settings before doing the update. Anyone have any tips for how to capture all the settings that are changed to make it easier to re-populate?
I have so many IP assignments, port forwarding, QOS, etc.. PIA for sure
- Rilo40 Aspirant
While I am thankful for the beta, any clue as to when a final version will be out? I'm never comfortable running beta firmware on a router for too long of a time.
- mdgm-ntgr NETGEAR Employee Retired
Putting an ETA on things like that is always difficult as it's difficult to predict how long QA testing will take. If both no regressions (issues not present in the previous firmware release) are found and included fixes are verified readily then it will be quicker than if we decide that there are more changes needed.
Naturally we are as keen as you for this process to complete as quickly as possible and we will update the advisory when the final version is available.
Thanks for your patience.
- SeaSalt Guide
alokeprasad I think if you keep your browsing contained you should be fine. Be wary of ads, however, and keep an eye on devices that comment to a lot of things over the internet.
Web pages aren't just simple HTML pages anymore.