kochin
Dec 09, 2016 Apprentice
R7000 & R6400 Vulnerability Note VU#582384
[When I created this post, I wasn't aware of the 2 discussions already on this topic: "Two leading Netgear routers are vulnerable to a severe security flaw", "R7000 Vulnerability Note VU#582384"] ...
- Dec 15, 2016
Hi All,
The Security Advisory for VU 582384 has been updated.
Also, for more information and update see the thread below.
ElaineM
Dec 14, 2016 NETGEAR Employee Retired
Hi All,
The Security Advisory for VU 582384 has been updated.
Also, for more information see the link below.
kochin
Dec 14, 2016 Apprentice
Thank you for the update. It shows that Netgear has the courage to admit their own mistake. I'll take that as a promising indication that Netgear will learn from this incident.
Once it had been disclosed that the first notification occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part.
- Wyle008 Dec 14, 2016 Aspirant
Hi
Just updated the firmware of my R7000 router to beta 1.0.7.6 and would like to know if others also experience the following behaviour (used MS Edge for testing):
1. Go to router start page (in my case 192.168.1.1) and click cancel, meaning do not enter username and password
2. Enter the poc url http://192.168.1.1/cgi-bin/;telnetd$IFS-p$IFS'45' into the address bar and click cancel when it asks for username and password. 404 not found message appears
3. Entering the router start page 192.168.1.1 again doesn't ask for username and password now and I am automatically logged in to the management console?!
Is this working as designed or still a bug in the beta firmware?
- ElaineM Dec 14, 2016 NETGEAR Employee Retired
Perhaps a cached page? Did you delete browsing history and cache?
Though I don't have Edge, I'm not getting this on IE, Firefox and Chrome.
- kochin Dec 15, 2016 Apprentice
I do recall a similar experience with the Chrome browser right after I updated to the beta firmware. As ElaineM said, it probably was a cached page. That was my immediate guess when I saw my router showed me the administration page without logging in, and I restarted my browser and then was asked to log into the router.
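Added example, not part of any post in this thread and not NETGEAR code: a small Python log check that flags requests shaped like the PoC URL quoted above (a `;` directly after `/cgi-bin/`, with `$IFS` standing in for spaces), including percent-encoded variants. The log format, addresses, timestamps and function names are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample: access-log lines in common log format, as a LAN web
# proxy might record them. Addresses, timestamps and sizes are made up.
SAMPLE_LOG = """\
192.168.1.23 - - [14/Dec/2016:10:02:11 +0000] "GET / HTTP/1.1" 401 0
192.168.1.23 - - [14/Dec/2016:10:02:40 +0000] "GET /cgi-bin/;telnetd$IFS-p$IFS'45' HTTP/1.1" 404 0
192.168.1.40 - - [14/Dec/2016:10:05:02 +0000] "GET /cgi-bin/%3Btelnetd%24IFS-p%24IFS%2745%27 HTTP/1.1" 404 0
192.168.1.40 - - [14/Dec/2016:10:05:09 +0000] "GET /images/logo.png HTTP/1.1" 200 512
"""

# client address, request URL and status code of one log line
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# a ';' where the CGI script name should start, as in the thread's PoC URL
SEMICOLON_AFTER_CGI = re.compile(r"/cgi-bin/+;")
# $IFS or ${IFS} used in place of a space, which a URL cannot carry unencoded
IFS_SEPARATOR = re.compile(r"\$(?:IFS|\{IFS\})")

def classify(url):
    """Return the indicator names that match one request URL."""
    decoded = unquote(unquote(url))  # undo up to two layers of %-encoding
    hits = []
    if SEMICOLON_AFTER_CGI.search(decoded.split("?", 1)[0]):
        hits.append("semicolon-after-cgi-bin")
    if IFS_SEPARATOR.search(decoded):
        hits.append("ifs-separator")
    return hits

def scan(lines):
    """Return (client, status, url, indicators) for each suspicious request."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, url, status = m.groups()
        hits = classify(url)
        if hits:
            findings.append((client, int(status), url, hits))
    return findings

if __name__ == "__main__":
    for client, status, url, hits in scan(SAMPLE_LOG.splitlines()):
        print(f"{client} status={status} {','.join(hits)} {url}")
```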