SirThomas
Feb 18, 2018, Tutor
R7000 open vulnerability with unencrypted logon
R7000 seems to accept unencrypted (plain text) logins? This is also a vulnerability notification from anyone running Bitdefender Box scanning router. When logging into router there is no encryption b...
- Feb 20, 2018
Well, maybe something NG will look at. Would be up to them to make changes. I presume some of this would be customer or how many instances of bad experiences with this issue. Haven't seen a ton of issues where people are abusing this issue. May not be something to worry too much about, since this has been the norm regarding the UI for a long time. Up to the Mfrs though.
FURRYe38
Feb 19, 2018, Guru - Experienced User
Pretty sure logins on the LAN side are only plain text logins since it's LAN side access. If remote management is enabled then of course HTTPS would be used, using the public IP address and a pre-assigned port address. Web UI access logins to the router's web page on the LAN side isn't needed. Unless you think someone on the LAN side is trying to gain access.
Most router Mfrs don't use HTTPS on the web UI login. Maybe some newer models. I have 3 new NG routers. All use HTTP to access the UI for the login.
SirThomas
Feb 19, 2018, Tutor
True. But NG should fix this in a firmware update so that logon information is not easily seen even on LAN side. This is a security vulnerability, that and having to pay for product support from NG!
- FURRYe38, Feb 19, 2018, Guru - Experienced User
Most logins are hidden. At least the PW is when you type it in. Dots are seen, not actual characters. Usually users who are managing the router are, or should be, alone if they're typing in PWs.
I do see some Mfrs that have the option to hide or not hide the PW as well. It's up to the Mfr I presume to let the user choose this option.
- schumaku, Feb 19, 2018, Guru - Experienced User
FURRYe38, it does not matter if the UI does kind of hide the password field, or if there is some kind of obfuscation code in place.
- FURRYe38, Feb 19, 2018, Guru - Experienced User
I know. I know some don't understand HTTP vs HTTPS and password field operation and what it all means being on the LAN side of the router and what real vulnerabilities are.
schumaku wrote:
FURRYe38, it does not matter if the UI does kind of hide the password field, or if there is some kind of obfuscation code in place.
- schumaku, Feb 19, 2018, Guru - Experienced User
SirThomas wrote:
But NG should fix this in a firmware update so that logon information is not easily seen even on LAN side.
We buy a product based on the product specifications on the box and the related documents like a data sheet. There is no word of a secured management interface.
SirThomas wrote:
This is a security vulnerability, that and having to pay for product support from NG!
No, it's not a vulnerability. Well, the term "trusted network" is a commonly accepted mitigation. Enabling https access and disabling http would make your "expensive" security system shut up.
Of course, you are a happy camper at this point, too.
I'm not. Because I know that the most critical information in this "secure" connection is not secure enough: My router private key is well known. And so is the Entrust signed certificate. All similar routers out there make use of the same private key, the same certificate serial number, and the very same fingerprint.
This "green" https connection is not any better than the plain text http connection on my trusted network. But it's OK because it's my private network again. Figure.
And no - I'm not aware we pay NTGR for software maintenance, enhancements, new services, new features.
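An added example, not code from this thread or from NETGEAR, illustrating schumaku's point that masking the password field in the UI does nothing for a credential sent over plain HTTP: a small detector run over constructed capture lines that flags cleartext logins to the router's admin address and reports only the username and password length, never the password itself. It assumes the admin UI uses HTTP Basic authentication and a made-up one-request-per-line capture format; both are assumptions for this example.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed sample capture (format invented for this example):
# "<src> -> <dst>:<port> <METHOD> <path> | <header>; <header>"
SAMPLE_CAPTURE = [
    "192.168.1.20 -> 192.168.1.1:80 GET /start.htm | Host: 192.168.1.1; Authorization: Basic YWRtaW46aHVudGVyMg==",
    "192.168.1.20 -> 192.168.1.1:80 GET /logo.png | Host: 192.168.1.1",
    "192.168.1.21 -> 192.168.1.1:443 GET /start.htm | Host: 192.168.1.1; Authorization: Basic YWRtaW46aHVudGVyMg==",
    "192.168.1.22 -> 93.184.216.34:80 GET / | Host: example.com; Authorization: Basic dXNlcjpzZWNyZXQ=",
    "192.168.1.23 -> 192.168.1.1:80 GET /start.htm | Authorization: Basic not-base64!",
]

LINE_RE = re.compile(
    r"^(?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<method>\S+) (?P<path>\S+) \| (?P<headers>.*)$"
)
BASIC_RE = re.compile(r"Authorization:\s*Basic\s+(?P<token>\S+)", re.IGNORECASE)


def decode_basic_user(token: str) -> Optional[Dict[str, int]]:
    """Decode a Basic-auth token; return username and password length only."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None  # malformed token: not a usable credential, don't flag
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return {"user": user, "password_length": len(password)}


def flag_cleartext_logins(lines: List[str], admin_hosts=("192.168.1.1",)) -> List[dict]:
    """Return one finding per Basic-auth request sent to an admin host over plain HTTP.
    Port 443 is skipped: the transport is encrypted even if, as schumaku notes,
    a shared router certificate makes that encryption weaker than it looks."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["dst"] not in admin_hosts or m["port"] == "443":
            continue
        auth = BASIC_RE.search(m["headers"])
        if not auth:
            continue
        cred = decode_basic_user(auth["token"])
        if cred:
            findings.append({"src": m["src"], "dst": m["dst"], "port": int(m["port"]),
                             "path": m["path"], **cred})
    return findings


if __name__ == "__main__":
    for f in flag_cleartext_logins(SAMPLE_CAPTURE):
        print(f"cleartext admin login from {f['src']} as '{f['user']}' "
              f"(password length {f['password_length']})")
```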
- SirThomas, Feb 20, 2018, Tutor
@schumaku
For around $200 you shouldn't have to pay more for maintenance. But I do see how companies like NG would soon start the pay to play.
- JamesGL, Mar 01, 2018, NETGEAR Employee Retired
Hi All,
We are aware of this request for our routers and we are in the process of rolling this feature through firmware update for various product models. We will inform you as soon as the feature is released.
JamesGL
Community Team