SirThomas
Feb 18, 2018 Tutor
R7000 open vulnerability with unencrypted logon
R7000 seems to accept unencrypted (plain text) logins? This is also a vulnerability notification from anyone running Bitdefender Box scanning router. When logging into router there is no encryption b...
- Feb 20, 2018
Well, maybe something NG will look at. Would be up to them to make changes. I presume some of this would be customer or how many instances of bad experiences with this issue. Haven't seen a ton of issues where people are abusing this issue. May not be something to worry too much about, since this has been the norm regarding the UI for a long time. Up to the Mfrs though.
SirThomas
Feb 19, 2018 Tutor
True. But NG should fix this in a firmware update so that logon information is not easily seen even on LAN side. This is a security vulnerability, that and having to pay for product support from NG!
FURRYe38
Feb 19, 2018 Guru - Experienced User
Most logins are hidden. At least the PW is when you type it in. Dots are seen, not actual characters. Usually users who are managing the router are or should be alone if they're typing in PWs.
I do see some Mfrs that have the option to hide or not hide the PW as well. It's up to the Mfr I presume to let the user choose this option.
- schumaku Feb 19, 2018 Guru - Experienced User
FURRYe38, it does not matter if the UI does kind of hide the password field, or if there is some kind of obfuscation code in place.
- FURRYe38 Feb 19, 2018 Guru - Experienced User
I know. I know some don't understand the HTTP vs HTTPS and password field operation and what it all means being on the LAN side of the router and what real vulnerabilities are.
schumaku wrote: FURRYe38, it does not matter if the UI does kind of hide the password field, or if there is some kind of obfuscation code in place.
- SirThomas Feb 19, 2018 Tutor
Internal authentication is just as important as external. Most infiltrating takes place from the inside. I wonder is this the same flaw as in recent news? The use of &genie=1 flaw? Netgear uses too many things to log in or administer with. Example is ip, telnet etc, up app, genie app, and router login.net that doesn't work. Even open source offers encrypted login options.