R7000 Vulnerability Note VU#582384

Thank you

I'm running it on my R7000 which I'm currently using just as an AP and it's working fine for me.

Others have also installed it. See e.g. https://community.netgear.com/t5/Nighthawk-WiFi-Routers/The-last-straw-new-vulnerability-for-R7000-R6400-R8000/m-p/1187234#M44417

This is an insane vunerability that is super easy to exploit. It doesn't even require the user to be logged in. I demand to know when this is going to be fixed.

this workaround posted by Bas996 above seems to work for me. Thank you!! Now I feel a bit more comfortable while waiting for Netgear.

I wasn't successful in the telnetd variant of this exploit, but was successful in shutting down the web interface using bas996's link.  Thanks for link.  I'm guessing the telnetd may not be successful, but apparently 'kill' is, so perhaps other commands are as well.  I rarely reboot the router, so this will have to work for now.

robwilkens--

Thank you for pointing out these issues:

---

robwilkens wrote:
It would not show up on web interface. The sample just runs the telnet daemon which runs in background as a process. Try running a telnet to the router on the port.

---

I went back and attempted to connect to the router with a putty telnet session.  The connection was refused from both LAN and Internet IP addresses and from both the default ports and port 45.  I think at this point I am reasonably convinced that the firmware does not respond to THIS aspect of the exploit, but may be vulnerable to others.  I cannot disconnect my router, so I will just practice caution.

C.L

There are a lot of people that are of the same opinion. I strongly urge you and others to tweet @netgear to voice your displeasure. The Netgear twitter page is getting bombarded with complaints. Curiously, not a single word out of Netgear.

In complete fairness to Netgear, yesterday was the day that CERT released this vulnerability note.  Let's say they did come up with a fix, it would probably a period of testing internally before safely releasing this to the general public, there's nothing worse a company can do to their reputation with users than fix something that breaks something else that was working.

20 years ago I used to be a CERT coordinator for a computer company (we had our own UNIX-based OS) and there's a process from getting the vulnerability, to determining which if any devices are vulnerable, to submitting it to an internal database of issues, to it being prioritized by management and assigned, to the investigation of cause, to the development of a fix, to making sure that fix doesn't negatively affect users, and of course to packaging and distributing the fix.

BvdRee I like the Twitter idea, but we need a hashtag as well. How about #NetgearBrokenSecurity?

The "Twitter Campaign" is a good idea. I would encourage readers of this thread that are affected by this problem to post Tweets to @netgear .  

I don't think blocking the routers ip address from the router would help -- The problem is accessing the router from your in-home network,most like at 192.168.1.1 address. They get you to open a web page that has a frame that goes to that address and opens a port (or whatever else it may want to do) and once that port is open it is open to external network.  

What _might_ work, is somehow blocking 192.168.1.1 (or whatever your router address is) from all of your potential web browsing applications, so they can't issue commands to the router without you consciously turning that off.

I do not do this myself, and suspect you'd have to be good at working your firewall software on your laptop to block this -- and i suspect it would be an annoyance if you did need the web interface of router (I like to use it to check IP addresses on attached devices).

-Rob