3v3ntH0riz0n
Dec 09, 2016, Apprentice
NETGEAR Routers and CVE-2016-582384 security vulnerability
I am a bit concerned about this recent article: http://www.zdnet.com/article/two-netgear-routers-are-vulnerable-to-trivial-to-remote-hack/ https://www.kb.cert.org/vuls/id/582384 Details: Overview Net...
- Dec 11, 2016
NETGEAR is aware of the security issue #582384 affecting R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, D6400 routers. Stay updated here: http://kb.netgear.com/000036386/CVE-2016-582384
We now have beta firmware containing fixes for some affected models.
We're working hard on fixes for the other affected models and will update the security ticket above soon.
**** UPDATE from NETGEAR - Added by ChristineT on 12/15/16 at 10:30 AM PST ****
To our NETGEAR Community, we sincerely apologize for any complications you may have encountered due to the recently publicized vulnerability, referred to as VU 582384. We initially became aware of this vulnerability last Friday when CERT emailed us, and because we had no record of a prior report, we began our standard process of validation prior to making any public statements.
Once it had been disclosed that the first notification actually occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part. While no security reporting system is perfect, we aim to do better, and are evaluating how to improve our response process.
NETGEAR has created a channel for security researchers and other members of the public to contact us regarding potential security issues affecting NETGEAR products (security@netgear.com), which is publicly disclosed from the NETGEAR Product Security Advisory page. We receive numerous emails through this channel, the overwhelming majority of which, on review, do not raise product security issues. When we do recognize that there is a security risk to our customers, we work diligently to address them in a timely manner, as we have done in this case since learning about it last Friday.
Security Advisory for VU 582384 knowledgebase article.
NETGEAR Product Security Advisory page.
IrvSp
Jan 08, 2017, Master
aboxofclay, I am sort of confused over this string of messages you seem to have started within this thread on 1/6?
Was this a returned e-mail to you from Netgear after you reported a problem to them? I can find nothing in the thread like this?
As for SPAM reaching them, it is really a double edged sword. Depending on SPAM filters some will get through, and conversely some that are not SPAM will be discarded.
Yes, there are ways to defeat this, forms to be filled out (although robots can get around this too) but that means a browser must be used to submit reports. Otherwise 'normal' emails are free form and unless there was specific information within the product documentation in the box that detailed what was required one wouldn't know it (or might even forget to look at the documentation before sending off an email). On top of that NG support is only for 90 days. I bet that 'channel' gets a lot of email for h/w OUT OF WARRANTY as well.
So how did you get that 'message' and what did you do about it?
hggomes
Feb 01, 2017, Tutor
Like I previously stated here:
Netgear FW code should definitely be audited; vulnerability news on Netgear almost every day now:
https://www.engadget.com/2017/01/31/more-netgear-wifi-router-vulnerabilities/
http://www.theregister.co.uk/2017/01/31/major_security_hole_in_netgear_routers/
Definitely something to have in mind before getting a Netgear product.
ElaineM: Now you can understand my previous concerns about Netgear vulnerabilities?
Obviously this was something that could be avoided if Netgear could listen more to the people reporting these kinds of issues, instead of keeping things just like they are. I'm really sorry things have reached this point.
- IrvSp, Feb 01, 2017, Master
You did read part of the Engadget link fully, right?
=======
The good news? Netgear has been diligent about patching the security hole. As of the report, 19 models (plus a cable modem) already have firmware updates that will fix the flaws.
=======
The link above in the part I copied was to "Web GUI Password Recovery and Exposure Security Vulnerability" which was updated on 1/27/17 before your links were created.
To me it seems they did 'listen' and did take pro-active action?
- hggomes, Feb 01, 2017, Tutor
Well, that's your opinion about it, I can respect that.
They have listened too late, now that Netgear is on all front pages for the worst motives; this point could have been avoided with actions back then. Check how much time it took for them to simply upgrade an OpenSSL version:
Now they are simply forced to quick-fix things in order to not stain Netgear's name even more.
- IrvSp, Feb 01, 2017, Master
Well, do you know when they first were alerted to the problems? Do you know how long it took them to take action? I don't know those dates?
When something gets reported to them the first thing that needs to be done is verify it is a real threat. Determine the scope of it too. Then formulate a fix, for every instance of that, and then create and test the fix, run QA (ensure it didn't cause regressions, that is break something else), and finally release it.
Note the date the page I referenced was updated last, 1/27 (don't know prior update date nor content change though), and the dates of the URL references you posted. Those were released a few days AFTER NG made the page update.
Also note the list of routers on that NG page. I can only speak for the R7000, but its last F/W release (which according to the LINK says it was fixed on the R7000) was on 12/16/2016. So over 1 1/2 months ago the R7000 had that vulnerability fixed.
To me that makes your argument sort of weak.
But let us switch gears here. What about Microsoft? Many more vulnerabilities affecting many more systems. Do they cover them all INSTANTLY? Nope, they take time to get them out. They also do NOT announce the full extent of most of the vulnerabilities either so they are not publicly known so 'bad guys' can make use of them.
Even with NG making the fixes, just what percentage of all NG Routers do you think will first of all update the firmware or make suggested protection changes? I'd think a good percentage will not.
You can audit/read the code ALL you want. Unless you know what the 'hole' could be and how it could be exploited you may never see it. Yes, some people might, but many coders will not. That is why exploits exist. It is a 'fact' of software coding.
Even MS doesn't respond instantly to all threats.
Some MS URLs about threats:
https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/
Note on the above, they say UPGRADE to W10... what about older versions of the OS?
https://www.microsoft.com/security/portal/enterprise/threatreports_december_2015.aspx
Note on the above, dated 11/2/16, but the fix will not be out until 11/8/16 and roll-out is not immediate to everyone.
By the way, most of those reference 'zero-day attacks'. Do you know what they are? Those are NEW attacks not seen before and using previously unknown holes/weaknesses in the code. No code is immune to these.
Doesn't Microsoft code bother you more than the router firmware code? It doesn't seem like it to me.
Why are you targeting NG? Others have problems too or had them:
http://routersecurity.org/bugs.php
Next is an OLD one but it shows NG isn't alone with problems:
I'm just trying to figure out why you think NG didn't respond and are the lone router mfgr. with these types of problems?