NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

3v3ntH0riz0n's avatar
3v3ntH0riz0n
Apprentice
Dec 09, 2016
Solved

NETGEAR Routers and CVE-2016-582384 security vulnerability

I am a bit concerned about this recent article: http://www.zdnet.com/article/two-netgear-routers-are-vulnerable-to-trivial-to-remote-hack/ https://www.kb.cert.org/vuls/id/582384 Details: Overview Net...
backdoor
Firmware
injection
R7000
Security
vunerable
  • mdgm-ntgr's avatar
    mdgm-ntgr
    Dec 11, 2016


    NETGEAR is aware of the security issue #582384 affecting R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, D6400 routers. Stay updated here: http://kb.netgear.com/000036386/CVE-2016-582384

     

    We now have beta firmware containing fixes for some affected models.

    We're working hard on fixes for the other affected models and will update the security ticket above soon.

     

    **** UPDATE from NETGEAR - Added by ChristineT on 12/15/16 at 10:30 AM PST ****

     

    To our NETGEAR Community, we sincerely apologize for any complications you may have encountered due to the recently publicized vulnerability, referred to as VU 582384. We initially became aware of this vulnerability last Friday when CERT emailed us, and because we had no record of a prior report, we began our standard process of validation prior to making any public statements. 

     

    Once it had been disclosed that the first notification actually occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part. While no security reporting system is perfect, we aim to do better, and are evaluating how to improve our response process.

     

    NETGEAR has created a channel for security researchers and other members of the public to contact us regarding potential security issues affecting NETGEAR products (security@netgear.com), which is publicly disclosed from the NETGEAR Product Security Advisory page.  We receive numerous emails through this channel, the overwhelming majority of which, on review, do not raise product security issues.  When we do recognize that there is a security risk to our customers, we work diligently to address them in a timely manner, as we have done in this case since learning about it last Friday.

     

    Security Advisory for VU 582384 knowledgebase article.

    NETGEAR Product Security Advisory page.

     

     

IrvSp's avatar
IrvSp
Master
Feb 01, 2017

Well, do you know when they first were alerted to the problems? Do you know how long it took them to take action? I don't know those dates?

 

When something gets reported to them the first thing that needs to be done is verify it is a real threat. Determine the scope of it too. Then formulate a fix, for every instance of that, and then create and test the fix, run QA (ensure it didn't cause regressions, that is break something else), and finally release it.

 

Note the date the page I referenced was updated last, 1/27 (don't know prior update date nor content change though), and the dates of the URL references you posted. Those were release a few days AFTER NG made the page update.

 

Also note the list of routers on that NG page. I can only speak for the R7000, but its last F/W release (which according to the LINK says it was fixed on the R7000) was on 12/16/2016. So over 1 1/2 months ago the R7000 had that vulnerability fixed.

 

To me that makes your argument sort of weak.

 

But let us switch gears here. What about MicroSoft? Many more vulnerabilities affecting many more systems. Do they cover them all INSTANTLY? Nope, they take time to get them out. They also do NOT announce the full extent of most of the vulnerabilities either so they are not publically known so 'bad guys' can make use of them.

 

Even with NG making the fixes, just what percentage of all NG Routers do you think will first of all update the firmware or make suggested protection changes? I'd think a good percentage will not.

 

You can audit/read the code ALL you want. Unless you know what the 'hole' could be and how it could be exploited you may never see it. Yes, some people might, but many coders will not. That is why exploits exist. It is a 'fact' of software coding.

 

Even MS doesn't respond instantly to all threats.

 

Some MS URL's about threats:

 

https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/

Note on the above, they say UPGRADE to W10... what about older versions of the OS?

https://www.microsoft.com/security/portal/enterprise/threatreports_december_2015.aspx

https://blogs.microsoft.com/microsoftsecure/2016/09/26/modern-browsers-are-closing-the-door-on-java-exploits-but-some-threats-remain/

http://www.trustedreviews.com/news/read-microsoft-s-snarky-response-to-google-uncovering-a-windows-flaw

Note on the above, dated 11/2/16, but the fix will not be out until 11/8/16 and roll-out is not immediate to everyone.

https://blogs.technet.microsoft.com/mmpc/2017/01/23/exploit-kits-remain-a-cybercrime-staple-against-outdated-software-2016-threat-landscape-review-series/

https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/

 

By the way, most of those reference 'zero-day attacks'. Do you know what they are? Those are NEW attacks not seen before and using previously unknown holes/weaknesses in the code. No code is immune to these.

 

Doesn't Microsoft code bother you more than the router firmware code? It doesn't seem like it to me.

 

Why are you targeting NG? Others have problems too or had them:

 

http://routersecurity.org/bugs.php

Next is an OLD one but it shows NG isn't alone with problems:

http://www.pcworld.com/article/2464300/fifteen-new-vulnerabilities-reported-during-router-hacking-contest.html

 

I'm just trying to figure out why you think NG didn't respond and are the lone router mfgr. with these types of problems?

hggomes's avatar
hggomes
Tutor
Feb 01, 2017

Seriously? Obviously you are not getting the message...

 

Any manufacturer is subject to have have vulnerabilities on they're products, no exceptions, but when you see a company like Netgear using critical software components with almost 12 years old (OpenSSL 0.9.7f 22 March 2005) with legions of well known security flaws (CVE's) at public realm on all their products including the latest ones anyone already can see what kind of security concerns exist from their part, and still taking several months to address them...

 

It shouldn't be the end-user / client reporting this issues, don't they have eyes to see it after 12 years? Or maybe they development team doesn't know about it? Don't they see the https://cve.mitre.org/ or other online news? That's quite hillarious.

 

I'm not targetting expecifically Netgear, there's also other similar situations happening on manufacturers like D-Link, TP-Link, etc.

I'm simply reporting a real fact which should be shared and known to the general public before deciding to purchase their products, these kind of critical reporting is important and only makes company's better not worse, unfortunatelly not everyone can understand it that way.

 

I suggest you to keep supporting Netgear that way since you are quite happy with their products / support, they really apreciate it.