alokeprasad
Sep 06, 2019 (Mentor)
Security Hotfix for X10 R9000?
What security fixes are in https://kb.netgear.com/000061091/R9000-Firmware-Version-1-0-4-36-Hot-Fix Any zero day exploits? The router firmware shows no new available updates, probably because th...
- Sep 19, 2019
Did some more searching:
If you Google the CVE codes below, you get
Current Description (https://nvd.nist.gov/vuln/detail/CVE-2019-5016)
An exploitable arbitrary memory read vulnerability exists in the KCodes NetUSB.ko kernel module which enables the ReadySHARE Printer functionality of at least two NETGEAR Nighthawk Routers and potentially several other vendors/products. A specially crafted index value can cause an invalid memory read, resulting in a denial of service or remote information disclosure. An unauthenticated attacker can send a crafted packet on the local network to trigger this vulnerability.
Current Description (https://nvd.nist.gov/vuln/detail/CVE-2019-5017)
An exploitable information disclosure vulnerability exists in the KCodes NetUSB.ko kernel module that enables the ReadySHARE Printer functionality of at least two NETGEAR Nighthawk Routers and potentially several other vendors/products. An unauthenticated, remote attacker can craft and send a packet containing an opcode that will trigger the kernel module to return several addresses. One of which can be used to calculate the dynamic base address of the module for further exploitation.
So, the information is out there, including on Netgear's own security page (thank goodness for that!).
So, how about including this on the firmware download page?!?
==
Associated CVE IDs: CVE-2019-5016; CVE-2019-5017
NETGEAR has released firmware fixes or hotfixes for KCodes NetUSB unauthenticated remote kernel information disclosure and arbitrary memory read security vulnerabilities on the following product models:
- D6000 running firmware versions prior to v1.0.0.78
- D6400 running firmware versions prior to v1.0.0.88
- D7800 running firmware versions prior to v1.0.1.56
- DC112A running firmware versions prior to v1.0.0.44
- EX6200 running firmware versions prior to v1.0.3.90
- EX6200v2 running firmware versions prior to v1.0.1.78
- EX8000 running firmware versions prior to v1.0.1.202
- R6250 running firmware versions prior to v1.0.4.38_BETA
- R6400 running firmware versions prior to v1.0.1.50
- R7300DST running firmware versions prior to v1.0.0.74_BETA
- R7500v2 running firmware versions prior to v1.0.3.41_BETA
- R7800 running firmware versions prior to v1.0.2.63_BETA
- R7900 running firmware versions prior to 1.0.3.14_10.0.40_BETA
- R8000 running firmware versions prior to 1.0.4.38_10.1.59_BETA
- R8900 running firmware versions prior to v1.0.4.36_BETA
- R9000 running firmware versions prior to v1.0.4.36_BETA
- WNDR4300v2 running firmware versions prior to v1.0.0.60_BETA
- WNDR4500v3 running firmware versions prior to v1.0.0.60_BETA
- XR500 running firmware versions prior to v2.3.2.56
- XR700 running firmware versions prior to v1.0.1.18_BETA
==
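One way to check a device inventory against the fixed-in versions from the advisory list quoted above, added here as an example (not NETGEAR's or the poster's code). It assumes firmware strings are ordered by their numeric fields, with the `v` prefix and `_BETA` tag ignored; the inventory is constructed sample data.

```python
import re

# Fixed-in versions copied from the advisory list quoted above
# (subset shown; extend with the remaining models from that list).
FIXED_IN = {
    "D7800": "v1.0.1.56",
    "EX8000": "v1.0.1.202",
    "R7800": "v1.0.2.63_BETA",
    "R7900": "1.0.3.14_10.0.40_BETA",
    "R8000": "1.0.4.38_10.1.59_BETA",
    "R9000": "v1.0.4.36_BETA",
    "XR500": "v2.3.2.56",
}

def version_key(version):
    """Numeric fields of a firmware string: 'v1.0.4.36_BETA' -> (1, 0, 4, 36).

    Assumption: ordering is decided by the numeric fields alone, so the
    leading 'v' and tags such as '_BETA' are ignored. Comparing the raw
    strings is wrong: 'v1.0.1.98' sorts after 'v1.0.1.202' as text.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))

def status(model, running):
    """Return 'vulnerable', 'fixed' or 'not-listed' for one device."""
    fixed = FIXED_IN.get(model.strip())
    if fixed is None:
        # Absent from this table only; says nothing about exposure.
        return "not-listed"
    if version_key(running) < version_key(fixed):
        return "vulnerable"  # "prior to" the fixed-in version
    return "fixed"

def audit(inventory):
    """Attach a status to every (model, running firmware) pair."""
    return [(m, v, status(m, v)) for m, v in inventory]

# Constructed sample inventory (not real device data).
SAMPLE = [
    ("R9000", "V1.0.4.26"),
    ("R9000", "v1.0.4.36_BETA"),
    ("EX8000", "v1.0.1.98"),
    ("R7900", "1.0.3.8_10.0.37"),
    ("R7000", "1.0.9.88"),
]

if __name__ == "__main__":
    for model, running, result in audit(SAMPLE):
        print(f"{model:8} {running:18} {result}")
```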
alokeprasad
Sep 19, 2019 (Mentor)
Or, like I suggested in the OP:
Netgear could/should disclose vulnerabilities, especially zero-day ones, like the more reputed companies do. It has _some_ on their security page https://www.netgear.com/about/security/ and https://www.us-cert.gov/ncas/bulletins
And tell us which one of those is being addressed in the "hotfix" (which implies a certain sense of urgency (speed over rigor in testing) of release)