NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
Web GUI Password Recovery and Exposure Security Vulnerability
I would like to point out to Netgear that their password recovery options are woefully insecure. I followed their advice to turn on Password Recovery but immediately aborted, Every single question ca...
Hi All,
Here is the KB article for the said vulnerability. You can check for the specific model number that is affected.
Netgear's customer support policy leaves a lot to be desired, but on the issue of taking two months to inform customers about this vulnerability, it is not necessarily unreasonable.
What!?! How can that be? When it comes to a security vulnerability, it's counter productive to make a public announcement until one is sure that the vulnerability is real and, ideally, one has a fix available. The last thing you want to do is tell every hacker in the world that you have an unpatched flaw with no fix in sight.
Automobile recalls? You'd be surprised how many safety issues never result in recalls. Look how long GM took to fess up on the key ignition flaw. They got caught in that one, but for every issue like that, there are probably several more being buried. Or they are documented as non mandatory service bulletins, where the customer has to ask for the fix, provided they know about it!
In the security industry, it's common for white hat hackers to quietly work with companies to fix vulnerabilities. This process takes time. White hats will often prescribe a certain amount of time before they publicize a bug. This is done to incentivize a company to not drag its feet. It's possible that Netgear took too long, or perhaps the news simply leaked out and that were forced to make a public statement.
Do you have a right to be frustrated? Sure. But hopefully you can see the other side of the coin.
This particular bug is similar to other bugs in that it requires a hacker to already have inside access to your network in order to attack your router. If a hacker has access to your network, you have already lost the war. Who cares about the battle over your router? Actually, you should care, but I hope you get my point.
For this reason, I've been advocating in other threads to not enable password recovery. I do not represent Netgear and this advice is my own. Use it at your own risk.
TheEther wrote:Automobile recalls? You'd be surprised how many safety issues never result in recalls. Look how long GM took to fess up on the key ignition flaw. They got caught in that one, but for every issue like that, there are probably several more being buried. Or they are documented as non mandatory service bulletins, where the customer has to ask for the fix, provided they know about it!
Even when they do happen, recalls in this sector are phased. They don't call up all cars immediately.
The urgency depends on the severity of the issue. Something that has minimal safety implications can wait.
Likewise with IT stuff. If a bug means that planes could fall out of the sky, there is a rush to fix it. If it just means a few sleepless nights for the terminally paranoid, what's the hurry?
michaelkenward:
My reference to auto recalls was in the context of complaining about the cost to get help to fix the vulnerability (in my case $50) since my Wifi Cable Router Gateway was purchased12 months ago. I will neeed heed help since my Netgear GUI Change PW Page has no checkmark box to "enable PW Recovery."
I was not using the auto recall analogy as a standard for the length of time from discovery of a defect to customer notification. I was using it as a comparable case of manufacurer cost responsibility for a defect. I am highly security aware and have a triple layered security set up and use two on demand second opinion security scanners. I keep current on security and internet privacy news on an hourly basis, I am not aware of Netgear having issued a press release on this vulnerablity as other security and hardware companies do. The way Netgear handled this Vulnerabilty is Shameful: Unaware Tech Support giving out potentially disasterous misinformation; email Notification to me two months after it was posted in The Security Advisory Section; a fix that myself and others, as reported on this forum, can not make and a totally non-responsive answer to a filed emailed support ticket.
I did submit a case ticket by email that is limited to 150 characters. I stated my problem to be that I had no "enable PW Recovery" box on my Change PW Page to enable PW Recovery,the suggested security fix"
I received response similar to the following. It was totally unresponsive to me question.. "To change your password go to the change PW page, enter your new PW,confirm the new PW, click OK,close GUI." NADA about how to find the "enable PW Recovery box."
Netgear's approach in its handling of this matter is an inexusable disgrace.
hawkeye
hawki wrote:michaelkenward:
My reference to auto recalls was in the context of complaining about the cost to get help to fix the vulnerability (in my case $50) since my Wifi Cable Router Gateway was purchased12 months ago. I will neeed heed help since my Netgear GUI Change PW Page has no checkmark box to "enable PW Recovery."
Some IT businesses offer "support" that is so bad that user-to-user forums are a better option.
Perhaps you could have tried asking your question here before giving money to Netgear.
Thak You michaelkenward for your constructive suggestion :-)
Looks like I will have to do that when I have the time.
My basic problem is that when I go to the Advanced Menu page for changing passwords there is no checkmark block to check to "Enable PW Recovery"
The IP address shown in dos after following the preliminary instructions is not "my ISP IP", it is my router's IP I assume.
But when I enter either IP address in the address bar it brings me to the same GUI with no box to check "To Enable PW Recovery"
I can see the unchecked remote box on another page.
hawkeye
