JohnWDarby
Jun 28, 2016 - Initiate
Web GUI Password Recovery and Exposure Security Vulnerability
I would like to point out to Netgear that their password recovery options are woefully insecure. I followed their advice to turn on Password Recovery but immediately aborted. Every single question ca...
- Jun 29, 2016
Hi All,
Here is the KB article for the vulnerability in question. You can check it for the specific model numbers that are affected.
michaelkenward
Jun 29, 2016 - Guru - Experienced User
TheEther wrote: Automobile recalls? You'd be surprised how many safety issues never result in recalls. Look how long GM took to fess up on the key ignition flaw. They got caught in that one, but for every issue like that, there are probably several more being buried. Or they are documented as non-mandatory service bulletins, where the customer has to ask for the fix, provided they know about it!
Even when they do happen, recalls in this sector are phased. They don't call up all cars immediately.
The urgency depends on the severity of the issue. Something that has minimal safety implications can wait.
Likewise with IT stuff. If a bug means that planes could fall out of the sky, there is a rush to fix it. If it just means a few sleepless nights for the terminally paranoid, what's the hurry?
hawki
Jun 29, 2016 - Apprentice
michaelkenward:
My reference to auto recalls was in the context of complaining about the cost to get help to fix the vulnerability (in my case $50) since my Wifi Cable Router Gateway was purchased 12 months ago. I will need help since my Netgear GUI Change PW Page has no checkmark box to "enable PW Recovery."
I was not using the auto recall analogy as a standard for the length of time from discovery of a defect to customer notification. I was using it as a comparable case of manufacturer cost responsibility for a defect. I am highly security aware and have a triple-layered security setup and use two on-demand second-opinion security scanners. I keep current on security and internet privacy news on an hourly basis. I am not aware of Netgear having issued a press release on this vulnerability as other security and hardware companies do. The way Netgear handled this vulnerability is shameful: unaware Tech Support giving out potentially disastrous misinformation; email notification to me two months after it was posted in the Security Advisory section; a fix that I and others, as reported on this forum, cannot make; and a totally non-responsive answer to a filed emailed support ticket.
I did submit a case ticket by email that is limited to 150 characters. I stated my problem to be that I had no "enable PW Recovery" box on my Change PW Page to enable PW Recovery, the suggested security fix.
I received a response similar to the following. It was totally unresponsive to my question: "To change your password go to the change PW page, enter your new PW, confirm the new PW, click OK, close GUI." NADA about how to find the "enable PW Recovery" box.
Netgear's approach in its handling of this matter is an inexcusable disgrace.
hawkeye
- michaelkenward, Jun 29, 2016 - Guru - Experienced User
hawki wrote: michaelkenward:
My reference to auto recalls was in the context of complaining about the cost to get help to fix the vulnerability (in my case $50) since my Wifi Cable Router Gateway was purchased 12 months ago. I will need help since my Netgear GUI Change PW Page has no checkmark box to "enable PW Recovery."
Some IT businesses offer "support" that is so bad that user-to-user forums are a better option.
Perhaps you could have tried asking your question here before giving money to Netgear.
- hawki, Jun 29, 2016 - Apprentice
Thank you, michaelkenward, for your constructive suggestion :-)
Looks like I will have to do that when I have the time.
My basic problem is that when I go to the Advanced Menu page for changing passwords there is no checkmark block to check to "Enable PW Recovery"
The IP address shown in DOS after following the preliminary instructions is not "my ISP IP"; it is my router's IP, I assume.
But when I enter either IP address in the address bar it brings me to the same GUI with no box to check "To Enable PW Recovery"
I can see the unchecked remote box on another page.
hawkeye
- TheEther, Jun 30, 2016 - Guru
hawki, what is the model of your router?