NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

DoctorX's avatar
DoctorX
Guide
Dec 18, 2016
Solved

Web GUI Password Recovery Vulnerability?

Back in June a security vulnerability was disclosed:   Web GUI Password Recovery and Exposure Security Vulnerability https://community.netgear.com/t5/Nighthawk-WiFi-Routers/Web-GUI-Password-Recove...
Firmware
Security
  • JamesGL's avatar
    JamesGL
    Jan 06, 2017

    Hi, DoctorX,

     

    The post has been unfreeze.

  • DoctorX's avatar
    DoctorX
    Guide
    Dec 19, 2016

    Is that the same vulnerability?

     

    The reason I ask is that the 1.0.5.70 firmware is dated 06/02/2016 and was released on 06/15/2016.

    The (frozen) post by ChristineT (admin) describing the unresolved issue was posted on 06/22/2016.

     

    If its the same issue can the original post be unfrozen and updated?

    • JamesGL's avatar
      JamesGL
      NETGEAR Employee Retired
      Dec 22, 2016

      Hi DoctorX,

       

      The recent report about vulnerability is different from the Web GUI password Recovery Vulnerability. Both issues has been addressed already.

       

      • DoctorX's avatar
        DoctorX
        Guide
        Dec 23, 2016

        I'm not referring to VU 582384 resolved in firmware v1.0.7.6_1.1.99.  I know this is a different issue.

         

        I'm just wondering why an admin posts about an open issue seven days after it was supposedly fixed in firmware v1.0.5.70 firmware.  This makes me believe the posted vulnerability was not fixed yet.

        It looks like this indicates it was fixed in v1.0.5.70: http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability

         

        Please unfreeze and close the original post I referred to since this misleads us (or at least me) that the issue is still an open one.

         

        Thanks.

         

  • AVJohnnie's avatar
    AVJohnnie
    Tutor
    Feb 01, 2017
    JamesGL wrote:

    Hi DoctorX,

     

    Web GUI Password Recovery has been addressed already. You may check the article below.

     

    http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability?cid=wmt_netgear_organic

     

     

    And what about those of us with the dubious honor of owning E.O.L. (aka, officially abandoned) Netgear devices such as the 1st rev. NightHawk R7500 (EOLed 12 months after inital release) --- So what of us? Are we collectively shoe-horned under the KB30632 (C.Y.A.) section jargon: "If your affected product does not have a firmware fix available, NETGEAR strongly recommends that you follow this workaround procedure to remediate the vulnerability" --- and once again Netgear's customer abandonment leaves us never really knowing if our devices were or were not, vulnerable? Because Netgear prefers not to "talk publicly" about matters they deem to be potentially embarrassing...

     

    It's getting harder and harder to justify continuance at being a Netgear customer...

    • StephenB's avatar
      StephenB
      Guru - Experienced User
      Feb 01, 2017
      AVJohnnie wrote:
      ... NightHawk R7500 ...

      That's not on the list at all, and isn't in the NIST CVE record either.  Are you sure it's affected by this particular vulnerability?

      • AVJohnnie's avatar
        AVJohnnie
        Tutor
        Feb 02, 2017
        StephenB wrote:
        AVJohnnie wrote:
        ... NightHawk R7500 ...

        That's not on the list at all, and isn't in the NIST CVE record either.  Are you sure it's affected by this particular vulnerability?

        Precisely my point - it's on neither list, good or bad. Netgear once again chooses to leave owners of their EOLed devices in the limbo of being unknowingly adrift ... and thereby potentially perpetuating the very problems they claim to be guarding the “Wide Net” against.