Patch for Krack Vulnerability

ALL FIRMWARE should be updated. More info: https://betanews.com/2017/10/16/krack-wpa2-security-vulnerability/

36 Comments
YakNack
Novice

Need a patch for R6220 and wnr2000v3

 

This vulnerability was first disclosed to manufacturers by the researcher in mid July,

CERT sent notifications on Aug 28th, and ICASI sent notifications to members on Sep 12th. 

I'm hoping that Netgear decides to provide patches for more than just the following gear:

 

Netgear: WAC120, WAC505/WAC510, WAC720/730, WN604, WNAP210v2, WNAP320, WNDAP350, WNDAP620, WNDAP660, WND930

 

https://papers.mathyvanhoef.com/ccs2017.pdf

mdgm-ntgr
NETGEAR Employee Retired

NETGEAR is aware of the recently publicized security exploit KRACK, which takes advantage of security vulnerabilities in WPA2 (WiFi Protected Access II).  NETGEAR has published fixes for multiple products and is working on fixes for others. Please follow the security advisory for updates.

 

NETGEAR appreciates having security concerns brought to our attention and is constantly monitoring our products to get in front of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at NETGEAR.

 

To protect users, NETGEAR does not publicly announce security vulnerabilities until fixes are publicly available, nor are the exact details of such vulnerabilities released. Once fixes are available, NETGEAR will announce the vulnerabilities from the NETGEAR Product Security web page.

leogrange
Novice

"pro-active" or "re-active" as you prefer...

Netgear has to patch and fix for all products as soon as possible.

A fundamental belief in my home is to use WiFi; when can I use my DGND3700v2 with a KRACK-fixing patch???

 

L

larryh272
Onlooker
From what I've read on multiple sites, an agreement was made with all vendors and CERT not to publicly announce this WPA 2 Security Vulnerability until Monday at 08:00 EST. After reading the news Monday morning, where I got my first report of the vulnerability, I checked the NETGEAR website for a notice. Nothing was posted... I read your notice this morning. Thanks, great job, but it should have been posted yesterday morning. After the Equifax Breach, my and others' sensitivity to vendors' policies such as 'NETGEAR does not publicly announce security vulnerabilities until fixes are publicly available, nor are the exact details of such vulnerabilities released.' might not meet our financial needs or best interests. I can always shut your equipment off until you can define the vulnerability and create a fix.
CharAp
Follower

My D7000 is offering me a firmware update to V1.0.1.50. Should I, and is that the Krack fix? It's described as [Enhancement] Security enhancement.

 

 

r_steer
Novice
Does R7000 Firmware Version 1.0.9.12 address the KRACK vulnerability? What about Universal PnP vulnerabilities? Thanks.
r_steer
Novice
Answered my own question -- R7000 Firmware Version 1.0.9.12 DOES NOT address the KRACK vulnerability. No newer version of the firmware is currently available. See: https://kb.netgear.com/000049498/Security-Advisory-for-WPA-2-Vulnerabilities-PSV-2017-2826-PSV-2017-... That page simply says that "Netgear is aware of the vulnerability", and then they try to play down its significance. They make no statement about providing patches. Very disappointing -- maybe time to upgrade to a brand that has patched this.
tacoFeline
Apprentice

Netgear isn't offering patches for a load of vulnerable devices, and I'm still trying to get a support/lifecycle policy out of them. There are also other known vulnerabilities with other products, which they have not addressed.

Note that Netgear is mostly ignoring CERT: http://www.kb.cert.org/vuls/id/CHEU-AQNMYE

They also seem to have disabled all or all but one thread using the word "KRACK" as search terms.

I'm unsure if they care about consumers, but getting the word out to businesses that Netgear is horrible on security might be a wake-up call for them.

WHERE ARE OUR SECURITY PATCHES?

 

IS NETGEAR CONTENT TO TAKE THE MONEY AND RUN?!?!?!

 

TIME TO GET THE WORD OUT ON FACEBOOK, TWITTER, INSTAGRAM, ETC...

  • R7000 running firmware version 1.0.9.12 or earlier  - HOW ABOUT AN UPDATE ALREADY? TEN DAYS NOT LONG ENOUGH FOR YA?  😞