
RBS40: Whoops! Netgear Armor says my Netgear Orbi has a security vulnerability

markvauxhall
Aspirant


Hi there,

 

I'm running an RBR40 and RBS40 at home, with Netgear Armor. 

 

This morning Netgear Armor pushed a notification to my phone that it had detected a security vulnerability... on my Netgear RBS40.

 

Screenshot of the notification attached. I'm already running the latest firmware - V2.3.5.32.

 

Any advice? Feels a bit... embarrassing for one Netgear product to tell me that another Netgear product is insecure, and for there not to be a fix in place.

 

Thanks.

 

 

 

Model: RBS40|Orbi AC2200 Tri-band WiFi Add-on Satellite
Message 1 of 9
FURRYe38
Guru

Re: RBS40: Whoops! Netgear Armor says my Netgear Orbi has a security vulnerability

Actually this is the latest version of FW:

https://community.netgear.com/t5/Orbi/RBR50-RBS50-Firmware-2-5-1-16-Update/m-p/1897955/highlight/tru...

 

I would post about this over in the Armor forum please:

https://community.netgear.com/t5/NETGEAR-Armor/bd-p/en-home-armor

Thank you. 

Message 2 of 9
Mikey94025
Hero

Re: RBS40: Whoops! Netgear Armor says my Netgear Orbi has a security vulnerability

This may just be warning you that your Orbi router admin website, http://orbilogin.com/index.htm, is not using HTTPS and your router password is therefore not being transferred encrypted. I personally don't think this is a serious security vulnerability, since this is only accessible from within your home network. You have more serious problems if there are attackers on your home network than discovering your Orbi admin website login and password.

Message 3 of 9
CrimpOn
Guru

Re: RBS40: Whoops! Netgear Armor says my Netgear Orbi has a security vulnerability


@markvauxhall wrote:

Any advice? Feels a bit... embarrassing for one Netgear product to tell me that another Netgear product is insecure, and for there not to be a fix in place.


Others have pointed out the situation with Netgear routers using "http" for the LAN side web interface. There are similar problems when using the "https" web interface (Self-Signed SSL Certificate). "Embarrassing" is a good word for it.

Message 4 of 9
markvauxhall
Aspirant

Re: RBS40: Whoops! Netgear Armor says my Netgear Orbi has a security vulnerability

@FURRYe38 wrote:

Actually this is the latest version of FW:

https://community.netgear.com/t5/Orbi/RBR50-RBS50-Firmware-2-5-1-16-Update/m-p/1897955/highlight/tru...

 

I would post about this over in the Armor forum please:

https://community.netgear.com/t5/NETGEAR-Armor/bd-p/en-home-armor

Thank you. 


Thanks! Oddly when I go to my router admin console it tells me there are no new FW versions (image attached) - but can clearly see in your link an updated version number. Assume I'll have to do a manual update?

 

Again, frankly it feels a bit embarrassing for Netgear that the router can't even tell me there's a new firmware version out.

 

Not clear why this is more relevant for the Armor forum if it's a vulnerability on the router?

Message 5 of 9
FURRYe38
Guru

Re: RBS40: Whoops! Netgear Armor says my Netgear Orbi has a security vulnerability

Yes, minor versions of FW may not appear in the RBR's web page or Orbi app. So for minor versions, like v16, users can manually download and manually install the files. This is normal and not a bug. RBS first, then RBR lastly.

Any and all Armor questions, problems and information are handled in the Armor forum, where that's all related.

 

Good Luck. 

 

Message 6 of 9
CrimpOn
Guru

Re: RBS40: Whoops! Netgear Armor says my Netgear Orbi has a security vulnerability


@markvauxhall wrote:

Again, frankly it feels a bit embarrassing for Netgear that the router can't even tell me there's a new firmware version out.

This is an issue that Netgear "can't win"

  • When Orbi first came out, Netgear silently pushed firmware updates, and people were frustrated (and angry) when the updates caused their Orbis to not work correctly.
  • So, Netgear began advertising "New Firmware" (even sending out emails to users). But, some of these releases also had bad side-effects.
  • Now, Netgear releases new firmware on the Support web site and users can download and install it if they want to. Thus, if something goes wrong, "it's their fault."
  • There is a lurking promise that at some unknown time in the future, Netgear will produce a firmware update that is urgent. Maybe they will push it silently. Maybe they will announce it on the "app" and web interface. Maybe they will do something else.

Embarrassing is a good description.

Not clear why this is more relevant for the Armor forum if it's a vulnerability on the router?

The reason to post in the Armor forum is because this is an issue of "one hand not knowing what the other is doing." How can Netgear's Armor product not know that Netgear's web interface is a well-known problem with no obvious solution?  Can't the error message point out that Armor at least knows that "the software provider" (Netgear) has no updated firmware?


I am one of the users who mentioned this issue more than a year ago.  Orbi already supports an httpS (encrypted) version of the web interface.  Why they don't just disable the http version is beyond me.

Message 7 of 9
FURRYe38
Guru

Re: RBS40: Whoops! Netgear Armor says my Netgear Orbi has a security vulnerability

Probably won't disable HTTP for backwards compatibility. Plenty of other router mfrs that still use HTTP on their router pages. Again, using HTTP on the LAN side isn't a vulnerability on the LAN side. Only would be if you had a household member trying to do nefarious things on the LAN side.

Message 8 of 9
Christian_R
NETGEAR Employee Retired

Re: RBS40: Whoops! Netgear Armor says my Netgear Orbi has a security vulnerability

Hello @markvauxhall

 

Welcome to the community! May you send me a private message with your email address along with the serial numbers of your RBR40 and the RBS40 that is being flagged as a vulnerability. 

 

Thanks,

Christian 

Message 9 of 9