Re: Avast Vulnerability Catalogue ID CVE-2017-14491 for the Nighthawk R7000 ac1900 dualband wifi ...

sixteen59 · ‎2018-07-04

I'm wondering how it is that there can be such differences in the versions of dnsmasq in various models firmware. I have an R6400 (v1) which uses dnsmasq version 2.15 (released in 2004) in it's latest and it appears in all firmware ever released for this model. How does a router model released in 2015 get firmware compiled using such incredibily outdated source? Why do I see older models with newer versions? WTF is the dev process here? There are older routers listed that use far newer versions but I'm not sure any of Netgears use anything post 2.78 yet. In fact it seems that Netgear is actively ignoring this verified and published CVE from over half a year ago. There's another thread where a mod (who I just called out in a personal message) closed right away claiming it to be a false positive. There are other routers of other brands where ludicrous responses are given on this CVE as well. Honestly I don't care at this point if it is a false (it's not), I'm fed up with the handling and dev of firmware in general. Digging so deep into this has really exposed to me the ludicrous manner in which Netgear devs compile firmware. All open sources like dnsmasq should be based on the latest (stable) versions. I'm getting pretty PO'd about this whole thing. 20+ years a Netgear relationship as a customer and before that Bay. Maybe the real solution here is I go to dd-wrt on this particular unit. I'm surely at this point not going to be purchasing another or in my consultant capacity pushing any Netgear hardware, period.

sixteen59 · ‎2018-07-04

This is Netgears job, not those they sell to.

Squair · ‎2018-07-05

As of this response from tier2 support on June 30:

I got an update from our Engineering team and they have confirmed that the R6900P router is not affected by the DNSMasq Vulnerability.

It is easy to make the problem go away by saying there is no problem. My dnsmasq is 2.75 - Avast Vulnerability Catalogue ID CVE-2017-14491 says my 6 month old Netgear router is vulnerable. I agree that it should be a priority to use the latest updates (dnsmasq 2.78 or later) to eliminate the problem or concern.

RAJackson097 · ‎2018-07-05

My R7000 AC1900 still has DNSmasq vs 2.15. Hoping that they get this updated soon. Really bad for business to no perform updates to customer systems for a vulnerability that is over a year and a half old.

sixteen59 · ‎2018-07-06

Hoping isn't going to make it happen. We need to be on them about this nonsense. I was checking over the source for my R6400 which indicates a team "kathy", so I don't know if a "kathy" is responsible here or if it is indeed a team with kathy as leader. Whatever the case, as manufacturers of this hardware they are beholden to provide fixes to security issues. Compiling firmware from source that is 14 years old is negligent.

BRWhitecotton · ‎2018-07-08

I am at FW version V1.0.9.32_10.2.34

and I get

"dnsmasq-2.15-OpenDNS-1"

returned from a Windows 10 powershell using nslookup command.

Looked this up on CVE Details and this version of dnsmasq is circa 2005. WTH?

Come on now!

psiberfunk · ‎2018-07-10

This is embarassing, I see my router is vulnerable too at version 2.15 (R7000). Netgear, what the heck are you guys doing asleep at the wheel here ? I regularly recommend netgear routers to my clients, but i'm going to be stopping until you fix this garbage. It's been MONTHS. Do the right thing and fix this.

BRWhitecotton · ‎2018-07-11

I am finding it odd that dnsMasq 2.79 is the latest revision out there in open source land and we still have 2.15 in use in our routers. THAT is a lot of proverbial water under the old revision bridge. Since dnsMasq is open source, there should be no reason we cannot have the latest except possibly that since Netgear is a for-profit company, they are unable to use the cutting edge releases, instead, perhaps they are forced to use old code, old buggy vulnerable code in their products?! Spit-balling here but this is the only scenario that makes sense (given no other information at all) other than Netgear having say, only 3 engineers tackling 27,518 bugs across their plethora of products. Is that the case? Anyway, I like my Netgear products. I just want to see this fixed ASAP. Please Netgear engineers, fix this. Thanks!

Squair · ‎2018-07-11

Blanca,
I followed your link and searched for "avast" and no results. I see your responses about where to report security isses. We report issues based on our model numbers. With so many reports of the avast dnsmasq problem, why do you cause customers the frustration of re-posting in another forum?

If the vulnerability will not be addressed, please make a NG statement to the effect. Is it a chip issue being incompatible with a firmware solution? Let us in on the joke, so to speak.

Cafferata · ‎2018-07-14

Its still in the firmware ? why..?

Last login: Sat Jul 14 11:08:26 on console
iMac-van-ED:~ Ed$ nslookup -type=txt -class=chaos version.bind 192.168.1.1
Server: 192.168.1.1
Address: 192.168.1.1#53

version.bind text = "dnsmasq-2.39"

htroudi · ‎2018-08-05

Exactely.....Netgear WTF!!!! TAKE CARE OF THIS NOW

BRWhitecotton · ‎2018-08-05

I am happy to report that Netgear has fixed this with the latest update applied to my router. I updated about 5 days ago (regular update push from Netgear, not by manual download method) to version V1.0.9.34_10.2.36 and now Avast does not complain about dnsmasq and nslookup reports "dnsmasq-2.78".

THANK YOU Netgear for taking care of this!!! I am sure you are tackling these issues as quickly as resources allow! Hang in there folks, help is on the way!!!

Cheers,

Brian

htroudi · ‎2018-08-13

Can anyone tell if this is fixed on Netgear R8000P?

htroudi · ‎2018-08-13

The command nslookup -type=txt -class=chaos version.bind 192.168.1.1 gives me:

version.bind text = "dnsmasq-2.75"

So am I safe?

schumaku · ‎2018-08-13

For the subject CVE-2017-14491 plus a few more items to address should be 2.78 or higher. Check http://www.thekelleys.org.uk/dnsmasq/CHANGELOG

htroudi · ‎2018-08-15

So am I sade then??

sixteen59 · ‎2018-08-15

Safe? No. I've repeatedly challenged support who tells us that the vulnerability doesn't exist even though they're using (inexplicably) dnsmasq versions back to 14 years old and most of them are pre-2.76. They will tell me the engineers say it isn't a concern. I say then the engineers can explain HOW it's not a concern when using versions of dnsmasq that are very obviously vulnerable version. I have a R6400 as well as a number of customers that do as well, it's vulnerable. I have customers with R7000s that are vulnerable. I have customers with R7800s that are vulnerable. And on and on. I'm not sure there's a product that's not vulnerable. Netgear doesn't care. I seriously don't understand the difficult here. Just bring on new firmware releases for every product that gets dnsmasq up to date v2.78. Bottom line is they don't give a damn.

htroudi · ‎2018-08-23

WTF!!!!!!!!!!!

Netgear come on. Why are you doing this against us customers.

You used go be a respectable network product manufacturer.

What the hell happened??

Me among others truly want to know why you don't take care of such a embarrassing security issue.

Hear me : you WILL loose customers and money if you as a company won't do radical changes.

Re: Avast Vulnerability Catalogue ID CVE-2017-14491 for the Nighthawk R7000 ac1900 dualband wifi ...