Re: Two leading Netgear routers are vulnerable to a severe security flaw

---

@michaelkenward wrote:

---

@Gandolph wrote:

Netgear has had since August to address this issue and has done nothing.

How do you know that? It would be interesting to have evidence.

---

We've updated the solution to this thread with more information. I hope that clarifies it.

@michaelkenward wrote:

The list has been updated to include more models, including the D6400.

 

---

Yes. For the latest information it's best to view the advisory.

Michael,

  How do we know that Netgear received notice of the vulnerability 4 months prior to the public announcement by the person who found it?  We read the news.  I would expect that you would be keeping abreast of the news regarding this issue since you are moderating the forum on this issue...

---

@climb74 wrote:

Michael,

  How do we know that Netgear received notice of the vulnerability 4 months prior to the public announcement by the person who found it?

 

That is not what I asked.

Let's make it simpler.

How do you know that Netgear has done nothing about it?

Here's where the 4 month figure comes from:

Proof-of-concept exploit code was released by a Twitter user who, according to the article, said "he informed Netgear of the flaw more than four months ago, but did not hear back from the company since then."

https://mobile.slashdot.org/story/16/12/11/1832234/vulnerability-prompts-warning-stop-using-netgear-...

---

@michaelkenward wrote:

---

@climb74 wrote:

Michael,

  How do we know that Netgear received notice of the vulnerability 4 months prior to the public announcement by the person who found it?

 

 

That is not what I asked.

 

Let's make it simpler.

 

How do you know that Netgear has done nothing about it?

 

 

---

From the "Solution" linked to the 1st msg in his thread ..

I quote:

**** UPDATE from NETGEAR - Added by ChristineT on 12/13/16 at 2:15 PM PST ****

NETGEAR has created a channel for security researchers and other members of the public to contact us regarding potential security issues affecting NETGEAR products (security@netgear.com), which is publicly disclosed from the NETGEAR Product Security Advisory page.  We receive numerous emails through this channel, the overwhelming majority of which, on review, do not raise product security issues.  When we do recognize that there is a security risk to our customers, we work diligently to address them in a timely manner.

This vulnerability, which has come to be referred to as VU 582384 was overlooked in our review process. We initially became aware of this vulnerability last Friday when CERT emailed us, and because we had no record of a prior report, began our standard process of validating prior to making any public statements. Once it had been disclosed that the first notification occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part. While no security reporting system is perfect, we aim to do better, and are evaluating how to improve our response process.

After NETGEAR had actual knowledge of the security risk on Friday, our engineers began working quickly to address it. NETGEAR has now updated the Knowledge Base article related to the recently discovered Security Vulnerability #582384, which has been reported to affect at least three NETGEAR routers – R7000, R6400 and R8000. This vulnerability puts a network at risk by allowing for unauthenticated web pages to pass the command-line interface leaving open the potential for arbitrary command execution by remote attack.

---

@Inolvidable_ wrote:
I am not in the "never Netgear again" camp. I think they made a mistake this time and I hope they learn from it.

I go along with that, especially as there are similar reports for other hardware makers, but I am also not in the camp that makes assumptions.

For example, your suggestion that:

---

@Inolvidable_ wrote:
Netgear has done nothing - Netgear was working on it as a low priority issue

may be true, but without evidence it is an assumption. There are many other possible scenarios. (The person who found the problem contacted the wrong people at Netgear, for example) That is why I asked for evidence that Netgear had done nothing.

Next thing you will be telling me that there is evidence that the Russians tried to influence with the US election.

Truthiness.... the quality of seeming or being felt to be true, even if not necessarily true.

@michaelkenward

Next thing you will be telling me that there is evidence that the Russians tried to influence with the US election.

😉

---

@michaelkenward wrote:

---

@Inolvidable_ wrote:
I am not in the "never Netgear again" camp. I think they made a mistake this time and I hope they learn from it.

---

 

I go along with that, especially as there are similar reports for other hardware makers, but I am also not in the camp that makes assumptions.

 

For example, your suggestion that:

---

@Inolvidable_ wrote:
Netgear has done nothing - Netgear was working on it as a low priority issue

---

may be true, but without evidence it is an assumption. There are many other possible scenarios. (The person who found the problem contacted the wrong people at Netgear, for example) That is why I asked for evidence that Netgear had done nothing.

 

---

 I think you have a point but you are not fair at the same time. We can go as deep as we want with the granularity of the expression "make assumptions". Experimental sciences "make assumptions" every day about cause-effect relations in absence of mathematical evidence. Even with mathematical evidence, Kurt Gödel proved in 1931 through his incompleteness theorems that complete and consistent set of axioms for all mathematic is impossible. In other words, there are mathematical expressions that can not be proved to be true.

In this particular case you have a point because there are other possible scenarios, but I think you are not fair because (in my view) the probability of this other scenarios are way way lower than the most probable one. Of course I am not backing this "probability" with mathematics but with common sense which is subjective, so yours is as good as mine. On the other hand it is not that easy to make a probability function of this particular matter and we can not totally trust on maths anyway, so we need to think of a way to reach a consensus.  I will accept that common sense is what the majority vote in a poll for example, so we can reach an agreement.

Ooor... we could just have payed attention to @alokeprasad who proves the whole thing. But Where is the fun in that?  

Netgear has fessed up to Tom's Hardware:

"This vulnerability, which has come to be referred to as VU 582384 was overlooked in our review process. We initially became aware of this vulnerability last Friday, December 9th, when CERT emailed us, and because we had no record of a prior report, began our standard process of validating prior to making any public statements. Once it had been disclosed that the first notification occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part. While no security reporting system is perfect, we aim to do better, and are evaluating how to improve our response process. "

http://www.tomshardware.com/news/netgear-responds-security-issue-routers,33199.html

I alwasy love updates that require resetting ALL settings before doing the update.  anyone have any tips for how to capture all the settings that are changed to make it easier to re-populate?

I have so many IP assignments, port forwarding, QOS, etc.. PIA for sure

---

@tivoboy wrote:

I alwasy love updates that require resetting ALL settings before doing the update.

 

---

Neat, isn't it?

Remember, these requirements are often "advisory".The "factory reset" thing depends on the severity of the changes that the firmware has inflicted on your hardware.

You can try other ways of doing it.

Here's my strategy, developed after beta testing various bits of kit:

• save (backup) settings
• flash firmware

If that works and you see no problems, great. If not, and something doesn't work, you may have to reset the device to the default settings:

• save (backup) settings
• flash firmware
• set to factory settings
• retrieve settings from backup

If that works and you see no problems, problem fixed! If not:

• save (backup) settings
• flash firmware
• set to factory settings.
• reconfigure everything

If that fails, then I fear that you may have to flash back to earlier firmware.

In this case, run the vulnerability test to check if the thing is fixed and if you need to go through the factory reset.

What a grand opportunity for Netgear right now!

They are responding and appear to be taking a sound and responsible approach .... these things always take longer than the least anxious person expects ...

And the grand opportunity is to ensure the community is well served .... and to ensure the issues don't impact business materially .... time to think about dropping warranty limits and forgetting service revenues to make sure the community is well served and the vulnerabilities are expunged ... even on models and products, such as range extenders, which are not yet proven to be affected ....

What a grand opportunity!

Save (and restore) settings from the settings-backup file

Take pictures of the important screens (the old-fashioned way of backing up).

---

@ChrisNoonan wrote:

 

And the grand opportunity is to ensure the community is well served .... 

---

We have striven to keep the community up to date on our investigation.

@ChrisNoonan wrote:

 time to think about dropping warranty limits and forgetting service revenues to make sure the community is well served and the vulnerabilities are expunged ... even on models and products, such as range extenders, which are not yet proven to be affected ....

Hardware warranty applies to hardware, software warranty applies to software issues, but when it comes to security we have a process described on our NETGEAR Product Security Advisory page for reporting what you consider to be a security issue. When emailing us as per those instructions the warranty status of your device is irrelevant.

Good to know the policy points ..... and a chance for all of us to think beyond the policy ...

For anyone who hasn't see it, there is new firmware for the D6400.

It installs just fine and seems to have slammed the backdoor.

I did not reset to factory defaults, but it appears to be working as expected.

Yup new firmware for D6400 fixes it, thx for the quick fix.

No third party FW is faster than stock FW. Only if you are looking for additional feature 3rd party is the right way. I tested all 3rd party FW so far, no one excluded and I did not get any faster Wi-Fi speed.

@Wolf_666 Oh, My 2.4G connection dramatically improved with XWRT. 

@GinaGerson I am glad for you.

I had several Netgear Routers, I have been starting modding with 3rd FW since my WNRD3700 and I did not ever seen any real improvement (misured with some LAN tools) in speed, expecially 5Ghz. The reason is because most of those FW use outdated drivers that are not optimized for that specific model. The community mostly agrees that stock FW, in general, offers better speeds but drammatically lacks features that 3rd party FW offers. Personally I am a big fan of OpenWRT (not usable for R7000) and DD-WRT (Kong's build).

My final advise is to test, each home environment has specific needs and, could happen, that som 3rd party FW outperforms stock FW.

I remain concerned about the security of my r8500 router. From what I can tell it is vulnerable to the VU#582384 (arbitrary command injection) vulnerability. But Netgear does not acknowledge the problem even though it lists other routers as being subject to the same vulnerability. 

After following the test provided in the Bas post ( http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/ ) I determined that my Netgear r8500 router is subhnect to the CERT VU#582384 vulnerability. This is despite the fact that the Netgear page that lists what Netgear claims are the affected routers does not include the r8500. See http://kb.netgear.com/000036386/CVE-2016-582384. 

Moreover, there are posts on this Netgear Community site, apparently blessed by Netgear personnel, suggesting that this router is not subject to this vulnerability. See message from "Netgear Moderator mdgm" at http://community.netgear.com/t5/Nighthawk-WiFi-Routers/Is-R8500-affected-by-new-vulnerability/m-p/11.... Unless the Bas test is faulty (and there is no reason to believe so), this appears to be false. Does this "Netgear moderator" work for Netgear? If a Netgear representative has implied that the r8500 isn't affected by the vulnerability when actually it is (he/she said "I believe it isn't affected. It iisn't on the list ...") this could cause users that rely on this guidance to be harmed, because r8500 users that rely on the advice by the Netgear moderator could be victimized by hackers that exploit the vulnerability. 

I do not understand why Netgear has failed to acknowledge this issue (or to take steps to rectify it) on the r8500. Has Netgear tested this router for this vulnerability? Does Netgear dispute that the problem exists with the r8500? Does Netgear dispute the Bas methodology for exposing the vulnerability?  Thr fact that the CMU Vulnerability Notes Database does not list the r8500 (see https://www.kb.cert.org/vuls/id/582384) does not explain this. While it is hard to tell, it looks like the CMU group relied on Netgear's list of affected routers.

Most importantly -- When will there be a firmware upgrade to rectify this situation on the r8500 router? I spent more than $400 on this router, and am beginning to regret that decision.

Bob