Orbi WiFi 7 RBE973
Reply

NETGEAR Routers and CVE-2016-582384 security vulnerability

loppnow
Aspirant

Re: Firmware 1.0.7.6

I'm not sure what I did, but it did not reset to the default name & password.  It created a fairly long arbitrary Wireless Network Key (password), and named the Wireless Network Name:  NETGEAR21

 

I'm just trying to make sure I haven't been hacked or something

Message 176 of 234
IrvSp
Master

Re: Firmware 1.0.7.6

I wouldn't think you were hacked, but you never know? If the SSID and Passphrase matches what was on your label for them on the bottom of the router, you probably were not. Somehow a RESET was performed. Maybe the code does that IF you are updating from and OLD F/W? All I can say I have NEVER seen this happen without me physically resetting the router, but I usually do upgrade with almost every NEW flash and will RESET and re-enter my settings almost every time.

 

If someone wanted too or had hacked into your router you would think the USERID and P/W would have been changed so you couldn't get in and see what was going on. The FIX was for a specific problem and I have NOT seen any report of any web site that implemented the problem code. Even then I personally am not sure what they could do but there are possibilities that could be done that could cause hacks into your LAN and access attached devices.

Message 177 of 234
loppnow
Aspirant

Re: Firmware 1.0.7.6

It looks like you were right.  It did reset to the original SSID and Passphrase that was on the unit when I got it.

 

Thanks !

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 178 of 234
NotHome
Aspirant

Re: Two leading Netgear routers are vulnerable to a severe security flaw

Talking about the routers R7000. I don't subscribe to every chat board for every piece of electronics I buy but my units are registered, so I would have hoped to recieve some kind of notice from Netgear. I just heard about this being a problem.

Message 179 of 234

Re: Two leading Netgear routers are vulnerable to a severe security flaw

My alert arrived today.

 

Netgear seems to be sending them out when the firmware emerges from beta testing. This seems to have happened in the past day or two.

 

This means that it should have arrived on the main server so you may be able to get it by telling your R7000 to look for an update.

 

I assume that you have seem this:

 

Security Advisory for VU 582384, PSV-2016-0245 | Answer | NETGEAR Support

 

 

Message 180 of 234
mdgm-ntgr
NETGEAR Employee Retired

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability


@hggomes wrote:

http://www.securityweek.com/remotely-exploitable-0-day-impacts-netgear-wnr2000-routers


That's a different problem affecting different routers so really should be disccused in a separate thread. We have a Security Advisory available for that.

Message 181 of 234
pjsand
Aspirant

Re: Two leading Netgear routers are vulnerable to a severe security flaw

I just attempted to complete the secruity fix for VU 582384.  Following the instructions after downloading the zip file.  I then loged into the router.  However, working through the ADVANCED TAB then the ADMINISTRATION I was not able to locate FIRMWARE UPGRADE. There was NO choice for FIRMWARE UPGRADE.

 

Has anyone else encounted this issue and if so how did you proceed to upload the security fix?

Message 182 of 234

Re: Two leading Netgear routers are vulnerable to a severe security flaw


@pjsand wrote:

Following the instructions after downloading the zip file. 

 


 

Did you unzip the zip file?

 

You don't say which device you want to flash, but most of the firmware is now officially released. So you should be able to tell the modem/router to go get it without having to retrieve the file.

 

Sorry, I can't be more precise than that because I don't know what hardware you need to update.

 

Remember, not all Netgear devices are vulnerable to this security hole.

 

If you find the manual on the support site it will also have the instructions you need.

 

 

 

 

 

 

 

 

 

Message 183 of 234
pjsand
Aspirant

Re: Two leading Netgear routers are vulnerable to a severe security flaw

That's what was missing in their instructions.  Once I unzipped the file I could complete the fix.  Thanks for your quick response

Message 184 of 234
Kitsap
Master

Re: Two leading Netgear routers are vulnerable to a severe security flaw

The instructions with the updated firmware for the R7000 include item number 2:

 

2. Using the Download Link below, download and extract the new firmware to a convenient place such as your desktop. The filename after extracting is R7000-V1.0.7.6_1.1.99.chk

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 185 of 234

Re: Two leading Netgear routers are vulnerable to a severe security flaw


@Kitsap wrote:

2. Using the Download Link below, download and extract the new firmware to a convenient place such as your desktop. The filename after extracting is R7000-V1.0.7.6_1.1.99.chk

 


 

True,  but remember that not everyone understands what extract means. Why should they?

 

Perhaps the instructions should have said "extract (unzip)".

 

These days you wonder why they zip things when they contain only one file. It isn't as if bandwidth is an issue any more.

Message 186 of 234
IrvSp
Master

Re: Two leading Netgear routers are vulnerable to a severe security flaw


@michaelkenward wrote:

@Kitsap wrote:

2. Using the Download Link below, download and extract the new firmware to a convenient place such as your desktop. The filename after extracting is R7000-V1.0.7.6_1.1.99.chk

 


 

True,  but remember that not everyone understands what extract means. Why should they?

 

Perhaps the instructions should have said "extract (unzip)".

 

These days you wonder why they zip things when they contain only one file. It isn't as if bandwidth is an issue any more.


Well, not to insult anyone, there are other reasons for doing that (compressing the d/l file) possibly. One would be to save space on the servers. Also make it easier to handle umpteen requests as smaller files mean faster delivery for everyone. Also they probably use a single set of instructions from a template and just change the filename(s). Some might include a README file or even more than one file. Less chance of error that way.

 

As for one not know what 'extract' means, I get that. In this case one could ask or Google it, not hard to figure out? If one doesn't understand 'extract' would they understand 'unzip'?

 

If one knew how to set-up a router and the knowledge to do that they probably wouldn't be first time users of a PC either? If they do the setup of the router then someone else did? That person should have done the upgrade I would think?

 

Again, not trying to upset or insult anyone here, just my $0.02 worth on why it might be both compressed and detailed on what to do. Pjsand never mentions which Router the file was for either, and was told by you to 'unzip' the file and did that and it worked. It is possible that set of instructions is NOT in the d/l that was used?

 

I see nothing wrong with compressing d/l files (by anyone).

Message 187 of 234

Re: Two leading Netgear routers are vulnerable to a severe security flaw


@IrvSp wrote:

Well, not to insult anyone, there are other reasons for doing that (compressing the d/l file) possibly. One would be to save space on the servers. Also make it easier to handle umpteen requests as smaller files mean faster delivery for everyone.

 

 

The compression of a firmware file is minimal. A few percent, if that. Sometimes nothing. (I've just checked a handful.) Certainly not enough to make any difference to storage space of serving multiple requests. In any case, the update server holds an uncompressed file for routers to update themselves. So Netgear has to hold two copies of the thing.

 


@IrvSp wrote:
Some might include a README file or even more than one file.

 

 

That's why I said "when they contain only one file".

 

 

Message 188 of 234
StephenB
Guru

Re: Two leading Netgear routers are vulnerable to a severe security flaw

We are getting off topic, though fortunately pjsand's problem is solved.


@michaelkenward wrote:

The compression of a firmware file is minimal.

True enough, particularly for router firmware. I think a more important advantage of the zip format is that it has a built-in integrity check. If the download is corrupted, the extraction fails.


@michaelkenward wrote:
In any case, the update server holds an uncompressed file for routers to update themselves. So Netgear has to hold two copies of the thing.

 


The update server isn't the same server as the one used for manual downloads (at least that is the case with ReadyNAS firmware).

 

 

 

Message 189 of 234

Re: Two leading Netgear routers are vulnerable to a severe security flaw

There is one other reason for using zips. It can allow files to get around some security hurdles.

 

 

Message 190 of 234
aboxofclay
Aspirant

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability


@netgear wrote:

We receive numerous emails through this channel, the overwhelming majority of which, on review, do not raise product security issues.


 

Presumably this is meant to indicate that you receive a lot of spam on these mailboxes. I suggest providing guidelines for how you want humans to format their subject lines when contacting you about vulnerabilities. This may make it easier to differentiate between bots sending you ads for viagra and vulnerability reports.
Message 191 of 234

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability


@aboxofclay wrote:
Presumably this is meant to indicate that you receive a lot of spam on these mailboxes.

 

That's one way of interpreting it, but spam is easily trapped. My guess is that "numerous emails through this channel" is more likely to be loaded down with reports of false positives in AV software, or people who are just paranoid and think that every time their system falls over it is a security failure.

 

As for providing a format for submitting issues, that's a good way of encouraging the spammers.

 

It would be better to be more diligent in the first place and for Netgear to pay a bit more attention to what it does receive. I suspect that it does so now that it has seen the folly of ignoring messages.

 

 

 

 

Message 192 of 234
pjsand
Aspirant

Re: Two leading Netgear routers are vulnerable to a severe security flaw

What's important for all to remember, most of us are not IT literate and take instructions literally.  I am 60+ and most in my peer group would look for a younger friend to assist with tasks like this. Once I was told through a great response to unzip the file I could easily complete the update. It took me 3 to 4 times longer just to find this valuable site for asking & sharing ideas. Initial instructions need to factor in their audience and 90%+ of the purchasers of this type of hardware are not IT literate.  My thanks to you all for your assistance in resolving my issue....pjsand

Message 193 of 234

Re: Two leading Netgear routers are vulnerable to a severe security flaw


@pjsand wrote:

I am 60+ and most in my peer group would look for a younger friend to assist with tasks like this.

 


 

In this case, some of the people who have been throwing around their advice, well, at least one of them, is 70+. (I can even help people with putting a ribbon in a typewriter.) But it sure is important to communicate using language that everyone can understand.

 

In the case of this firmware update, telling people how to deal with zipped files really only applied when users wanted to use the beta versions. Applying the final release didn't need that.

 

At least these days you don't need software to unzip files. The operating system does that.

 

Message 194 of 234
aboxofclay
Aspirant

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability


@michaelkenward wrote:

@aboxofclay wrote:
Presumably this is meant to indicate that you receive a lot of spam on these mailboxes.

 

That's one way of interpreting it, but spam is easily trapped. My guess is that "numerous emails through this channel" is more likely to be loaded down with reports of false positives in AV software, or people who are just paranoid and think that every time their system falls over it is a security failure.

 

As for providing a format for submitting issues, that's a good way of encouraging the spammers.

 

It would be better to be more diligent in the first place and for Netgear to pay a bit more attention to what it does receive. I suspect that it does so now that it has seen the folly of ignoring messages.

 

 

 

 


Spammers (as opposed to spear phishers) aren't going to bother customizing their messages for a mailbox their bot has scraped off the web. However, a consistently formatted subject line will make it easier for a human to recognize a potential problem report. Agreed on the need for increased diligence though.
Message 195 of 234
IrvSp
Master

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability

@aboxofclay, I am sort of confused over this string of messages you've seemed to have started within this thread on 1/6?

 

Was this a returned e-mail to you from Netgear after you reported a problem to them? I can find nothing in the thread like this?

 

As for SPAM reaching them, it is really a double edged sword. Depending on SPAM filters some will get through, and conversely some that are not SPAM will be discarded.

 

Yes, there are ways to defeat this, forms to be filled out (although robots can get around this too) but that means a browser must be used to submit reports. Otherwise 'normal' emails are free form and unless there were specific information within the product documentation in the box that  detailed what was required one wouldn't know it (or even forget to look at the documentation before sending off an email). On top of that NG support is only for 90 days. I bet that 'channel' gets a lot of email for h/w OUT OF WARRANTY as well.

 

So how did you get that 'message' and what did you do about it?

Message 196 of 234
hggomes
Tutor

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability

Like I previously stated here:

 

https://community.netgear.com/t5/General-WiFi-Routers/Netgear-routers-found-to-have-critical-vulnera...

 

Netgear FW code should definitily be audit, vulnerabilities news on Netgear almost everyday now:

 

 

https://www.engadget.com/2017/01/31/more-netgear-wifi-router-vulnerabilities/

 

http://www.theregister.co.uk/2017/01/31/major_security_hole_in_netgear_routers/

 

 

Definitily something to have in mind before getting a Netgear product.

 

ElaineM: Now you can understand my previously concerns about Netgear vulnerabilities?

 

Obviously this was something that could be avoided if Netgear could listen more to the people reporting these kind of issues, instead keeping things just like they are, I'm really sorry things have reach this point.

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 197 of 234
IrvSp
Master

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability

You did read part of the Engadget link fully right?

 

=======

The good news? Netgear has been diligent about patching the security hole. As of the report, 19 models (plus a cable modem) already have firmware updates that will fix the flaws.

=======

 

The link above in the part I copied was to "Web GUI Password Recovery and Exposure Security Vulnerability" which was updated on 1/27/17 before your links were created.

 

To me it seems they did 'listen' and did take pro-active action?

 

Message 198 of 234
hggomes
Tutor

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability

Well, that's your opinion about it, I can respect that.

 

 

They have listen it too late now that Netgear is on all front pages for the worst motives, this point could be avoided with back then actions, check how much time it took for them to simply upgrade a OpenSSL version:

 

https://community.netgear.com/t5/General-WiFi-Routers/Netgear-routers-found-to-have-critical-vulnera...

 

 

Now they are simply forced to quick fix things in order to not stain Netgear's name even more.

 

Message 199 of 234
IrvSp
Master

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability

Well, do you know when they first were alerted to the problems? Do you know how long it took them to take action? I don't know those dates?

 

When something gets reported to them the first thing that needs to be done is verify it is a real threat. Determine the scope of it too. Then formulate a fix, for every instance of that, and then create and test the fix, run QA (ensure it didn't cause regressions, that is break something else), and finally release it.

 

Note the date the page I referenced was updated last, 1/27 (don't know prior update date nor content change though), and the dates of the URL references you posted. Those were release a few days AFTER NG made the page update.

 

Also note the list of routers on that NG page. I can only speak for the R7000, but its last F/W release (which according to the LINK says it was fixed on the R7000) was on 12/16/2016. So over 1 1/2 months ago the R7000 had that vulnerability fixed.

 

To me that makes your argument sort of weak.

 

But let us switch gears here. What about MicroSoft? Many more vulnerabilities affecting many more systems. Do they cover them all INSTANTLY? Nope, they take time to get them out. They also do NOT announce the full extent of most of the vulnerabilities either so they are not publically known so 'bad guys' can make use of them.

 

Even with NG making the fixes, just what percentage of all NG Routers do you think will first of all update the firmware or make suggested protection changes? I'd think a good percentage will not.

 

You can audit/read the code ALL you want. Unless you know what the 'hole' could be and how it could be exploited you may never see it. Yes, some people might, but many coders will not. That is why exploits exist. It is a 'fact' of software coding.

 

Even MS doesn't respond instantly to all threats.

 

Some MS URL's about threats:

 

https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/

Note on the above, they say UPGRADE to W10... what about older versions of the OS?

https://www.microsoft.com/security/portal/enterprise/threatreports_december_2015.aspx

https://blogs.microsoft.com/microsoftsecure/2016/09/26/modern-browsers-are-closing-the-door-on-java-...

http://www.trustedreviews.com/news/read-microsoft-s-snarky-response-to-google-uncovering-a-windows-f...

Note on the above, dated 11/2/16, but the fix will not be out until 11/8/16 and roll-out is not immediate to everyone.

https://blogs.technet.microsoft.com/mmpc/2017/01/23/exploit-kits-remain-a-cybercrime-staple-against-...

https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-t...

 

By the way, most of those reference 'zero-day attacks'. Do you know what they are? Those are NEW attacks not seen before and using previously unknown holes/weaknesses in the code. No code is immune to these.

 

Doesn't Microsoft code bother you more than the router firmware code? It doesn't seem like it to me.

 

Why are you targeting NG? Others have problems too or had them:

 

http://routersecurity.org/bugs.php

Next is an OLD one but it shows NG isn't alone with problems:

http://www.pcworld.com/article/2464300/fifteen-new-vulnerabilities-reported-during-router-hacking-co...

 

I'm just trying to figure out why you think NG didn't respond and are the lone router mfgr. with these types of problems?

Message 200 of 234
Top Contributors
Discussion stats
Announcements

Orbi 770 Series