Orbi WiFi 7 RBE973
Reply

Re: Web GUI Password Recovery Vulnerability?

DoctorX
Guide

Web GUI Password Recovery Vulnerability?

Back in June a security vulnerability was disclosed:

 

Web GUI Password Recovery and Exposure Security Vulnerability

https://community.netgear.com/t5/Nighthawk-WiFi-Routers/Web-GUI-Password-Recovery-and-Exposure-Secur...

 

It didn't seem to be addressed even in the most recent firmware release, v1.0.7.6_1.1.99,  which fixed the vulnerability disclosed in Security Advisory VU 582384.

Is there any update on this?

 

Thanks!

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 1 of 15

Accepted Solutions
JamesGL
Master

Re: Web GUI Password Recovery Vulnerability?

Hi, DoctorX,

 

The post has been unfreeze.

View solution in original post

Message 7 of 15

All Replies
JamesGL
Master

Re: Web GUI Password Recovery Vulnerability?

Hi DoctorX,

 

Web GUI Password Recovery has been addressed already. You may check the article below.

 

http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability?cid=wmt_ne...

 

 

Message 2 of 15
DoctorX
Guide

Re: Web GUI Password Recovery Vulnerability?

Is that the same vulnerability?

 

The reason I ask is that the 1.0.5.70 firmware is dated 06/02/2016 and was released on 06/15/2016.

The (frozen) post by ChristineT (admin) describing the unresolved issue was posted on 06/22/2016.

 

If its the same issue can the original post be unfrozen and updated?

Message 3 of 15
JamesGL
Master

Re: Web GUI Password Recovery Vulnerability?

Hi DoctorX,

 

The recent report about vulnerability is different from the Web GUI password Recovery Vulnerability. Both issues has been addressed already.

 

Message 4 of 15
DoctorX
Guide

Re: Web GUI Password Recovery Vulnerability?

I'm not referring to VU 582384 resolved in firmware v1.0.7.6_1.1.99.  I know this is a different issue.

 

I'm just wondering why an admin posts about an open issue seven days after it was supposedly fixed in firmware v1.0.5.70 firmware.  This makes me believe the posted vulnerability was not fixed yet.

It looks like this indicates it was fixed in v1.0.5.70: http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability

 

Please unfreeze and close the original post I referred to since this misleads us (or at least me) that the issue is still an open one.

 

Thanks.

 

Message 5 of 15
JamesGL
Master

Re: Web GUI Password Recovery Vulnerability?

Hi, DoctorX,

 

We will check on the post that you were referring and unfreeze it.

 

 

Message 6 of 15
JamesGL
Master

Re: Web GUI Password Recovery Vulnerability?

Hi, DoctorX,

 

The post has been unfreeze.

Message 7 of 15
AVJohnnie
Tutor

Re: Web GUI Password Recovery Vulnerability?


@JamesGL wrote:

Hi DoctorX,

 

Web GUI Password Recovery has been addressed already. You may check the article below.

 

http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability?cid=wmt_ne...

 

 


And what about those of us with the dubious honor of owning E.O.L. (aka, officially abandoned) Netgear devices such as the 1st rev. NightHawk R7500 (EOLed 12 months after inital release) --- So what of us? Are we collectively shoe-horned under the KB30632 (C.Y.A.) section jargon: "If your affected product does not have a firmware fix available, NETGEAR strongly recommends that you follow this workaround procedure to remediate the vulnerability" --- and once again Netgear's customer abandonment leaves us never really knowing if our devices were or were not, vulnerable? Because Netgear prefers not to "talk publicly" about matters they deem to be potentially embarrassing...

 

It's getting harder and harder to justify continuance at being a Netgear customer...

Message 8 of 15
StephenB
Guru

Re: Web GUI Password Recovery Vulnerability?


@AVJohnnie wrote:
... NightHawk R7500 ...

That's not on the list at all, and isn't in the NIST CVE record either.  Are you sure it's affected by this particular vulnerability?

Message 9 of 15
AVJohnnie
Tutor

Re: Web GUI Password Recovery Vulnerability?


@StephenB wrote:

@AVJohnnie wrote:
... NightHawk R7500 ...

That's not on the list at all, and isn't in the NIST CVE record either.  Are you sure it's affected by this particular vulnerability?


Precisely my point - it's on neither list, good or bad. Netgear once again chooses to leave owners of their EOLed devices in the limbo of being unknowingly adrift ... and thereby potentially perpetuating the very problems they claim to be guarding the “Wide Net” against.

 

Model: R7500|Nighthawk X4 AC2350 Smart WiFi Router
Message 10 of 15
StephenB
Guru

Re: Web GUI Password Recovery Vulnerability?


@AVJohnnie wrote:

@StephenB wrote:

@AVJohnnie wrote:
... NightHawk R7500 ...

That's not on the list at all, and isn't in the NIST CVE record either.  Are you sure it's affected by this particular vulnerability?


Precisely my point - it's on neither list, good or bad. Netgear once again chooses to leave owners of their EOLed devices in the limbo...

 


The only device on the good list is the V6510.  It would be reassuring if that list was more extensive.  There are two bad lists - one with fixes, one without fixes. There are EOL routers included (the WNDR4000 being one).  So Netgear hasn't ignored that category.

 

The R7500 isn't on the official EOL list btw - which is here: https://www.netgear.com/landing/eol.aspx

Message 11 of 15
AVJohnnie
Tutor

Re: Web GUI Password Recovery Vulnerability?


@StephenB wrote:

@AVJohnnie wrote:

@StephenB wrote:

@AVJohnnie wrote:
... NightHawk R7500 ...

That's not on the list at all, and isn't in the NIST CVE record either.  Are you sure it's affected by this particular vulnerability?


Precisely my point - it's on neither list, good or bad. Netgear once again chooses to leave owners of their EOLed devices in the limbo...

 


The only device on the good list is the V6510.  It would be reassuring if that list was more extensive.  There are two bad lists - one with fixes, one without fixes. There are EOL routers included (the WNDR4000 being one).  So Netgear hasn't ignored that category.

 

The R7500 isn't on the official EOL list btw - which is here: https://www.netgear.com/landing/eol.aspx


To the contrary, R7500 initial release is EOL - R7500v2 is not (yet) EOL, per Netgear Support website:

https://www.netgear.com/support/product/r7500#download

 

Message 12 of 15
StephenB
Guru

Re: Web GUI Password Recovery Vulnerability?


AVJohnnie wrote:

https://www.netgear.com/support/product/r7500#download

 


7500 initial release is EOL - R7500v2 is not (yet) EOL, per Netgear Support website:

Netgear needs to sync their lists then.

Message 13 of 15
AVJohnnie
Tutor

Re: Web GUI Password Recovery Vulnerability?


@StephenB wrote:
Netgear needs to sync their lists then.

Agreed - And when taken in light of the fact that for customers such as myself, with the knowledge that this version is one that Netgear would like to disavow having ever been "suckered" into producing (due to its inclusion of certain "Quantenna components"), well - let's just say that their support actions for it (meager as they've been) are all rather suspect ...

 

Message 14 of 15
AVJohnnie
Tutor

Re: Web GUI Password Recovery Vulnerability?

To further characterize and more precisely typify my meaning on all this, the R7500 (at its initial release) was touted by Netgear marketing as having full MU-MIMO capability to be later implemented via a soon-to-be-forthcoming automatic-delevered FW update. That marketing promise was never fulfilled on the earlier (v1) devices – it only happened on the v2 devices… So - How can this in way be construed as being anything other than an outright, bald-faced lie coupled with an exemplary case of both product & customer abandonment on the part of Netgear?

 

Message 15 of 15
Top Contributors
Discussion stats
  • 14 replies
  • 6056 views
  • 1 kudo
  • 4 in conversation
Announcements

Orbi 770 Series