- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
Re: Web GUI Password Recovery Vulnerability?
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Back in June a security vulnerability was disclosed:
Web GUI Password Recovery and Exposure Security Vulnerability
It didn't seem to be addressed even in the most recent firmware release, v1.0.7.6_1.1.99, which fixed the vulnerability disclosed in Security Advisory VU 582384.
Is there any update on this?
Thanks!
Solved! Go to Solution.
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All Replies
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Web GUI Password Recovery Vulnerability?
Hi DoctorX,
Web GUI Password Recovery has been addressed already. You may check the article below.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Web GUI Password Recovery Vulnerability?
Is that the same vulnerability?
The reason I ask is that the 1.0.5.70 firmware is dated 06/02/2016 and was released on 06/15/2016.
The (frozen) post by ChristineT (admin) describing the unresolved issue was posted on 06/22/2016.
If its the same issue can the original post be unfrozen and updated?
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Web GUI Password Recovery Vulnerability?
Hi DoctorX,
The recent report about vulnerability is different from the Web GUI password Recovery Vulnerability. Both issues has been addressed already.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Web GUI Password Recovery Vulnerability?
I'm not referring to VU 582384 resolved in firmware v1.0.7.6_1.1.99. I know this is a different issue.
I'm just wondering why an admin posts about an open issue seven days after it was supposedly fixed in firmware v1.0.5.70 firmware. This makes me believe the posted vulnerability was not fixed yet.
It looks like this indicates it was fixed in v1.0.5.70: http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability
Please unfreeze and close the original post I referred to since this misleads us (or at least me) that the issue is still an open one.
Thanks.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Web GUI Password Recovery Vulnerability?
Hi, DoctorX,
We will check on the post that you were referring and unfreeze it.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Web GUI Password Recovery Vulnerability?
@JamesGL wrote:Hi DoctorX,
Web GUI Password Recovery has been addressed already. You may check the article below.
And what about those of us with the dubious honor of owning E.O.L. (aka, officially abandoned) Netgear devices such as the 1st rev. NightHawk R7500 (EOLed 12 months after inital release) --- So what of us? Are we collectively shoe-horned under the KB30632 (C.Y.A.) section jargon: "If your affected product does not have a firmware fix available, NETGEAR strongly recommends that you follow this workaround procedure to remediate the vulnerability" --- and once again Netgear's customer abandonment leaves us never really knowing if our devices were or were not, vulnerable? Because Netgear prefers not to "talk publicly" about matters they deem to be potentially embarrassing...
It's getting harder and harder to justify continuance at being a Netgear customer...
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Web GUI Password Recovery Vulnerability?
@AVJohnnie wrote:
... NightHawk R7500 ...
That's not on the list at all, and isn't in the NIST CVE record either. Are you sure it's affected by this particular vulnerability?
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Web GUI Password Recovery Vulnerability?
@StephenB wrote:
@AVJohnnie wrote:
... NightHawk R7500 ...That's not on the list at all, and isn't in the NIST CVE record either. Are you sure it's affected by this particular vulnerability?
Precisely my point - it's on neither list, good or bad. Netgear once again chooses to leave owners of their EOLed devices in the limbo of being unknowingly adrift ... and thereby potentially perpetuating the very problems they claim to be guarding the “Wide Net” against.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Web GUI Password Recovery Vulnerability?
@AVJohnnie wrote:
@StephenB wrote:
@AVJohnnie wrote:
... NightHawk R7500 ...That's not on the list at all, and isn't in the NIST CVE record either. Are you sure it's affected by this particular vulnerability?
Precisely my point - it's on neither list, good or bad. Netgear once again chooses to leave owners of their EOLed devices in the limbo...
The only device on the good list is the V6510. It would be reassuring if that list was more extensive. There are two bad lists - one with fixes, one without fixes. There are EOL routers included (the WNDR4000 being one). So Netgear hasn't ignored that category.
The R7500 isn't on the official EOL list btw - which is here: https://www.netgear.com/landing/eol.aspx
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Web GUI Password Recovery Vulnerability?
@StephenB wrote:
@AVJohnnie wrote:
@StephenB wrote:
@AVJohnnie wrote:
... NightHawk R7500 ...That's not on the list at all, and isn't in the NIST CVE record either. Are you sure it's affected by this particular vulnerability?
Precisely my point - it's on neither list, good or bad. Netgear once again chooses to leave owners of their EOLed devices in the limbo...
The only device on the good list is the V6510. It would be reassuring if that list was more extensive. There are two bad lists - one with fixes, one without fixes. There are EOL routers included (the WNDR4000 being one). So Netgear hasn't ignored that category.
The R7500 isn't on the official EOL list btw - which is here: https://www.netgear.com/landing/eol.aspx
To the contrary, R7500 initial release is EOL - R7500v2 is not (yet) EOL, per Netgear Support website:
https://www.netgear.com/support/product/r7500#download
- Model / Version: R7500
- Select a different version
- End of Life (Service Unavailable)
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Web GUI Password Recovery Vulnerability?
AVJohnnie wrote:https://www.netgear.com/support/product/r7500#download
- Model / Version: R7500
- Select a different version
- End of Life (Service Unavailable)
7500 initial release is EOL - R7500v2 is not (yet) EOL, per Netgear Support website:
Netgear needs to sync their lists then.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Web GUI Password Recovery Vulnerability?
@StephenB wrote:
Netgear needs to sync their lists then.
Agreed - And when taken in light of the fact that for customers such as myself, with the knowledge that this version is one that Netgear would like to disavow having ever been "suckered" into producing (due to its inclusion of certain "Quantenna components"), well - let's just say that their support actions for it (meager as they've been) are all rather suspect ...
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Web GUI Password Recovery Vulnerability?
To further characterize and more precisely typify my meaning on all this, the R7500 (at its initial release) was touted by Netgear marketing as having full MU-MIMO capability to be later implemented via a soon-to-be-forthcoming automatic-delevered FW update. That marketing promise was never fulfilled on the earlier (v1) devices – it only happened on the v2 devices… So - How can this in way be construed as being anything other than an outright, bald-faced lie coupled with an exemplary case of both product & customer abandonment on the part of Netgear?
• Introducing NETGEAR WiFi 7 Orbi 770 Series and Nighthawk RS300
• What is the difference between WiFi 6 and WiFi 7?
• Yes! WiFi 7 is backwards compatible with other Wifi devices? Learn more