
Re: Web GUI Password Recovery and Exposure Security Vulnerability

JohnWDarby
Initiate

Web GUI Password Recovery and Exposure Security Vulnerability

I would like to point out to Netgear that their password recovery options are woefully insecure. I followed their advice to turn on Password Recovery but immediately aborted. Every single question can be answered by scanning my Facebook page for a few minutes. And no, it's not "save me from myself". My older sister does a lot of genealogy on the family and posts everything there. I have no issues with that. She enjoys doing it and my family likes the pictures and stories of previous generations. However, first names, middle names, place born, etc. are all there.

I have two suggestions: a) Ability to add your own question/answer couplet and b) Some kind of 2FA.

Message 1 of 49

hawki
Apprentice

Re: Web GUI Password Recovery and Exposure Security Vulnerability

THIS IS A SCAM--IGNORE IT

I was on the phone with Tech Support to confirm the vulnerability and was informed the current email circulating about the vulnerability did not come from Netgear and is a scam!!! I must have asked him 10 times to be certain.

Does Netgear's left hand know what the right hand is doing????

The email account from which it came has been closed.

Message 2 of 49
JohnWDarby
Initiate

Re: Web GUI Password Recovery and Exposure Security Vulnerability

That sounds believable but the original warning is posted by the Community Manager (ChristineT) on this very site: https://community.netgear.com/t5/Nighthawk-WiFi-Routers/Web-GUI-Password-Recovery-and-Exposure-Secur... So if Support is telling you it is a scam they better check employee badges because they've been infiltrated.

Message 3 of 49
hawki
Apprentice

Re: Web GUI Password Recovery and Exposure Security Vulnerability

Well the "Official" Poster may have received the email and is not invulnerable to a scam. Would be nice to get a definitive answer.

As you can see I have never posted here previously but registered today after speaking to Tech Support. Was shocked to see the "badges": OP.

I am still genuinely concerned about this issue.

Support may be misinformed but I doubt they have been infiltrated.

Does the CM monitor all threads?

Message 4 of 49
hawki
Apprentice

Re: Web GUI Password Recovery and Exposure Security Vulnerability

Just saw the email contents in The Security Advisory Section.

Nice of them to send me an email two months after the fact.

Looks like someone at Tech Support doesn't know what he's talking about.

I have no checkbox to enable PW recovery -- any suggestions?

To me it sounds so counter-intuitive to plug a security vulnerability by enabling PW recovery.

Message 5 of 49
JamesGL
Master

Re: Web GUI Password Recovery and Exposure Security Vulnerability

Hi All,

Here is the KB article for the said vulnerability. You can check for the specific model number that is affected.

http://kb.netgear.com/app/answers/detail/a_id/30632/~/web-gui-password-recovery-and-exposure-securit...

Message 6 of 49
hawki
Apprentice

Re: Web GUI Password Recovery and Exposure Security Vulnerability

Hello 🙂

Thanks for the response.

Why did the telephone Tech Support Techie tell me the email was a scam and to ignore it?

Why did I not receive the alert email until two months after the vulnerability was discovered? Does anyone in Netgear Security have a dictionary with the words "Responsible" and "Responsibility" in it?

I can not perform the required fix as my GUI change PW page has no checkbox to enable password recovery.

Why am I going to have to toss my $260 Netgear Swiss cheese "secure" box, cuz it appears to be unfixable since I have no checkbox to "enable PW Recovery"?

Why do I have to pay $50 to extend my CS to get help to eliminate a vulnerability that was caused by a Netgear Design Flaw?

In Netgear's business it can have The Best Products BUT without acting responsibly to critical security issues and without competent customer support it has nothing.

Send my congratulations to the execs at Netgear for having nothing. I have posted this shocking experience on The World's most highly regarded security forum, on which I have been an active participant for a decade. It has a huge international following. After coming to this forum I cautioned that it might be incorrect as to the actual existence of the vulnerability but is correct about Netgear's apparently ignorant Customer Support, lack of responsibility, and worthless 90 day customer help policy. Congratulate the execs on their upcoming well-deserved 15% decline in consumer products revenues.

Message 7 of 49

Re: Web GUI Password Recovery and Exposure Security Vulnerability


@hawki wrote:

THIS IS A SCAM--IGNORE IT

I was beginning to feel deprived. I haven't seen this email.

My first thought whenever I see one of these messages is scam.

If I want to do anything, I go to find the official source. I certainly don't start slagging off whoever is supposed to be the source of the email.

After all, would you ever follow the advice in emails from your bank?

Message 8 of 49

Re: Web GUI Password Recovery and Exposure Security Vulnerability


@JohnWDarby wrote:

Every single question can be answered by scanning my Facebook page for a few minutes.

Good point, but you could always create fake answers.

Then again, the sort of person who forgets passwords may also forget fake answers.

Message 9 of 49
hawki
Apprentice

Re: Web GUI Password Recovery and Exposure Security Vulnerability

I considered Netgear's Telephone Tech Support to be a reliable source. They told me to ignore the email because it was a scam. That was my mistake.

The Community Manager has confirmed that the email is valid.

I have no checkbox in my GUI to enable "Enable PW Recovery."

I received the email TWO MONTHS after the vulnerability was discovered.

Message 10 of 49
pookie525
Aspirant

Re: Web GUI Password Recovery and Exposure Security Vulnerability

The information is posted on Netgear's website here: https://kb.netgear.com/app/answers/detail/a_id/30632 I am always wary of such things as well and always check the website first. But, since it is posted on their website and not just in the community........ However, I had to do a lot of digging to find it. It's not like it was on the main page. I had to look under my specific router and look under security to find it. Of course it is nowhere to be found on Facebook or Twitter or seems to me, it should be smack dab on the front page of their website!

Message 11 of 49
hawki
Apprentice

Re: Web GUI Password Recovery and Exposure Security Vulnerability

I want to know why Netgear's Telephone Tech Support told me the email was a scam and to ignore it.

I want to know why the email was sent to me TWO MONTHS after the vulnerability was discovered.

I want to know why the "fix" is unworkable on my PC and Netgear GUI.

I want to know why I have to pay $50 to extend my 90 day support to get help to fix a vulnerability that was created by a Netgear Design Flaw.

I want to know why I was so stooopid to pay "top dollar" to buy a Netgear Product given today's experience.

Message 12 of 49

Re: Web GUI Password Recovery and Exposure Security Vulnerability

Well researched.

I see that my D6400 is on the (s)hit list. But it says for firmware v1.0.0.44.

The release notes for the newer firmware, V1.0.0.52_1.0.52, do not promise to fix this issue.

All they say is:

Fixed the issue where the "Admin Password Protection" will disappear after refreshing the page.

This does not seem to be the same issue.

So, is this fixed in the firmware? Or is the web statement wrong?

Message 13 of 49
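As an added example (not code from the thread or from Netgear), a small Python check that models the question raised in Message 13: is the running D6400 build at or below the advisory's listed v1.0.0.44, or newer but with no stated fix? The affected-version table is a constructed placeholder containing only the entry the thread mentions, and "OTHER-MODEL" is a made-up model name.

```python
import re

# Constructed sample data for this example, NOT Netgear's advisory table:
# the thread says the D6400 is listed as affected at firmware v1.0.0.44 and
# that the newer V1.0.0.52_1.0.52 release notes do not mention this issue.
AFFECTED_FIRMWARE = {
    "D6400": "1.0.0.44",
}

# Netgear-style build strings: optional "V"/"v", a dotted main version and an
# optional "_x.y.z" build suffix, e.g. "V1.0.0.52_1.0.52".
_VERSION_RE = re.compile(r"^[vV]?(\d+(?:\.\d+)*)(?:_(\d+(?:\.\d+)*))?$")


def parse_version(build: str) -> tuple:
    """Return the main version as a tuple of ints, e.g. (1, 0, 0, 52).

    Only the part before "_" is compared; the suffix is accepted but ignored.
    """
    m = _VERSION_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised firmware build string: {build!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def advisory_status(model: str, running: str) -> str:
    """Classify a running build against the advisory's affected version.

    Returns one of:
      "not-listed"  - model does not appear in the affected table at all
      "affected"    - running build is at or below the listed affected build
      "unconfirmed" - running build is newer, but neither the advisory nor
                      the release notes state that the issue was fixed
    """
    listed = AFFECTED_FIRMWARE.get(model)
    if listed is None:
        return "not-listed"
    if parse_version(running) <= parse_version(listed):
        return "affected"
    return "unconfirmed"


if __name__ == "__main__":
    # "OTHER-MODEL" is a placeholder, not a real product name.
    for model, build in [("D6400", "V1.0.0.44"),
                         ("D6400", "V1.0.0.52_1.0.52"),
                         ("OTHER-MODEL", "V2.0.0.1")]:
        print(model, build, "->", advisory_status(model, build))
```

The "unconfirmed" outcome is the practical answer to the post's closing question: a newer build is not evidence of a fix until the vendor's notes say so.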

Re: Web GUI Password Recovery and Exposure Security Vulnerability


@hawki wrote:

I want to know why I have to pay $50 to extend my 90 day support to get help to fix a vulnerability that was created by a Netgear Design Flaw.

You don't.

Firmware fixes are free in perpetuity.

Message 14 of 49
pookie525
Aspirant

Re: Web GUI Password Recovery and Exposure Security Vulnerability

I know exactly how you feel. I think it is revolting the way they are handling this. Of course, they really don't care what happens to any of us in the first place. I had a really bad experience with Netgear before dealing with their horrendous, outsourced customer service. I swore then that I would never, ever buy another one. I used whatever my ISP gave me until I switched and had to get my own. I was dead set against getting a Netgear but everyone from the people at Best Buy to people online to friends and family recommended Netgear. It was the best that I could buy they said.

Not too long ago, there was another breach of some sort that I had to go in and try to fix. I am pretty good with computers but not the greatest at networking. Of course, customer service could not help because the router was no longer in that magical 3 month window in which I could get some horrendous, outsourced customer service. I would never pay them $50 to extend your warranty. They won't help you anyway.

I also don't know why it took so long to receive this email. I got mine yesterday, however the website clearly states that it was discovered in early May?

I'm sorry that I don't know the answers to any of your questions but I understand where you are coming from and feel the need to vent as well.

Message 15 of 49
hawki
Apprentice

Re: Web GUI Password Recovery and Exposure Security Vulnerability

Thanks pookie for your thoughtful understanding of my outrage.

Message 16 of 49
hawki
Apprentice

Re: Web GUI Password Recovery and Exposure Security Vulnerability

In the automobile industry when a design defect that threatens the wellbeing of a customer is discovered, the offending company issues a recall and fixes the threat for free.

The proposed solution is unworkable on my system now that it is confirmed to be real and not a scam as I was misinformed by Netgear's poor excuse for a competent Tech Support Staff.

It is amoral and a bad business practice that I should now have to pay Netgear $50 to get help in fixing Netgear's critical design flaw.

It shocks the conscience.

Pardon my emotional outrage.

NB: Sent via an unsecured wi-fi network.

Message 17 of 49
hawki
Apprentice

Re: Web GUI Password Recovery and Exposure Security Vulnerability

Thanks for your reply 🙂

 

But, the vulnerability notice includes a specific fix that is unworkable on my PC and GUI. Yes, it says it will be fixed in an upcoming firmware update. But until then what?

Message 18 of 49

Re: Web GUI Password Recovery and Exposure Security Vulnerability

Are there any reports of anyone anywhere being hit by this threat?

Could it be one of those theoretical issues that will affect you only if you are attacked by someone wearing a tin-foil hat operating a quantum computer?

Message 19 of 49
hawki
Apprentice

Re: Web GUI Password Recovery and Exposure Security Vulnerability

I have had my post that I referred to on another forum deleted so as to prevent the possibility of someone's failing to act on the basis of Netgear's Uninformed Tech Support's Misinformation.

Message 20 of 49
TheEther
Guru

Re: Web GUI Password Recovery and Exposure Security Vulnerability

Netgear's customer support policy leaves a lot to be desired, but on the issue of taking two months to inform customers about this vulnerability, it is not necessarily unreasonable.

What!?! How can that be? When it comes to a security vulnerability, it's counterproductive to make a public announcement until one is sure that the vulnerability is real and, ideally, one has a fix available. The last thing you want to do is tell every hacker in the world that you have an unpatched flaw with no fix in sight.

Automobile recalls? You'd be surprised how many safety issues never result in recalls. Look how long GM took to fess up on the key ignition flaw. They got caught in that one, but for every issue like that, there are probably several more being buried. Or they are documented as non-mandatory service bulletins, where the customer has to ask for the fix, provided they know about it!

In the security industry, it's common for white hat hackers to quietly work with companies to fix vulnerabilities. This process takes time. White hats will often prescribe a certain amount of time before they publicize a bug. This is done to incentivize a company to not drag its feet. It's possible that Netgear took too long, or perhaps the news simply leaked out and they were forced to make a public statement.

Do you have a right to be frustrated? Sure. But hopefully you can see the other side of the coin.

This particular bug is similar to other bugs in that it requires a hacker to already have inside access to your network in order to attack your router. If a hacker has access to your network, you have already lost the war. Who cares about the battle over your router? Actually, you should care, but I hope you get my point.

For this reason, I've been advocating in other threads to not enable password recovery. I do not represent Netgear and this advice is my own. Use it at your own risk.

Message 21 of 49

Re: Web GUI Password Recovery and Exposure Security Vulnerability


@TheEther wrote:

Automobile recalls? You'd be surprised how many safety issues never result in recalls. Look how long GM took to fess up on the key ignition flaw. They got caught in that one, but for every issue like that, there are probably several more being buried. Or they are documented as non-mandatory service bulletins, where the customer has to ask for the fix, provided they know about it!

Even when they do happen, recalls in this sector are phased. They don't call up all cars immediately.

The urgency depends on the severity of the issue. Something that has minimal safety implications can wait.

Likewise with IT stuff. If a bug means that planes could fall out of the sky, there is a rush to fix it. If it just means a few sleepless nights for the terminally paranoid, what's the hurry?

Message 22 of 49
hawki
Apprentice

Re: Web GUI Password Recovery and Exposure Security Vulnerability

Hello TheEther 🙂

I agree that a company needs time, perhaps several months, to investigate the cause and extent of a vulnerability or security breach before notifying affected customers.

BUT that is not what happened here. The Security Notice on the Netgear Website was posted in early May (This morning that page was taken down with a notation that it may be in the process of being modified.) If you look through the comments you will see that many received the email in early to late May. Some received it in early June and I received it yesterday.

So while parts of your comment are totally valid, they are totally inapplicable to my complaint.

Respectfully,

hawkeye

Message 23 of 49
hawki
Apprentice

Re: Web GUI Password Recovery and Exposure Security Vulnerability

michaelkenward:

My reference to auto recalls was in the context of complaining about the cost to get help to fix the vulnerability (in my case $50) since my Wifi Cable Router Gateway was purchased 12 months ago. I will need help since my Netgear GUI Change PW Page has no checkmark box to "enable PW Recovery."

I was not using the auto recall analogy as a standard for the length of time from discovery of a defect to customer notification. I was using it as a comparable case of manufacturer cost responsibility for a defect. I am highly security aware and have a triple layered security set up and use two on demand second opinion security scanners. I keep current on security and internet privacy news on an hourly basis. I am not aware of Netgear having issued a press release on this vulnerability as other security and hardware companies do. The way Netgear handled this Vulnerability is Shameful: Unaware Tech Support giving out potentially disastrous misinformation; email Notification to me two months after it was posted in The Security Advisory Section; a fix that myself and others, as reported on this forum, can not make; and a totally non-responsive answer to a filed emailed support ticket.

I did submit a case ticket by email that is limited to 150 characters. I stated my problem to be that I had no "enable PW Recovery" box on my Change PW Page to enable PW Recovery, the suggested security fix.

I received a response similar to the following. It was totally unresponsive to my question. "To change your password go to the change PW page, enter your new PW, confirm the new PW, click OK, close GUI." NADA about how to find the "enable PW Recovery box."

Netgear's approach in its handling of this matter is an inexcusable disgrace.

hawkeye

Message 24 of 49

Re: Web GUI Password Recovery and Exposure Security Vulnerability


@hawki wrote:

michaelkenward:

My reference to auto recalls was in the context of complaining about the cost to get help to fix the vulnerability (in my case $50) since my Wifi Cable Router Gateway was purchased 12 months ago. I will need help since my Netgear GUI Change PW Page has no checkmark box to "enable PW Recovery."

Some IT businesses offer "support" that is so bad that user-to-user forums are a better option.

Perhaps you could have tried asking your question here before giving money to Netgear.

Message 25 of 49