Orbi WiFi 7 RBE973
Reply

Re: Avast Vulnerability Catalogue ID CVE-2017-14491 for the Nighthawk R7000 ac1900 dualband wifi rou

sixteen59
Aspirant

Re: Avast Vulnerability Catalogue ID CVE-2017-14491 for the Nighthawk R7000 ac1900 dualband wifi rou

I'm wondering how it is that there can be such differences in the versions of dnsmasq in various models firmware. I have an R6400 (v1) which uses dnsmasq version 2.15 (released in 2004) in it's latest and it appears in all firmware ever released for this model. How does a router model released in 2015 get firmware compiled using such incredibily outdated source? Why do I see older models with newer versions? WTF is the dev process here? There are older routers listed that use far newer versions but I'm not sure any of Netgears use anything post 2.78 yet. In fact it seems that Netgear is actively ignoring this verified and published CVE from over half a year ago. There's another thread where a mod (who I just called out in a personal message) closed right away claiming it to be a false positive. There are other routers of other brands where ludicrous responses are given on this CVE as well. Honestly I don't care at this point if it is a false (it's not), I'm fed up with the handling and dev of firmware in general. Digging so deep into this has really exposed to me the ludicrous manner in which Netgear devs compile firmware. All open sources like dnsmasq should be based on the latest (stable) versions. I'm getting pretty PO'd about this whole thing. 20+ years a Netgear relationship as a customer and before that Bay. Maybe the real solution here is I go to dd-wrt on this particular unit. I'm surely at this point not going to be purchasing another or in my consultant capacity pushing any Netgear hardware, period.

Message 26 of 43
sixteen59
Aspirant

Re: Avast Vulnerability Catalogue ID CVE-2017-14491 for the Nighthawk R7000 ac1900 dualband wifi ...

This is Netgears job, not those they sell to.

Message 27 of 43
Squair
Guide

Re: Avast Vulnerability Catalogue ID CVE-2017-14491 for the Nighthawk R7000 ac1900 dualband wifi rou

As of this response from tier2 support on June 30:

I got an update from our Engineering team and they have confirmed that the R6900P router is not affected by the DNSMasq Vulnerability. 

It is easy to make the problem go away by saying there is no problem. My dnsmasq is 2.75 - Avast Vulnerability Catalogue ID CVE-2017-14491 says my 6 month old Netgear router is vulnerable. I agree that it should be a priority to use the latest updates (dnsmasq 2.78 or later) to eliminate the problem or concern.

Model: R6900P|Nighthawk Smart WiFi Router with MU-MIMO
Message 28 of 43
RAJackson097
Aspirant

Re: Avast Vulnerability Catalogue ID CVE-2017-14491 for the Nighthawk R7000 ac1900 dualband wifi rou

My R7000 AC1900 still has DNSmasq vs 2.15.  Hoping that they get this updated soon.  Really bad for business to no perform updates to customer systems for a vulnerability that is over a year and a half old.

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 29 of 43
sixteen59
Aspirant

Re: Avast Vulnerability Catalogue ID CVE-2017-14491 for the Nighthawk R7000 ac1900 dualband wifi rou

Hoping isn't going to make it happen. We need to be on them about this nonsense. I was checking over the source for my R6400 which indicates a team "kathy", so I don't know if a "kathy" is responsible here or if it is indeed a team with kathy as leader. Whatever the case, as manufacturers of this hardware they are beholden to provide fixes to security issues. Compiling firmware from source that is 14 years old is negligent.

Message 30 of 43
BRWhitecotton
Aspirant

Re: Avast Vulnerability Catalogue ID CVE-2017-14491 for the Nighthawk R7000 ac1900 dualband wifi rou

I am at FW version V1.0.9.32_10.2.34 

and I get

"dnsmasq-2.15-OpenDNS-1"

returned from a Windows 10 powershell using nslookup command.

Looked this up on CVE Details and this version of dnsmasq is circa 2005.  WTH?

Come on now!

 

 

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 31 of 43
psiberfunk
Tutor

Re: Avast Vulnerability Catalogue ID CVE-2017-14491 for the Nighthawk R7000 ac1900 dualband wifi rou

This is embarassing,  I see my router is vulnerable too at version 2.15 (R7000).  Netgear, what the heck are you guys doing asleep at the wheel here ?  I regularly recommend netgear routers to my clients, but i'm going to be stopping until you fix this garbage.  It's been MONTHS.  Do the right thing and fix this.

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 32 of 43
BRWhitecotton
Aspirant

Re: Avast Vulnerability Catalogue ID CVE-2017-14491 for the Nighthawk R7000 ac1900 dualband wifi rou

I am finding it odd that dnsMasq 2.79 is the latest revision out there in open source land and we still have 2.15 in use in our routers.  THAT is a lot of proverbial water under the old revision bridge.  Since dnsMasq is open source, there should be no reason we cannot have the latest except possibly that since Netgear is a for-profit company, they are unable to use the cutting edge releases, instead, perhaps they are forced to use old code, old buggy vulnerable code in their products?!   Spit-balling here but this is the only scenario that makes sense (given no other information at all) other than Netgear having say, only 3 engineers tackling 27,518 bugs across their plethora of products.  Is that the case? Anyway, I like my Netgear products. I just want to see this fixed ASAP. Please Netgear engineers, fix this. Thanks!

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 33 of 43
Squair
Guide

Re: Avast Vulnerability Catalogue ID CVE-2017-14491 for the Nighthawk R7000 ac1900 dualband wifi rou

Blanca,
I followed your link and searched for "avast" and no results. I see your responses about where to report security isses. We report issues based on our model numbers. With so many reports of the avast dnsmasq problem, why do you cause customers the frustration of re-posting in another forum?

If the vulnerability will not be addressed, please make a NG statement to the effect. Is it a chip issue being incompatible with a firmware solution? Let us in on the joke, so to speak.
Model: R6900|Nighthawk AC1900 Smart WiFi Router
Message 34 of 43
Cafferata
Aspirant

Re: Avast Vulnerability Catalogue ID CVE-2017-14491 for the Nighthawk R7000 ac1900 dualband wifi ...

 

Its still in the firmware ? why..?

Last login: Sat Jul 14 11:08:26 on console
iMac-van-ED:~ Ed$ nslookup -type=txt -class=chaos version.bind 192.168.1.1
Server: 192.168.1.1
Address: 192.168.1.1#53

version.bind text = "dnsmasq-2.39"

Model: R7800|Nighthawk X4S AC2600 WiFi Router
Message 35 of 43
htroudi
Apprentice

Re: Avast Vulnerability Catalogue ID CVE-2017-14491 for the Nighthawk R7000 ac1900 dualband wifi ...

Exactely.....Netgear WTF!!!! TAKE CARE OF THIS NOW
Message 36 of 43
BRWhitecotton
Aspirant

Re: Avast Vulnerability Catalogue ID CVE-2017-14491 for the Nighthawk R7000 ac1900 dualband wifi ...

I am happy to report that Netgear has fixed this with the latest update applied to my router.  I updated about 5 days ago (regular update push from Netgear, not by manual download method) to version V1.0.9.34_10.2.36 and now Avast does not complain about dnsmasq and nslookup reports  "dnsmasq-2.78".

 

THANK YOU Netgear for taking care of this!!! I am sure you are tackling these issues as quickly as resources allow! Hang in there folks, help is on the way!!!

Cheers,

Brian

 

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 37 of 43
htroudi
Apprentice

Re: Avast Vulnerability Catalogue ID CVE-2017-14491 for the Nighthawk R7000 ac1900 dualband wifi ...

Can anyone tell if this is fixed on Netgear R8000P?

Model: R8000P|Nighthawk X6S—AC4000 Tri-Band WiFi Router
Message 38 of 43
htroudi
Apprentice

Re: Avast Vulnerability Catalogue ID CVE-2017-14491 for the Nighthawk R7000 ac1900 dualband wifi ...

The command nslookup -type=txt -class=chaos version.bind 192.168.1.1 gives me:

 

version.bind text = "dnsmasq-2.75"

 

So am I safe?

Model: R8000P|Nighthawk X6S—AC4000 Tri-Band WiFi Router
Message 39 of 43
schumaku
Guru

Re: Avast Vulnerability Catalogue ID CVE-2017-14491 for the Nighthawk R7000 ac1900 dualband wifi ...

For the subject CVE-2017-14491 plus a few more items to address should be 2.78 or higher. Check http://www.thekelleys.org.uk/dnsmasq/CHANGELOG

Message 40 of 43
htroudi
Apprentice

Re: Avast Vulnerability Catalogue ID CVE-2017-14491 for the Nighthawk R7000 ac1900 dualband wifi ...

So am I sade then??
Model: R8000P|Nighthawk X6S—AC4000 Tri-Band WiFi Router
Message 41 of 43
sixteen59
Aspirant

Re: Avast Vulnerability Catalogue ID CVE-2017-14491 for the Nighthawk R7000 ac1900 dualband wifi ...

Safe? No. I've repeatedly challenged support who tells us that the vulnerability doesn't exist even though they're using (inexplicably) dnsmasq versions back to 14 years old and most of them are pre-2.76. They will tell me the engineers say it isn't a concern. I say then the engineers can explain HOW it's not a concern when using versions of dnsmasq that are very obviously vulnerable version. I have a R6400 as well as a number of customers that do as well, it's vulnerable. I have customers with R7000s that are vulnerable. I have customers with R7800s that are vulnerable. And on and on. I'm not sure there's a product that's not vulnerable. Netgear doesn't care. I seriously don't understand the difficult here. Just bring on new firmware releases for every product that gets dnsmasq up to date v2.78. Bottom line is they don't give a damn.

Message 42 of 43
htroudi
Apprentice

Re: Avast Vulnerability Catalogue ID CVE-2017-14491 for the Nighthawk R7000 ac1900 dualband wifi ...

WTF!!!!!!!!!!!

Netgear come on. Why are you doing this against us customers.

You used go be a respectable network product manufacturer.

What the hell happened??

Me among others truly want to know why you don't take care of such a embarrassing security issue.

Hear me : you WILL loose customers and money if you as a company won't do radical changes.
Message 43 of 43
Top Contributors
Discussion stats
  • 42 replies
  • 32485 views
  • 28 kudos
  • 14 in conversation
Announcements

Orbi WiFi 7