3v3ntH0riz0n
Dec 09, 2016Apprentice
NETGEAR Routers and CVE-2016-582384 security vulnerability
I am a bit concerned about this recent article:
http://www.zdnet.com/article/two-netgear-routers-are-vulnerable-to-trivial-to-remote-hack/
https://www.kb.cert.org/vuls/id/582384
Details:
Overview
Netgear R7000 and R6400 routers and possibly other models are vulnerable to arbitrary command injection.
Description
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Netgear R7000, firmware version 1.0.7.2_1.1.93 and possibly earlier, and R6400, firmware version 1.0.1.6_1.0.4 and possibly earlier, contain an arbitrary command injection vulnerability. By convincing a user to visit a specially crafted web site, a remote attacker may execute arbitrary commands with root privileges on affected routers. A LAN-based attacker may do the same by issuing a direct request, e.g. by visiting:
http:///cgi-bin/;COMMAND
An exploit leveraging this vulnerability has been publicly disclosed.
Impact
By convincing a user to visit a specially crafted web site, a remote attacker may execute arbitrary commands with root privileges on affected routers.
Solution
The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround.
Discontinue use
Exploiting this vulnerability is trivial. Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available.
---------------------------
Can someone from NetGear address this issue? I am running one level behind on my firmware, because I liked the fact that my router could double as my ARLO base station. However, reading this warning from CERT is causing me to be concerned. This router was not cheap, and I have had it for less than a year. If I have to get rid of it, because the issue cannot be resolved, then I would like some kind of compensation or trade in value.
Regards.
NETGEAR is aware of the security issue #582384 affecting R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, D6400 routers. Stay updated here: http://kb.netgear.com/000036386/CVE-2016-582384
We now have beta firmware containing fixes for some affected models.
We're working hard on fixes for the other affected models and will update the security ticket above soon.
**** UPDATE from NETGEAR - Added by ChristineT on 12/15/16 at 10:30 AM PST ****
To our NETGEAR Community, we sincerely apologize for any complications you may have encountered due to the recently publicized vulnerability, referred to as VU 582384. We initially became aware of this vulnerability last Friday when CERT emailed us, and because we had no record of a prior report, we began our standard process of validation prior to making any public statements.
Once it had been disclosed that the first notification actually occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part. While no security reporting system is perfect, we aim to do better, and are evaluating how to improve our response process.
NETGEAR has created a channel for security researchers and other members of the public to contact us regarding potential security issues affecting NETGEAR products (security@netgear.com), which is publicly disclosed from the NETGEAR Product Security Advisory page. We receive numerous emails through this channel, the overwhelming majority of which, on review, do not raise product security issues. When we do recognize that there is a security risk to our customers, we work diligently to address them in a timely manner, as we have done in this case since learning about it last Friday.
Security Advisory for VU 582384 knowledgebase article.
NETGEAR Product Security Advisory page.
233 Replies
- meetloafInitiate
Count me in. Just bought this in July, and all Netgear can say is "uh, we know you spent $200 in this, but you shouldn't use it anymore"?
I hope this changes soon
- 3v3ntH0riz0nApprentice
Sure, I could do something like that, but I would suspect that puts me out of support for this router. Not to mention I am one level behind because I don't want to run my arlo base station, my router manages the cameras. Really wish they would keep that going with newer builds. I am hoping that NetGear can add a comment here, saying they are at least aware and working on a fix. I'd rather know that they are going to do something, before putting a different os on the router. But thanks for that link. Question, did you attempt to load that on your router? Are you running that build now?
- michaelkenwardGuru - Experienced User
This might be interesting:
Re: Netgear routers found to have critical vulnera... - NETGEAR Communities
- JMNBAspirant
Thank you all for your responses. Here's my specific complaints about the Netgear instructions for the security issue:
I clicked on the link for "instructions" that came in the email alerting me to the problem. The first bit of advice was to connect your computer to the router via ethernet cable instead of using a wireless connection. There is no mention of what to do if, like millions of users, your laptop has no ethernet port.
The first numbered bullet advises: "Write down all the settings which you changed from the default values since you may need to re-enter them manually." I have no idea what "default values" are so I went to the next step.
Step number three asks you to log-in to the router. It asks for a user name and password. Up to that point I had never been to the Netgear site and therefore had no user name or password. One of you helpful told me what to use, but why isn't that info on the log-in page. Or more importantly, why doesn't Netgear just log you in since EVERYONE is "admin" and the password is "password"?
Finally, in the "important tips", it advises you that "The upgrade process is completed when the on-screen progress bar completes. If power light LED turns amber and blinking, POWER CYCLE THE ROUTER (caps added) to complete the upgrade." Power cycle the router? What does that even mean? How do you do it?
Perhaps Netgear should have Community members review their proposed "instructions" before they release them to the general public.
Thanks to all of you who responded so quickly.
Jon (JMNB)
- climb74Guide
So what is the timeline to a patch? After spending over 200 bucks for a router I expect that the vendor is going to support their product. Fair warning, I will be very vocal about my dissatisfaction if I have to go out and buy a new router. Considering I have an extensive career in Information Security, my voice may carry some weight... The current lack of response is disconcerting to say the least considering that there is an exploit available in the wild.
- 3v3ntH0riz0nApprentice
I would recommend twitter, to voice concern (netgearhelp I think is the tag). We could also post to review sites (amazon.com, newegg, and even Netgear's site). Use social media, like FB to post reviews or rank the item. This might get their attention. This bug has been known about since Friday, and Netgear has yet to respond. Unacceptable.
- wawilmsnGuide
I have the Nighthawk X6 R8000 router and tried the exploit (using the "ls" command). The router returned a directory listing. I was not logged into the router at the time, and the router requires authentication normally to log in. So, it seems that the current software on the R8000 is also vulnerable !!!!!
I hate to have to purchase a different router, but don't see how I can continue to use this one. Hope a new software release will be available soon.
I tested the exploit (to the best of my ability) and found that it does not seem to work with firmware version V1.0.3.68_1.1.31 . The string causes the router to request the admin login and then fails to the "Unauthorized Access" screen. The command after the semicolon does not appear to be executed. Unfortunately, I could only test from my local network, so I cannot confirm whether this is a "universal fix".
Although this is an older version of the firmware, it may be a work around while NetGear works up a patch. I believe that some of the older versions are archived online.
Regardless, be safe.
- michaelkenwardGuru - Experienced User
Coherent_Lite wrote:
I believe that some of the older versions are archived online.
You can find about a dozen firmware versions here:
R8000 | Product | Support | NETGEAR
- IrvSpMaster
I tried using a supposed exploit from HERE and entered for the URL http://192.168.1.1/cgi-bin/;ls and all I see is partial HTML display?
Entering http://192.168.1.1/cgi-bin/;COMMAND did the same?
Am I missing something here?
- wawilmsnGuide
My router is at 192.168.1.254. First, I checked by going to the router web GUI and received the authentication page, since I was not logged in. I wanted to make sure my login was not cached.
Then, I did exactly what you did. I copied your link with the "ls" in the line, substituting .254 for .1.
Here is what I got back -- and yes, it is a partial HTML display, but it is a valid and proper response to the ls command -- it gave a directory listing:
bin dev etc lib media mnt opt proc sbin share sys tmp usr var www
I was using a Chrome browser on a Mac, but that should not matter. Bottom line - at least for me is that it ran the ls command.
I am going to try to go back to a previous SW release and hope it works without the flaw. Otherwise, I will have to try Tomato or DD-WRT, and I really do not want to have to do that and reset everything.
- kochinApprentice
GinaGerson The procedure kills the httpd, but it leaves telnetd running. Well, I guess it's better than a wide open web interface.
- virtigexInitiate
According to https://mobile.slashdot.org/story/16/12/11/1832234/vulnerability-prompts-warning-stop-using-netgear-wifi-routers 'Proof-of-concept exploit code was released by a Twitter user who, according to the article, said "he informed Netgear of the flaw more than four months ago, but did not hear back from the company since then."' Netgear needs to fix the vulnerability and explain why it has not done so in the last four months.
Is there a way to tell if a router has been breached by a hacker?
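Added example, not part of the original thread and not NETGEAR code: one network-side way to look for use of the `/cgi-bin/;COMMAND` request form quoted above is to scan HTTP request records captured on the LAN. The tab-separated record layout, the sample lines and the function names are assumptions made for this sketch.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed sample records (tab-separated: time, client, host, URI, referer).
SAMPLE_LOG = """\
2016-12-10T09:14:02Z\t192.168.1.23\t192.168.1.1\t/start.htm\t-
2016-12-10T09:15:40Z\t192.168.1.23\t192.168.1.1\t/cgi-bin/;uname$IFS-a\t-
2016-12-10T21:03:11Z\t192.168.1.57\twww.routerlogin.net\t/cgi-bin/%3Bls\thttp://ads.example/banner.html
2016-12-11T08:00:00Z\t192.168.1.23\t192.168.1.1\t/cgi-bin/status.cgi\thttp://192.168.1.1/start.htm
"""

# Router host names used in this thread; extend for your own network (assumption).
ROUTER_NAMES = {"www.routerlogin.net", "routerlogin.net"}
INJECT = re.compile(r"^/cgi-bin/;(?P<cmd>.*)$")

def is_local(host):
    """True for the router's well-known names and for private IP literals."""
    if host.lower() in ROUTER_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False

def find_injection_attempts(log_text):
    """Return one dict per request whose decoded path is /cgi-bin/;<command>."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue  # skip malformed records
        ts, client, host, uri, referer = parts
        m = INJECT.match(unquote(uri))  # unquote catches %3B-encoded semicolons
        if not m or not is_local(host):
            continue
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        # An external referer matches the "specially crafted web site" scenario.
        origin = ("direct" if ref_host is None
                  else "lan-page" if is_local(ref_host) else "cross-site")
        hits.append({"time": ts, "client": client, "target": host,
                     "command": m.group("cmd").replace("$IFS", " "),
                     "origin": origin})
    return hits

if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(hit)
```

A hit shows that such a request was sent to the router, not that the command ran; it also says nothing about changes already made on the device itself.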
- RC0101-2Aspirant
Does this affect the r8500?
- 3v3ntH0riz0nApprentice
RC0101-2 wrote:
Does this affect the r8500?
You would have to test the sample code:
Step 1 (optional): verify you’re vulnerable
Open your browser and visit the following address:
http://[router-address]/cgi-bin/;uname$IFS-a
(For most people, this URL will work: http://www.routerlogin.net/cgi-bin/;uname$IFS-a)
If a web page appears (which is not an error): you’re vulnerable. In my case, the page contains a text that starts with: Linux R7000 2.6.36.4brcmarm+ (...).
Link to blog post for the rest: http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/
- RC0101-2Aspirant
Thank you...It looks like I am affected. However, I follow the steps to kill the vulnerability but it doesn't seem to work. After I follow the steps I recheck and I am still getting "Linixu r8500..."
Any ideas? I have tried the router login and also my routers IP address....Maybe it's just time I move on from Netgear...
*edit - I believe I got it working. I get a page cannot be displayed when testing. Still my confidence in Netgear is at an all time low and am thinking I will go with a different company.
- SeaSaltGuide
I flashed the beta firmware on my R6400 in the early hours and after some basic testing it seems the issue has been resolved.
I tried 2 different tests, all done in Edge and Firefox.
-Running the reboot command directly: Was prompted for credentials
-Running the reboot command in a tab while another had routerlogin.net logged in: Was prompted for credentials once more
The fact that a fix had come four months after being reported is still ridiculous, but at least I can now remain on stock firmware without jumping to open source solutions.
- climb74Guide
SeaSalt, I gave up on actual support from netgear and flashed my device with DD-WRT. At least I get actual support from the OpenSource community... You would figure that a company who actually makes money on a product would take support of their product more seriously than someone doing the job in their spare time for free... but apparently that is not the case. I owned the device less than a year and after spending a decent amount of money on it I had to wash my hands of the vendor... talk about disappointing!
- SeaSaltGuide
climb74 I agree, I'm incredibly disappointed with my purchase. There's a lack of support from Netgear and that is unnerving for the price point of these products.
I tried out the open-source solutions, and though the featureset satisfied me, the throughput for wireless and wired was much lower compared to Netgear's stock firmware. I can't jump ship just yet, at least until the open-source community improves the firmware.
Thanks slot Netgear, I like knowing my router just hit its expiration date from every tech news outlet. Seeing recommendations that I shouldn't use the router from security officials is **bleep**ty when there was an opportunity to fix it
- mdgm-ntgrNETGEAR Employee Retired
ScottKitty wrote:
Thanks slot Netgear, I like knowing my router just hit its expiration date from every tech news outlet.
There is beta firmware with a fix available for your R7000 with production firmware on the way. Your router has not hit an "expiration date".
- SeaSaltGuide
alokeprasad I think if you keep your browsing contained you should be fine. Be wary of ads, however, and keep an eye on devices that comment to a lot of things over the internet.
Web pages aren't just simple HTML pages anymore.
- Rilo40Aspirant
While I am thankful for the beta, any clue as to when a final version will be out? I'm never comfortable running beta firmware on a router for too long of a time.
- mdgm-ntgrNETGEAR Employee Retired
Putting an ETA on things like that is always difficult as it's difficult to predict how long QA testing will take. If both no regressions (issues not present in the previous firmware release) are found and included fixes are verified readily then it will be quicker than if we decide that there are more changes needed.
Naturally we are as keen as you for this process to complete as quickly as possible and we will update the advisory when the final version is available.
Thanks for your patience.