Apprentice

NETGEAR Routers and CVE-2016-582384 security vulnerability

I am a bit concerned about this recent article:

http://www.zdnet.com/article/two-netgear-routers-are-vulnerable-to-trivial-to-remote-hack/
https://www.kb.cert.org/vuls/id/582384

Details:

Overview

Netgear R7000 and R6400 routers and possibly other models are vulnerable to arbitrary command injection.

Description

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Netgear R7000, firmware version 1.0.7.2_1.1.93 and possibly earlier, and R6400, firmware version 1.0.1.6_1.0.4 and possibly earlier, contain an arbitrary command injection vulnerability. By convincing a user to visit a specially crafted web site, a remote attacker may execute arbitrary commands with root privileges on affected routers. A LAN-based attacker may do the same by issuing a direct request, e.g. by visiting:

http:///cgi-bin/;COMMAND

An exploit leveraging this vulnerability has been publicly disclosed.

Impact

By convincing a user to visit a specially crafted web site, a remote attacker may execute arbitrary commands with root privileges on affected routers.

Solution

The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround.

Discontinue use

Exploiting this vulnerability is trivial. Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available.

---------------------------

Can someone from NetGear address this issue? I am running one level behind on my firmware, because I liked the fact that my router could double as my ARLO base station. However, reading this warning from CERT is causing me to be concerned. This router was not cheap, and I have had it for less than a year. If I have to get rid of it, because the issue cannot be resolved, then I would like some kind of compensation or trade in value. Regards.

//shutdown -h now
Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 1 of 234

Accepted Solutions
NETGEAR Employee Retired

Re: Two leading Netgear routers are vulnerable to a severe security flaw


NETGEAR is aware of the security issue #582384 affecting R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, D6400 routers. Stay updated here: http://kb.netgear.com/000036386/CVE-2016-582384

 

We now have beta firmware containing fixes for some affected models.

We're working hard on fixes for the other affected models and will update the security ticket above soon.

 

**** UPDATE from NETGEAR - Added by ChristineT on 12/15/16 at 10:30 AM PST ****

 

To our NETGEAR Community, we sincerely apologize for any complications you may have encountered due to the recently publicized vulnerability, referred to as VU 582384. We initially became aware of this vulnerability last Friday when CERT emailed us, and because we had no record of a prior report, we began our standard process of validation prior to making any public statements. 

 

Once it had been disclosed that the first notification actually occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part. While no security reporting system is perfect, we aim to do better, and are evaluating how to improve our response process.

 

NETGEAR has created a channel for security researchers and other members of the public to contact us regarding potential security issues affecting NETGEAR products (security@netgear.com), which is publicly disclosed from the NETGEAR Product Security Advisory page.  We receive numerous emails through this channel, the overwhelming majority of which, on review, do not raise product security issues.  When we do recognize that there is a security risk to our customers, we work diligently to address them in a timely manner, as we have done in this case since learning about it last Friday.

 

Security Advisory for VU 582384 knowledgebase article.

NETGEAR Product Security Advisory page.

 

 


Message 39 of 234

All Replies
Initiate

Re: Two leading Netgear routers are vulnerable to a severe security flaw

Count me in. Just bought this in July, and all Netgear can say is "uh, we know you spent $200 in this, but you shouldn't use it anymore"?

I hope this changes soon
Message 2 of 234
Master

Re: Two leading Netgear routers are vulnerable to a severe security flaw

For R7000, there are options... Go here and load this firmware. Easy instructions on top page. Problem solved..

Message 3 of 234
Apprentice

Re: Two leading Netgear routers are vulnerable to a severe security flaw

Sure, I could do something like that, but I would suspect that puts me out of support for this router.  Not to mention I am one level behind because I don't want to run my arlo base station, my router manages the cameras.  Really wish they would keep that going with newer builds.  I am hoping that NetGear can add a comment here, saying they are at least aware and working on a fix.  I'd rather know that they are going to do something, before putting a different os on the router.  But thanks for that link. Question, did you attempt to load that on your router?  Are you running that build now?  

//shutdown -h now
Message 4 of 234
Retired_Member
Not applicable

Re: Two leading Netgear routers are vulnerable to a severe security flaw

When you bought the r7000 did it advertise the Arlo option?

 

Also I used the suggested FW without a problem.

Message 5 of 234
Master

Re: Two leading Netgear routers are vulnerable to a severe security flaw


@3v3ntH0riz0n wrote:

Sure, I could do something like that, but I would suspect that puts me out of support for this router.  Not to mention I am one level behind because I don't want to run my arlo base station, my router manages the cameras.  Really wish they would keep that going with newer builds.  I am hoping that NetGear can add a comment here, saying they are at least aware and working on a fix.  I'd rather know that they are going to do something, before putting a different os on the router.  But thanks for that link. Question, did you attempt to load that on your router?  Are you running that build now?  

 

I have 3 R7000's loaded with I believe 380_6.2.1. Used various versions of Asuswrt-Merlin firmware for a couple of years, with no issues. All 3 R7000's are powered off and up for sale now. I am running Unifi WAP's and a bunch of Ubiquiti devices (router and switches). Grew tired of the home router consumer niche..


 

Message 6 of 234
Apprentice

Re: Two leading Netgear routers are vulnerable to a severe security flaw

No it wasn't. It was a nice surprise with a firmware update, that they removed in the build shortly after. So you flashed out of your netgear OS on your router, using that link provided?

//shutdown -h now
Message 7 of 234
Retired_Member
Not applicable

Re: Two leading Netgear routers are vulnerable to a severe security flaw

Yes! Several times. I wish it was available for the R8500

Message 8 of 234

Re: Two leading Netgear routers are vulnerable to a severe security flaw

This might be interesting:

 

Re: Netgear routers found to have critical vulnera... - NETGEAR Communities

 

 

Just another user.

My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V
Message 9 of 234
Guide

Re: Two leading Netgear routers are vulnerable to a severe security flaw

I have the Nighthawk X6 R8000 router and tried the exploit (using the "ls" command).  The router returned a directory listing. I was not logged into the router at the time, and the router requires authentication normally to log in.  So, it seems that the current software on the R8000 is also vulnerable !!!!!

I hate to have to purchase a different router, but don't see how I can continue to use this one.  Hope a new software release will be available soon.

 

Message 10 of 234

Re: Two leading Netgear routers are vulnerable to a severe security flaw

I tested the exploit (to the best of my ability) and found that it does not seem to work with firmware version V1.0.3.68_1.1.31 .  The string causes the router to request the admin login and then fails to the "Unauthorized Access" screen.  The command after the semicolon does not appear to be executed.  Unfortunately, I could only test from my local network, so I cannot confirm whether this is a "universal fix".

 

Although this is an older version of the firmware, it may be a work around while NetGear works up a patch.  I believe that some of the older versions are archived online.

 

Regardless, be safe.

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 11 of 234

Re: Two leading Netgear routers are vulnerable to a severe security flaw


@Coherent_Lite wrote:

I believe that some of the older versions are archived online.

 


 

You can find about a dozen firmware versions here:

 

R8000 | Product | Support | NETGEAR

 

 

Just another user.

My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V
Message 12 of 234
Master

Re: Two leading Netgear routers are vulnerable to a severe security flaw

I tried using a supposed exploit from HERE and entered for the URL http://192.168.1.1/cgi-bin/;ls and all I see is partial HTML display?

 

Entering http://192.168.1.1/cgi-bin/;COMMAND did the same?

 

Am I missing something here?

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 13 of 234
Guide

Re: Two leading Netgear routers are vulnerable to a severe security flaw

My router is at 192.168.1.254.  First, I checked by going to the router web GUI and received the authentication page, since I was not logged in. I wanted to make sure my login was not cached.

Then, I did exactly what you did. I copied your link with the "ls" in the line, substituting .254 for .1.

Here is what I got back -- and yes, it is a partial HTML display, but it is a valid and proper response to the ls command -- it gave a directory listing:

bin
dev
etc
lib
media
mnt
opt
proc
sbin
share
sys
tmp
usr
var
www



I was using a Chrome browser on a Mac, but that should not matter. Bottom line - at least for me is that it ran the ls command.  

I am going to try to go back to a previous SW release and hope it works without the flaw.  Otherwise, I will have to try Tomato or DD-WRT, and I really do not want to have to do that and reset everything.

 

Message 14 of 234

Re: Two leading Netgear routers are vulnerable to a severe security flaw

I have been playing with the proof-of-concept strings a little bit more.  First, I note that the exploit-db website has two different versions: one with a "cgi-bin" directory and the other without.  I tried both with my R7000 running the older firmware (I never upgraded due to issues with the 1.06(?) firmware).  The results are as follows:

 

Without the "cgi-bin" directory designation, trying both the ls command and the telnet command, the router requests the admin login and then fails to the "Unauthorized access" screen.  The commands do not appear to be executed.

 

With the "cgi-bin" directory included, the router returns a "Resource Not Found" error, but neither command was executed.  Perhaps a more experienced user might be able to explain this, but it seems to me like the request is being interpreted by the router and then failed due to the directory not being found.  If so, then is it possible that a re-crafted string might work on the older firmware?

 

 

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 15 of 234
Guide

Re: Two leading Netgear routers are vulnerable to a severe security flaw

SUCCESS! ! !

At least for the R8000 router.

I downgraded to V1.0.2.46_1.0.97, which is the most recent non-current version. The downgrade went flawlessly -- no problems at all. I did not lose any settings, so all seems to be working. I tried the exploit and it did not work. Like others have reported (after making sure I was logged out of the router), it returned a page saying I was not authorized.

 

I hope Netgear will provide a new software update for the router. I do not like running an old version -- I feel like there were probably some problems that were fixed in the newer version, but the newer version has an extremely dangerous flaw.

 

Someone mentioned connecting via the internet (WAN) side vs the LAN or home side. The PROBLEM is, that your web browser AT HOME, within your LAN could go to a web page, even on a well known site that has a link on a picture (or like within an ad) that has that command embedded. You do not have to type it in to the top line. It can be an embedded link, and it will run the link and affect the router.


But -- good for now -- or at least, I feel safer.

 

Message 16 of 234
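The request shape discussed in this thread, `/cgi-bin/;COMMAND` or `/;COMMAND` sent to the router's LAN address either directly or from a link embedded in another page, can be looked for in outbound HTTP logs. The following is an added example, not part of the original thread or any NETGEAR code; the log line format, the sample lines and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in an assumed format: client "METHOD URL" "Referer".
SAMPLE_LOG = """\
192.168.1.23 "GET http://192.168.1.1/start.htm" "-"
192.168.1.23 "GET http://192.168.1.1/cgi-bin/;ls" "-"
192.168.1.40 "GET http://192.168.1.254/cgi-bin/%3Bls" "http://ads.example.net/banner.html"
192.168.1.40 "GET http://192.168.1.254/;ls" "http://192.168.1.254/start.htm"
192.168.1.51 "GET http://www.example.com/cgi-bin/search;jsessionid=1" "-"
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" "([^"]*)"$')
# Path shapes reported in the thread: ";COMMAND" right after "/" or "/cgi-bin/".
INJECT_RE = re.compile(r'^/(?:cgi-bin/)?;(.*)$')


def is_private(host):
    """True only for literal IP addresses in private or local ranges."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # hostnames are out of scope for this check


def classify(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, _method, url, referer = m.groups()
    parts = urlsplit(url)
    if not is_private(parts.hostname or ""):
        return None
    # Decode percent-escapes first so "%3B" is treated like ";".
    hit = INJECT_RE.match(unquote(parts.path))
    if not hit:
        return None
    ref_host = urlsplit(referer).hostname if referer != "-" else None
    if ref_host is None:
        origin = "direct"        # typed or scripted request, no referring page
    elif ref_host == parts.hostname:
        origin = "same-host"     # referred by the router's own pages
    else:
        origin = "cross-site"    # link or image embedded in another site
    return {"client": client, "router": parts.hostname,
            "tail": hit.group(1), "origin": origin}


def scan(text):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, text.splitlines()) if f]
```

A `cross-site` finding identifies the LAN client whose browser was steered to the router by an external page, which is the case a WAN-side firewall rule does not cover.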
Guide

Re: Two leading Netgear routers are vulnerable to a severe security flaw

WOOPSEY -- I was wrong.

It seemed like the fix (downgrading) worked. I even tried a couple of times. But after closing the web browser and going back to try again (I was going to try with and without the cgi-bin in the line) -- it FAILED. That is, it returned the directory listing. I checked, and the router is reporting the older software, so for some reason, it does not work either, and is subject to the flaw. I will be going back to the current software, but still looking for a fix. It looks like a basic problem.

So, just to confirm, with the older software V1.0.2.46_1.0.97, I still have the problem.

 

Message 17 of 234

Re: Two leading Netgear routers are vulnerable to a severe security flaw

Drat.  Sorry to hear it.  I tried doing what you described with my R7000 and it seems to still be "safe".  I will treat it as a "suspect work-around".

 

Thanks for the update.

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 18 of 234
Master

Re: Two leading Netgear routers are vulnerable to a severe security flaw

Yes, I did get that at the bottom,

 

=========

bin
dev
etc
lib
media
mnt
opt
proc
sbin
share
sys
tmp
usr
var
www

However there were umpteen lines above it with partial HTML:

 

alue)
    {

        var button;
        
        button=document.getElementsByName('buttonHit');
        button[0].value=btn.name;

        button=document.getElementsByName('buttonValue');
        button[0].value=value;
        return true;
    }

  function clickButton(message)
  {
      alert(message);
  }
  
  function mainOnload()
  {
  	
  }



  function changeCursorPointer()
  {
  	document.body.style.cursor='pointer';
  }

  function changeCursorDefault()
  {
  	document.body.style.cursor='default';
  }


  function iframeResize(iframe){
alert("Enter iframeResize "+iframe);
              if(iframe && !window.opera){
              	
      	          if(iframe.contentDocument && iframe.contentDocument.body.offsetHeight){      	          		
alert('before '+iframe.height+" document "+iframe.Document.body.offsetHeight);
                      iframe.height=iframe.contentDocument.body.offsetHeight+80;  
alert('after '+iframe.height);
                  }
        	        else if(iframe.Document && iframe.Document.body.scrollHeight){
alert('before '+iframe.style.height+" document "+iframe.Document.body.scrollHeight);

      	              iframe.style.height=iframe.Document.body.scrollHeight;
alert('after '+iframe.style.height); 

Literally hundreds of lines like that.

 

Although the end is the expected output, does that really mean 'something' could be done to/on the router?

Message 19 of 234
Guide

Re: Two leading Netgear routers are vulnerable to a severe security flaw

I would assume - yes.  You asked for a directory listing, and it gave it to you. The report is, that telnet worked also.  I could not think of an easy command to use that would prove a security breach without doing harm.  I have gone back and forth with the old and new software a couple of times now, and have made sure that browser cache was cleared each time, and that I was not logged into the router.  And, it FAILED every time.  That is, even with the older software, the security problem still existed. I got a directory listing with the "ls" command issued.

I will have to try Tomato this afternoon. Or go buy (another) new, expensive router.

 

Message 20 of 234

Re: Two leading Netgear routers are vulnerable to a severe security flaw

Temporary solution can be found here.

 

tl;dr – a quick overview

Here are the three steps (explanation below):

  1. Open a web browser and visit the following URL:
    http://[router-address]/cgi-bin/;telnetd$IFS-p$IFS'12346'
    (it’ll look like it’s loading a page, just leave the window open and continue with the next step)
  2. Type the following in a console / terminal window / command prompt:
    telnet [router-address] 12346
    You will (should) now have BusyBox root access to your router.
  3. Type in the following to terminate the router’s web server process:
    killall httpd 

     

    done!

Message 21 of 234

Re: Two leading Netgear routers are vulnerable to a severe security flaw

Thank you for sharing this. I read the article. According to that documentation the fix is only good until you reboot the router.

Also, you are disabling your ability to log in to the router, until you reboot it.

 

I went to my public IP address using this URL and I can see that I am seeing a lot of Javascript. Wow, that is really bad.

Message 22 of 234
Apprentice

Re: Two leading Netgear routers are vulnerable to a severe security flaw

@GinaGerson
The procedure kills the httpd, but it leaves telnetd running. Well, I guess it's better than a wide open web interface.
Message 23 of 234
Apprentice

Re: Two leading Netgear routers are vulnerable to a severe security flaw

Thanks for this.  I killed the web service on the router.  Is Netgear aware or acknowledging this?  I saw another blog post today talking about this exploit.

//shutdown -h now
Message 24 of 234
Virtuoso

Re: Two leading Netgear routers are vulnerable to a severe security flaw

Is X-10 R9000 also affected? Can someone please check?

 

It is a new product, so ZDNet might not have tested it.

Message 25 of 234