Orbi WiFi 7 RBE973
Reply

NETGEAR Routers and CVE-2016-582384 security vulnerability

hggomes
Tutor

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability

Seriously? Obviously you are not getting the message...

 

Any manufacturer is subject to have have vulnerabilities on they're products, no exceptions, but when you see a company like Netgear using critical software components with almost 12 years old (OpenSSL 0.9.7f 22 March 2005) with legions of well known security flaws (CVE's) at public realm on all their products including the latest ones anyone already can see what kind of security concerns exist from their part, and still taking several months to address them...

 

It shouldn't be the end-user / client reporting this issues, don't they have eyes to see it after 12 years? Or maybe they development team doesn't know about it? Don't they see the https://cve.mitre.org/ or other online news? That's quite hillarious.

 

I'm not targetting expecifically Netgear, there's also other similar situations happening on manufacturers like D-Link, TP-Link, etc.

I'm simply reporting a real fact which should be shared and known to the general public before deciding to purchase their products, these kind of critical reporting is important and only makes company's better not worse, unfortunatelly not everyone can understand it that way.

 

I suggest you to keep supporting Netgear that way since you are quite happy with their products / support, they really apreciate it.

Message 201 of 234

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability


@IrvSp wrote:

Well, do you know when they first were alerted to the problems? Do you know how long it took them to take action? I don't know those dates?


 

In this case, Netgear has admitted that it took the eye off the ball.

 

It did receive an approach from someone who first spotted the vulnerability, but the approach seems to have been a one off email to an address at Netgear that may have ended up in the spam bin.

 

When the person who discovered the flaw made it public, it was all hands to the pumps at Netgear, with beta releases of new firmware pushed out widely within days.

 

There then followed emailings to people who had registered their hardware

 

There are blow by blow accounts of this sequence on this board.

 

Some people turned up here weeks, sometimes months, after the flap complaining – not always in language that it is easy to understand – about crimes against humanity, only to be pointed to the solutions.

 

 

 

 

 

 

Message 202 of 234
Unfiltered1
Tutor

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability

What's up with the email notification system?  I'm getting bunches of email notices that a reply has been posted and they appear to just be duplicates.  Last batch contained 17 notices and before that there was another long string.  Anyone else getting a flood of emails?

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 203 of 234
IrvSp
Master

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability


@Unfiltered1 wrote:

What's up with the email notification system?  I'm getting bunches of email notices that a reply has been posted and they appear to just be duplicates.  Last batch contained 17 notices and before that there was another long string.  Anyone else getting a flood of emails?


That usually happens when the writer either presses enter a few time or makes 'minor' editing changes, corrections or adding something after it was posted.

 

I'm only getting it for 'hggomes' posts though? Only got one for you for instance? Have not seen this in any other instances other than when ones are edited?

 

The last 2 I got from him via NG was 25 minutes apart and it was edited basically to add a link.

Message 204 of 234
hggomes
Tutor

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability

Probably the result of "Edit Reply" post, if so my fault for editing it and Netgear forum software for working that way.

Message 205 of 234
IrvSp
Master

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability


@michaelkenward wrote:

@IrvSp wrote:

Well, do you know when they first were alerted to the problems? Do you know how long it took them to take action? I don't know those dates?


 

In this case, Netgear has admitted that it took the eye off the ball.

 

It did receive an approach from someone who first spotted the vulnerability, but the approach seems to have been a one off email to an address at Netgear that may have ended up in the spam bin.

 

When the person who discovered the flaw made it public, it was all hands to the pumps at Netgear, with beta releases of new firmware pushed out widely within days.

 

There then followed emailings to people who had registered their hardware

 

There are blow by blow accounts of this sequence on this board.

 

Some people turned up here weeks, sometimes months, after the flap complaining – not always in language that it is easy to understand – about crimes against humanity, only to be pointed to the solutions.

 


Yes, and in this case it seems the reports on other site from 1/30 and later seems to have triggered the posting. That or the poster was using those 'reports' as if it just happened.

 

It just seems as if the person claiming NG is not doing its job refuses to accept they did once they had the information?

 

I don't support everything NG did/does. I am NOT a 'fanboy' of them. I use thier products and I'm happy with it. I've had LinkSys, ASUS, and even TP-Link as well. I'm not unhappy with them either, just I have NG now. I purchase on need and capability, not brand.

 

Message 206 of 234

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability


@IrvSp wrote:

 

It just seems as if the person claiming NG is not doing its job refuses to accept they did once they had the information?

 

 

He, I assume, is not alone, there have been other latecomers to the bandwagon. But most of them give up when they discover what has gone on.

 

One problem has been the number of people who turned up asking about hardware that was not on the vulnerability list. (There is a simple test you can use to see if you are vulnerable.)

 

Then there was the "false positive", the D7000 I think, that was on the original list, only to prove immune to the exploit.

 

 

Message 207 of 234
hggomes
Tutor

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability

I must ask, I'm interested on getting several Netgear products GPL code.

 
R7000
R7500
R8000
R8500
etc...
 
What happened to the Netgear GPL repository files available back then?
 
Was it replaced by this? 
 
"If you would like a copy of the GPL source code contained in this product shipped to you on a USB Flash Drive for a charge of $20, which is no more than the cost of preparing and shipping the USB Flash Drive to you, please contact opensourcesw@netgear.com
 
?!!?!?!?!?!!?
 
Even if you send an email to this address it will be refused, reporting that your email address it's not accepted / allowed.
 
I'm not really interested to buy it, but getting it / download it for free.
 
 
The old link is not available anymore, also no success finding it after a quick search.
 
Message 208 of 234
IrvSp
Master

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability

Better off asking in https://www.myopenrouter.com/ as that is where Open Source is handled.

 

The real problem you'll face is finding specific f/w versions... they might not be available, but over there 3rd party source code is.

Message 209 of 234
hggomes
Tutor

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability

I'm not really interested on other projects GPLs, but on the original/native Netgear GPL code, which was always shared on their product/GPL page.

Message 210 of 234
StephenB
Guru

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability


@IrvSp wrote:

Better off asking in https://www.myopenrouter.com/ as that is where Open Source is handled.

 


I don't think you can get the GPL links for Netgear firmware there - at least I am only seeing dd-wrt and similar stuff.

 

There's a kb article which should contain the links the OP is asking for, but which is now blank.  ElaineM  is looking into it.

Message 211 of 234
hggomes
Tutor

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability

Let's wait for them to fix the problem/GPL page.

Message 212 of 234
IrvSp
Master

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability


@StephenB wrote:

@IrvSp wrote:

Better off asking in https://www.myopenrouter.com/ as that is where Open Source is handled.

 


I don't think you can get the GPL links for Netgear firmware there - at least I am only seeing dd-wrt and similar stuff.

 

There's a kb article which should contain the links the OP is asking for, but which is now blank.  ElaineM  is looking into it.


Knew that, that is why I suggested that Hugo asks there. Obviously some of the developers might know where the GPL source code might be. I did find R7000's F/W source code with a Google search but it was V1.05, not of much value. That is at https://github.com/hajuuk/R7000, but just not I dug a little deeper on that page and there is a LINK to http://kb.netgear.com/app/answers/detail/a_id/2649/~/netgear-open-source-code-for-programmers-(gpl) and THAT IS WHERE all the version links are for many different devices. Just what he needs.

Message 213 of 234
StephenB
Guru

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability


@IrvSp wrote:
...there is a LINK to http://kb.netgear.com/app/answers/detail/a_id/2649/~/netgear-open-source-code-for-programmers-(gpl) and THAT IS WHERE all the version links are for many different devices. Just what he needs

Exactly so.  

 

Earlier in the day that displayed as a blank page.  I PM'd @ElaineM when I discovered that, and it looks like she was able to get it straightened out. 

Message 214 of 234
hggomes
Tutor

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability

Message 215 of 234
hggomes
Tutor

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability

Out of curiosity I have downloaded latest R7000 1.0.7.6 FW version and GPL (released on 15 DEC 16) to confirm the closed thread was really fixed / got OpenSSL updated and I got astonished on how https://community.netgear.com/t5/General-WiFi-Routers/Netgear-routers-found-to-have-critical-vulnera... case was closed / fixed, it seems nothing at all changed on the FW regarding OpenSSL old versions:

 

R7000 Firmware Version 1.0.7.6 - Released on 15 December 2016


OpenSSL 0.9.7f [22 Mar 2005] (source code) - 11 years and 10 months.

Location:

/ap/gpl/openssl
/ap/gpl/transmission/openssl


OpenSSL 0.9.8e [23 Feb 2007] (source code) - 9 years and 11 months.

Location:

/ap/gpl/timemachine/openssl-0.9.8e/


OpenSSL 1.0.0g [18 Jan 2012] (binary file libcrypto.so.1.0.0) - 5 years.

Location:

/src/router/arm-uclibc/target/lib

 


For reference on OpenSSL vulnerabilities:

https://www.openssl.org/news/vulnerabilities.html

 

All OpenSSL versions / branches used by Netgear FWs are EOL now / deprecated / no support anymore, which seems not to be a problem to Netgear DEV team, this issue was considered fixed by them not sure based on what changes.

 

So once again this was initially reported on May 16 and still not fixed, almost 1 year now, this seems a lost case to me like many others...

 

 

IrvSp Does it ring a/any bell now?

Message 216 of 234
IrvSp
Master

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability

You had another THREAD on this and were told what parts of it were being used. See https://community.netgear.com/t5/General-WiFi-Routers/Netgear-routers-found-to-have-critical-vulnera... and use that one if you are unhappy with the results.

 

============

NETGEAR uses OpenSSL version 1.0.0 for all the router functions that require secure transportation  (such as remote https and OpenVPN), we only use OpenSSL 0.9x for “libcrypto” functions in the Time Machine (taking backup from Apple Macs to USB HDD connected to the router) software package not for transportation.

============

 

If you think that is wrong, reply back in THAT thread.

 

You were also directed to this, http://kb.netgear.com/000036386/CVE-2016-582384, as well and it says it is corrected.

 

I assume you do not agree, CALL SUPPORT...

Message 217 of 234
hggomes
Tutor

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability

In case you haven't noticed that thread was closed, so I or anyone else is NOT able to reply to it, making your suggestion invalid.  🙂

 

Their reply on this issue is non-sense anyway, beside 1.0.0 also is being used 0.9.7 and 0.9.8 which are all EOL / Deprecated / Not supported anymore versions, so it doesn't really matter if it's 1.0.0 or 0.9.7/8. they are all non-secure versions FYI.

Message 218 of 234
IrvSp
Master

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability


@hggomes wrote:

In case you haven't noticed that thread was closed, so I or anyone else is NOT able to reply to it, making your suggestion invalid.  🙂

 

Their reply on this issue is non-sense anyway, beside 1.0.0 also is being used 0.9.7 and 0.9.8 which are all EOL / Deprecated / Not supported anymore versions, so it doesn't really matter if it's 1.0.0 or 0.9.7/8. they are all non-secure versions FYI.


Didn't realize it was closed, so start a NEW one... don't hijack others.

 

Please put all you want to say before pressing the POST button. I read my email copy and I'm seeing many that appear close to the same from you. It is a waste of time reading them. Even then, as I reply to one you seem to be changing it too. PLEASE STOP posting like that.

 

EOL just means it will NOT be updated. One can STILL use it though. Did you know that XP and even Win95 is still in use? They I assume are using 3 different versions for different tasks, NONE of which exposes the firmware to an exploit it would seem according to NG. You have different proof, post it to them in a DIFFERENT thread please and STOP editing the ones you did post. I've seen 3 popups that you are replying to ones here as I enter this. Never see a new one though so it is an OLD one I've already read.

Message 219 of 234
hggomes
Tutor

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability

Unfortunatelly like I previously explained it's due to "Edit Reply" button use, so we should blame this forum software, it doesn't make too much sense to me a user not being able to edit the text.

 

I have really enjoyed your EOL explanation, maybe I'll give it a try on Windows 95, thank you. 🙂

Message 220 of 234
IrvSp
Master

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability


@hggomes wrote:

Unfortunatelly like I previously explained it's due to "Edit Reply" button use, so we should blame this forum software, it doesn't make too much sense to me a user not being able to edit the text.

 

I have really enjoyed your EOL explanation, maybe I'll give it a try on Windows 95, thank you. 🙂


Most people DO NOT NEED to edit their posts. They USE PREVIEW and read what would be posted and if they want to make a change switch back to RICH TEXT or HTML, make the changes and when DONE, then press POST. Try it some time, you might like it.

 

Yes, EOL doesn't mean it will not work... functions used do...

 

I'm done with you... now I know why that thread was probably closed...

Message 221 of 234
Unfiltered1
Tutor

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability

Hey Gomes!  How many times are you using the edit button?  I just opened my email program and there were 31 notices of replies to this thread.

Message 222 of 234
hggomes
Tutor

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability

IrvSp:

 

You have described exactly what I did, it seems it didn't worked at all.

Same here, but you only need to read it to know why.

 

Unfiltered1:

 

Definitely not 31 times. 🙂

 

Message 223 of 234

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability


@Unfiltered1 wrote:

Hey Gomes!  How many times are you using the edit button?  I just opened my email program and there were 31 notices of replies to this thread.


 

Indeed, this guy does not know how to use as forum. He is practically the only one why creates multiple posts of one message.

 

But rather than being unkind, let me add a suggestion.

 

This forum is very good at remembering what you are writing.

 

If you make a mistake and close a window, or do something equally silly, or even Windows crashes, you can pick up where things went wrong.

 

Go back to the message you were answering and the forum software will ask if you want to reload your message. It misses very little if anything.

 

PS Apologies for going off topic, but it might help to preserve the collective sanity.

 

Message 224 of 234
hggomes
Tutor

Re: NETGEAR Routers and CVE-2016-582384 security vulnerability

I must agree with you, I definitely don't know how to use THIS forum, I'm not used to a forum where at every single edit you will end up flooding the users mailboxes, I never seen it happening on ANY other forum used before, Xenforo, Vbuletim, PHPBB, MyBB, etc.

 

Here's the issue, I usually remember later to add extra content to the initial post or simply notice that I need to fix something on the text (English is not my native language), I also noticed that this forum software does only allows the user to edit the post in 5-10m after posting, then the option will be removed, when that happens you will not be able to fix anything anymore or add any extra content to your previous post, which is something new to me, so the way it is it's the way it will end up, never seen anything like that.

 

michaelkenward 

 

Thank you for your post information.

Message 225 of 234
Top Contributors
Discussion stats
Announcements

Orbi WiFi 7