Reply
Guide
Posts: 8
Registered: ‎2016-12-09
Accepted Solution

R7000 Vulnerability Note VU#582384

It has been reported on various outlets that there is a vulnerability with the R7000 and R6400 routers. Please see https://www.kb.cert.org/vuls/id/582384 .  The advisor reads "Exploiting this vulnerability is trivial. Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available."  

This is NOT a practical solution for me or many others. 

I can't find anything on the Netgear website about this issue and how they intend to resolve it. 

Can anyone advise as to the status of this problem and share any information and advise ?
Thanks

JMK


Accepted Solutions
NETGEAR Moderator
Posts: 5,866
Registered: ‎2015-07-08

Re: R7000 Vulnerability Note VU#582384

Hi All,

 

The Security Advisory for VU 582384 has been updated.

 

Also, for more information see the link below.

 

https://community.netgear.com/t5/Nighthawk-WiFi-Routers/Two-leading-Netgear-routers-are-vulnerable-t...

ElaineM
Community Team

View solution in original post


All Replies
Tutor
Posts: 3
Registered: ‎2012-02-20

Re: R7000 Vulnerability Note VU#582384

Agreed, am in the same boat, what a ridiculous solution: stop using it. Guess I'll just go buy another $200-300 router...oh wait...
At any rate, am needing netgear to hotfix this asap...

Guide
Posts: 8
Registered: ‎2016-12-09

Re: R7000 Vulnerability Note VU#582384

I have an R7300DST which i'm guessing without trying the exploit, is probably vulnerable.

 

Is netgear "working on a fix" or even acknowledging this issue yet?

 

More importantly, is there i way i can be notified if a new firmware is released?  I don't want to have to remember to check once a day.

 

-Rob

Guide
Posts: 8
Registered: ‎2016-12-09

Re: R7000 Vulnerability Note VU#582384

Don't know if Netgear is working on a solution. I will assume that they are.  I can find NO acknowledgment of the problem by Netgear on their website or online. ZDnet has a bulletin out on this in which they say that they contacted Netgear and did not get a response. Please see http://www.zdnet.com/article/two-netgear-routers-are-vulnerable-to-trivial-to-remote-hack/

Guide
Posts: 8
Registered: ‎2016-12-09

Re: R7000 Vulnerability Note VU#582384

I know of no way that a Netgear user can be automatically notified of a new software/firmware update. Perhaps someone following this thread can chime in. Thanks.

Guide
Posts: 8
Registered: ‎2016-12-09

Re: R7000 Vulnerability Note VU#582384

Confirmed the router is set to auto-update in the early morning hours automatically.  Presuming that works as advertised, the important thing is knowing a fix is coming.

Tutor
Posts: 3
Registered: ‎2016-12-10

Re: R7000 Vulnerability Note VU#582384

Yes, we need to keep saying something about this until its fixed asap.

Initiate
Posts: 2
Registered: ‎2016-12-10

Re: R7000 Vulnerability Note VU#582384

Would it be possible to use the option to block internet sites 

http://kb.netgear.com/24053/How-do-I-block-internet-sites-on-my-router-using-the-NETGEAR-genie-user-...

to block the RouterIP addresses that cause the vulnerability?

It might, but I can't make it work. Anybody?

 

Of course, this would just provide a temporary workaround until NetGear gets their act together. 

 

Another idea to try to push them on Twitter: LET'S ALL SHOUT AT THEM : @NETGEAR

 

I just sent this tweet:

@netgear Please immediately provide fix to R6400 and R7000 vulnerability! http://www.zdnet.com/article/two-netgear-routers-are-vulnerable-to-trivial-to-remote-hack/ Customers: don't buy until this is fixed!

 

BvdRee

 

Guide
Posts: 8
Registered: ‎2016-12-09

Re: R7000 Vulnerability Note VU#582384

I don't think blocking the routers ip address from the router would help -- The problem is accessing the router from your in-home network,most like at 192.168.1.1 address. They get you to open a web page that has a frame that goes to that address and opens a port (or whatever else it may want to do) and once that port is open it is open to external network.  

 

What _might_ work, is somehow blocking 192.168.1.1 (or whatever your router address is) from all of your potential web browsing applications, so they can't issue commands to the router without you consciously turning that off.

 

I do not do this myself, and suspect you'd have to be good at working your firewall software on your laptop to block this -- and i suspect it would be an annoyance if you did need the web interface of router (I like to use it to check IP addresses on attached devices).

 

-Rob

Guide
Posts: 8
Registered: ‎2016-12-09

Re: R7000 Vulnerability Note VU#582384

The "Twitter Campaign" is a good idea. I would encourage readers of this thread that are affected by this problem to post Tweets to @netgear .  

 

 

Tutor
Posts: 3
Registered: ‎2016-12-10

Re: R7000 Vulnerability Note VU#582384

[ Edited ]

For me, if they can't be trusted to patch vulnerabilities quickly then this will be my last netgear product. R7000 was release Oct. 1 2013 so the router isn't old enough to not have security patches. I had the linksys wrt54g for like 10 years strong.

Guide
Posts: 8
Registered: ‎2016-12-09

Re: R7000 Vulnerability Note VU#582384

In complete fairness to Netgear, yesterday was the day that CERT released this vulnerability note.  Let's say they did come up with a fix, it would probably a period of testing internally before safely releasing this to the general public, there's nothing worse a company can do to their reputation with users than fix something that breaks something else that was working.

 

20 years ago I used to be a CERT coordinator for a computer company (we had our own UNIX-based OS) and there's a process from getting the vulnerability, to determining which if any devices are vulnerable, to submitting it to an internal database of issues, to it being prioritized by management and assigned, to the investigation of cause, to the development of a fix, to making sure that fix doesn't negatively affect users, and of course to packaging and distributing the fix.

Guide
Posts: 6
Registered: ‎2016-12-10

Re: R7000 Vulnerability Note VU#582384

I just posted this on the other thread regarding this exploit:  I tested the exploit on my router which is running firmware version V1.0.3.68_1.1.31 .  The string resulted in the router requesting the admin password and then failing to the "Unauthorized Access" screen.  The command after the semicolon did not appear to be executed.  Unfortunately, I could only test on my local network, so I cannot confirm that this a "universal fix", but it may be a work around while NetGear cooks up a fix.

 

Safe surfing...

Guide
Posts: 8
Registered: ‎2016-12-09

Re: R7000 Vulnerability Note VU#582384

Just because you got an error message does not mean the command wasn't executed, you might not see the output of the command in the web browser..  I would check if any ports were openned by, for example, if your command ran telnetd then telnet to that port to see if it was open.  I'm not about to do this on my router on purpose. I suspect if i did this, a reboot might close the port again as nothing was done to make telnetd start automatically on boot..

Guide
Posts: 6
Registered: ‎2016-12-10

Re: R7000 Vulnerability Note VU#582384

[ Edited ]

I tried both the ls and telnet commands.  And both versions of the string on the exploit-db website (with and without the cgi-bin directory).  The ls command did not execute in either case and no telnet port showed up in the Port-Routing or Services table.  However, the behavior of the router was different depending on whether the exploit string included the cgi-bin directory: if the directory was included, then the router returned a "Resource Not Found" error; if not, then the admin password was requested.

 

I admittedly do not have the experience to reach any sort of conclusion regarding the differences in the router's behavior.

 

I only tested this because I only have one router and cannot realistically take it offline for days or weeks.  Thus, at best, this is a risky work-around, not a solution.

Guide
Posts: 8
Registered: ‎2016-12-09

Re: R7000 Vulnerability Note VU#582384

It would not show up on web interface. The sample just runs the telnet daemon which runs in background as a process. Try running a telnet to the router on the port.
Guide
Posts: 8
Registered: ‎2016-12-09

Re: R7000 Vulnerability Note VU#582384

There are a lot of people that are of the same opinion. I strongly urge you and others to tweet @netgear to voice your displeasure. The Netgear twitter page is getting bombarded with complaints. Curiously, not a single word out of Netgear.

Guide
Posts: 8
Registered: ‎2016-12-09

Re: R7000 Vulnerability Note VU#582384

While I agree with your comments, I think a simple acknowledgent of the issue by Netgear is in order and would serve to let owners know that they're working on the problem.

Tutor
Posts: 3
Registered: ‎2016-12-10

Re: R7000 Vulnerability Note VU#582384

Quite easy workaround for this vulnerability:

 

 

http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/

 

This will be my last netgear product- very disappointing...

Guide
Posts: 6
Registered: ‎2016-12-10

Re: R7000 Vulnerability Note VU#582384

robwilkens--

 

Thank you for pointing out these issues:

 


robwilkens wrote:
It would not show up on web interface. The sample just runs the telnet daemon which runs in background as a process. Try running a telnet to the router on the port.

I went back and attempted to connect to the router with a putty telnet session.  The connection was refused from both LAN and Internet IP addresses and from both the default ports and port 45.  I think at this point I am reasonably convinced that the firmware does not respond to THIS aspect of the exploit, but may be vulnerable to others.  I cannot disconnect my router, so I will just practice caution.

 

C.L

Tutor
Posts: 3
Registered: ‎2016-04-25

Re: R7000 Vulnerability Note VU#582384

I wasn't successful in the telnetd variant of this exploit, but was successful in shutting down the web interface using bas996's link.  Thanks for link.  I'm guessing the telnetd may not be successful, but apparently 'kill' is, so perhaps other commands are as well.  I rarely reboot the router, so this will have to work for now.

Initiate
Posts: 1
Registered: ‎2016-12-11

Re: R7000 Vulnerability Note VU#582384

If you change that command a bit then opening a telnet connection works.

 

You can then connect as root without typing any password.

 

Plus the built-in webserver is running as root as well.

 

Please guys this is insane. Who does that?

 

@netgear, get a fix out immediately!

Highlighted
Initiate
Posts: 2
Registered: ‎2016-12-10

Re: R7000 Vulnerability Note VU#582384

[ Edited ]

this workaround posted by Bas996 above seems to work for me. Thank you!! Now I feel a bit more comfortable while waiting for Netgear.

Tutor
Posts: 3
Registered: ‎2016-12-11

Re: R7000 Vulnerability Note VU#582384

I have no expertise on the matter but the "fix" suggested by the ones who does (not using the router) give me an idea about how serious and potentially dangerous this is for home and business customers. Since vulnerabilities are impossible to prevent, trust in a tech company is built upon how it face them. No acknowledgement, reassurance, advise, temporary fix or any kind or word for that matter is a bad PR practice IMHO. This products appeal to the informed user (power user, professional etc..). That portion of the market composed of customers willing to spend an extra for performance and reliability. That is why I think Netgear is working hard on this. If they'd offer no fix I think most of us would stay away from their products in the near future and we would be right In the meantime, thank you very much for this temporary fix: http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/com...
Initiate
Posts: 2
Registered: ‎2016-12-11

Re: R7000 Vulnerability Note VU#582384

This is an insane vunerability that is super easy to exploit. It doesn't even require the user to be logged in. I demand to know when this is going to be fixed.

Discussion Stats
Top Contributors