NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
R7000 Vulnerability Note VU#582384
It has been reported on various outlets that there is a vulnerability with the R7000 and R6400 routers. Please see https://www.kb.cert.org/vuls/id/582384 . The advisor reads "Exploiting this vulnerability is trivial. Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available."
This is NOT a practical solution for me or many others.
I can't find anything on the Netgear website about this issue and how they intend to resolve it.
Can anyone advise as to the status of this problem and share any information and advise ?
Thanks
JMK
Hi All,
The Security Advisory for VU 582384 has been updated.
Also, for more information see the link below.
45 Replies
Replies have been turned off for this discussion
Agreed, am in the same boat, what a ridiculous solution: stop using it. Guess I'll just go buy another $200-300 router...oh wait...
At any rate, am needing netgear to hotfix this asap...I have an R7300DST which i'm guessing without trying the exploit, is probably vulnerable.
Is netgear "working on a fix" or even acknowledging this issue yet?
More importantly, is there i way i can be notified if a new firmware is released? I don't want to have to remember to check once a day.
-Rob
Don't know if Netgear is working on a solution. I will assume that they are. I can find NO acknowledgment of the problem by Netgear on their website or online. ZDnet has a bulletin out on this in which they say that they contacted Netgear and did not get a response. Please see http://www.zdnet.com/article/two-netgear-routers-are-vulnerable-to-trivial-to-remote-hack/
Yes, we need to keep saying something about this until its fixed asap.
Would it be possible to use the option to block internet sites
to block the RouterIP addresses that cause the vulnerability?
It might, but I can't make it work. Anybody?
Of course, this would just provide a temporary workaround until NetGear gets their act together.
Another idea to try to push them on Twitter: LET'S ALL SHOUT AT THEM : @NETGEAR
I just sent this tweet:
netgear Please immediately provide fix to R6400 and R7000 vulnerability! http://www.zdnet.com/article/two-netgear-routers-are-vulnerable-to-trivial-to-remote-hack/ Customers: don't buy until this is fixed!
BvdRee
I don't think blocking the routers ip address from the router would help -- The problem is accessing the router from your in-home network,most like at 192.168.1.1 address. They get you to open a web page that has a frame that goes to that address and opens a port (or whatever else it may want to do) and once that port is open it is open to external network.
What _might_ work, is somehow blocking 192.168.1.1 (or whatever your router address is) from all of your potential web browsing applications, so they can't issue commands to the router without you consciously turning that off.
I do not do this myself, and suspect you'd have to be good at working your firewall software on your laptop to block this -- and i suspect it would be an annoyance if you did need the web interface of router (I like to use it to check IP addresses on attached devices).
-Rob
I just posted this on the other thread regarding this exploit: I tested the exploit on my router which is running firmware version V1.0.3.68_1.1.31 . The string resulted in the router requesting the admin password and then failing to the "Unauthorized Access" screen. The command after the semicolon did not appear to be executed. Unfortunately, I could only test on my local network, so I cannot confirm that this a "universal fix", but it may be a work around while NetGear cooks up a fix.
Safe surfing...
The "Twitter Campaign" is a good idea. I would encourage readers of this thread that are affected by this problem to post Tweets to @netgear .
BvdRee I like the Twitter idea, but we need a hashtag as well. How about #NetgearBrokenSecurity?
Or #NetgearSevereSecurityFlaw ...
I don't understand why Netgear does not communicate at all. My (other brand) NAS receives updates regularly, even today.
For me, if they can't be trusted to patch vulnerabilities quickly then this will be my last netgear product. R7000 was release Oct. 1 2013 so the router isn't old enough to not have security patches. I had the linksys wrt54g for like 10 years strong.
In complete fairness to Netgear, yesterday was the day that CERT released this vulnerability note. Let's say they did come up with a fix, it would probably a period of testing internally before safely releasing this to the general public, there's nothing worse a company can do to their reputation with users than fix something that breaks something else that was working.
20 years ago I used to be a CERT coordinator for a computer company (we had our own UNIX-based OS) and there's a process from getting the vulnerability, to determining which if any devices are vulnerable, to submitting it to an internal database of issues, to it being prioritized by management and assigned, to the investigation of cause, to the development of a fix, to making sure that fix doesn't negatively affect users, and of course to packaging and distributing the fix.
While I agree with your comments, I think a simple acknowledgent of the issue by Netgear is in order and would serve to let owners know that they're working on the problem.
There are a lot of people that are of the same opinion. I strongly urge you and others to tweet @netgear to voice your displeasure. The Netgear twitter page is getting bombarded with complaints. Curiously, not a single word out of Netgear.
- It would not show up on web interface. The sample just runs the telnet daemon which runs in background as a process. Try running a telnet to the router on the port.
robwilkens--
Thank you for pointing out these issues:
robwilkens wrote:
It would not show up on web interface. The sample just runs the telnet daemon which runs in background as a process. Try running a telnet to the router on the port.I went back and attempted to connect to the router with a putty telnet session. The connection was refused from both LAN and Internet IP addresses and from both the default ports and port 45. I think at this point I am reasonably convinced that the firmware does not respond to THIS aspect of the exploit, but may be vulnerable to others. I cannot disconnect my router, so I will just practice caution.
C.L
Quite easy workaround for this vulnerability:
http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/
This will be my last netgear product- very disappointing...
I wasn't successful in the telnetd variant of this exploit, but was successful in shutting down the web interface using bas996's link. Thanks for link. I'm guessing the telnetd may not be successful, but apparently 'kill' is, so perhaps other commands are as well. I rarely reboot the router, so this will have to work for now.
this workaround posted by Bas996 above seems to work for me. Thank you!! Now I feel a bit more comfortable while waiting for Netgear.
- I have no expertise on the matter but the "fix" suggested by the ones who does (not using the router) give me an idea about how serious and potentially dangerous this is for home and business customers. Since vulnerabilities are impossible to prevent, trust in a tech company is built upon how it face them. No acknowledgement, reassurance, advise, temporary fix or any kind or word for that matter is a bad PR practice IMHO. This products appeal to the informed user (power user, professional etc..). That portion of the market composed of customers willing to spend an extra for performance and reliability. That is why I think Netgear is working hard on this. If they'd offer no fix I think most of us would stay away from their products in the near future and we would be right In the meantime, thank you very much for this temporary fix: http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/comment-page-1/#comment-180
This is an insane vunerability that is super easy to exploit. It doesn't even require the user to be logged in. I demand to know when this is going to be fixed.
yeah, they could at least acknowledge the issue.
Well, by now most of you have seen the official Netgear status of this issue. They've released beta versions of a production fix for several models. Have any of you folks installed the beta versions and if so what have you experienced? Thank you.
I'm running it on my R7000 which I'm currently using just as an AP and it's working fine for me.
Others have also installed it. See e.g. https://community.netgear.com/t5/Nighthawk-WiFi-Routers/The-last-straw-new-vulnerability-for-R7000-R6400-R8000/m-p/1187234#M44417
Hi All,
The Security Advisory for VU 582384 has been updated.
Also, for more information see the link below.
I see Netgear has released a beta fix for this. I have a Mac mini which uses OSX. Netgear Router R7000 AC 1900. Instructions say to download it and save it to my desktop and then follow instructions. I downloaded the fix and I get a message that says Safari can't open it and it advises me to download an app that will. ???? What app would that be?
Thanks
- Richard284
The file you downloaded is a firmware file. Ignore what Safari told you, and continue to follow the instructions on http://kb.netgear.com/000036453/R7000-Firmware-Version-1-0-7-6-Beta. Basically you log in your router via Web interface and use it to update its firmware.Thank you
