Reply

Re: R7000 & R6400 Vulnerability Note VU#582384

kochin
Luminary

R7000 & R6400 Vulnerability Note VU#582384

[When I created this post, I wasn't aware of the 2 discussions already on this topic:

 

Just saw this news:

 

An advisory posted on Friday in Carnegie Mellon University's public vulnerability database (CERT) said that Netgear's R7000 and R6400 routers, running current and recent firmware respectively, are vulnerable to an arbitrary command injection flaw.

 

Details of this vulnerability can be found at Vulnerability Note VU#582384.

 

The current recommendation is to stop using those routers. Unfortunately it's impossible for many users with only one router at hand. Is Netgear developing a fix and firmware update to combat this issue?

 

UPDATE:

It's very scary. I just tried the proof of concept on my router. It really worked and started a tenet service on the specified port without requring any authentication. Netgear'd better patch this up ASAP.

 

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 1 of 35

Accepted Solutions
ElaineM
NETGEAR Employee Retired

Re: R7000 & R6400 Vulnerability Note VU#582384

Hi All,

 

The Security Advisory for VU 582384 has been updated.

 

Also, for more information and update see the thread below.

 

https://community.netgear.com/t5/Nighthawk-WiFi-Routers/Two-leading-Netgear-routers-are-vulnerable-t...

ElaineM
NETGEAR Community Team

View solution in original post

Message 35 of 35

All Replies
GinaGerson
Luminary

Re: R7000 & R6400 Vulnerability Note VU#582384

Would be nice if Netgear responds and give some feedback when to expect an update. Can't find any official info anywhere.

Maybe I should leave there firmware and install the Kong Mod

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 2 of 35
SqueakyEye
Luminary

Re: R7000 & R6400 Vulnerability Note VU#582384

This issue should be sticky at the top of the forum until resolved.

Message 3 of 35
germanus
Luminary

Re: R7000 & R6400 Vulnerability Note VU#582384

Why do we NOT hear from Netgear on thsi vulnerablity? Is it REAL or one of the "fashionable fake news" the internet is experiencing latley. If indeed this vulnerability exists Netgear should aknowledge it ASAP and tell us users what to do or not to do and by whne thye will have a fix

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 4 of 35
kochin
Luminary

Re: R7000 & R6400 Vulnerability Note VU#582384

This issue is very real. I personally tested it out on my R7000. I also sent an email to Netgear Security team, but haven't heard from them. If you like, you can send an email to security@netgear.com to push them. Of course, Twitter is another good way.
Message 5 of 35
GinaGerson
Luminary

Re: R7000 & R6400 Vulnerability Note VU#582384

You can for now try the solution I posted here.

Message 6 of 35
germanus
Luminary

Re: R7000 & R6400 Vulnerability Note VU#582384

Thanks kochin, just sent a mesage to the seurity team asking to confirm and let us know what to do untila  fix is issued.

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 7 of 35
kochin
Luminary

Re: R7000 & R6400 Vulnerability Note VU#582384

I got a response from Netgear this morning at 2:39am. They must be working hard to get it resolved. But, the message isn't saying much.

 

We appreciate you contacting us. Currently we are working on a fix and will get back to you when it’s available. Thanks.

If you have any questions or comments with regard to this information, please contact us at: security@netgear.com.

Sincerely,

Product Security Incident Response Team
Netgear, Inc

Message 8 of 35
kochin
Luminary

Re: R7000 & R6400 Vulnerability Note VU#582384

So far the best workaround of this vulnerability I saw is detailed at http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/. Before you follow the procedure I suggest you to reboot your router first.

 

Message 9 of 35
germanus
Luminary

Re: R7000 & R6400 Vulnerability Note VU#582384

I got exactly the same email response from the security team. While it is very general it looks like Netgear knows about it and îs working on a fix.

I will stay put and not switch to my Comcast router which has much lower WiFi speed. Just will be very careful not to open any link, alerted my wife to be diligent with suspicious looking emails. Let's hope the Netgear team comes up with something soon.

Message 10 of 35
mdgm-ntgr
NETGEAR Employee Retired

Re: R7000 & R6400 Vulnerability Note VU#582384


We (NETGEAR) are aware of the security issue #582384 affecting R6400, R7000, R8000 routers. Stay updated here: http://kb.netgear.com/000036386/CVE-2016-582384
We're working hard for a fix and will update the security ticket above soon.

Message 11 of 35
guilhermeofranc
Luminary

Re: R7000 & R6400 Vulnerability Note VU#582384

Hi,

 

The problem is also described here: https://securityledger.com/2016/12/vulnerability-prompts-warning-stop-using-netgear-wifi-routers/

 

You can see the IPs of affected routers by using this link: https://www.shodan.io/search?query=r7000

Message 12 of 35
mdgm-ntgr
NETGEAR Employee Retired

Re: R7000 & R6400 Vulnerability Note VU#582384

 

The Security Advisory has been updated with more information and beta firmware for some models.

Message 13 of 35
kochin
Luminary

Re: R7000 & R6400 Vulnerability Note VU#582384

I downloaded the beta firmware R7000-V1.0.7.6_1.1.99.chk and updated my R7000 router. So far, with the beta firmware, the router seems to be working just like before. I have experienced no problems on my LAN, which includes a WiFi extender.

 

The security vulnerability appears to be fixed in this beta firmware. All tests of proof of concept reported back with "401 Unauthorized" as it should be.

 

Message 14 of 35
microchip8
Master

Re: R7000 & R6400 Vulnerability Note VU#582384

I find it really a terrible job if NG was notified of this issue months ago and did nothing until the person who discovered it went public and then NG had to act. Will make me think twice before I go with NG routers again and make me think thrice before recommending them, especially when ran on stock firmware

Routing: NETGEAR RAX43 - Firmware: V1.0.11.112 (1 Gbps down, 50 Mbps up)
Switching: 2x NETGEAR 8-ports (GS108v4) / 1x NETGEAR 16-ports (JGS516v2)
Desktop: AMD Ryzen 7 3700X - Server: Intel Core i7-7700K - NAS: Intel Pentium G4400, 20 TB
Message 15 of 35
kochin
Luminary

Re: R7000 & R6400 Vulnerability Note VU#582384

Yes, it's very sad that it has to become a bad publicity for Netgear to respond to this security vulnerability after more than 3 months. It really makes customers question Netgear's attitute toward securing their network products.

 

Message 16 of 35
germanus
Luminary

Re: R7000 & R6400 Vulnerability Note VU#582384

We can only hope that Netgear is learning a lesson here like other high-tech companies did as Intel for example way back when they did not acknowledge their issue with the Pentium processors. But it is VERY disconcerting that with the news full of reports about hacks and privacy intrusions that Netgear has shown such a cavalier attitude on this issue. I have actually started to look for alternatives and might switch routers if Netgear does not release an official fix VERY SOON, read by the end of this week. I am not experienced enough to deal with beta firmware. Fortunately they are not the only "router game in town", and we have options as consumers.  So let's cross our fingers that Netgear gets its act together VERY quickly, I like the products but this lack of security concern is alarming.

Message 17 of 35
Chaz84
Luminary

Re: R7000 & R6400 Vulnerability Note VU#582384

So I found out from a friend an article in Wired online that directs you to the Netgear site for a firmware beta fix for the Netgear security issue.  However, I downloaded the fix, but then it says to go to www.routerlogin.net in order to actually do the Firmware upgrade.  I do that but it says that I need to be connected to my router's WiFi network.  My computer does not have WiFi and I connect through an ethernet cable to the router.  I thought ethernet is what they recommend for downloading firmware upgrades as it should be a more consistent connection, but the Netgear site is telling me I can only connect over WiFi in order to upload the Firmware I just downloaded.   How do I then get the Firmware fix for this security issue if my only way to connect is via ethernet cable?  The routerlogin.net site is telling me I can only do that via a WiFi connection.....HELP.

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 18 of 35
mdgm-ntgr
NETGEAR Employee Retired

Re: R7000 & R6400 Vulnerability Note VU#582384

If you know the I.P. address of the router you can just go to that instead e.g. http://192.168.1.1


The routerlogin.net is just a handy way to get to the router management page without needing to know the I.P. address. Both URLs are acceptable and work equally as well. I connected to my R7000 via I.P. to do the beta firmware upgrade and it worked fine.

 

If the R7000 is not your main router or not connected to the internet that would explain by the routerlogin.net link didn't work.

 

If the routerlogin.net can't redirect to your router's web admin interface then we present a web page providing generic advice as to what you could try.

 

It's correct that it is recommended to connect via ethernet to your router to do a firmware upgrade.

 

Welcome to the community!

Message 19 of 35
RMinNJ
Luminary

Re: R7000 & R6400 Vulnerability Note VU#582384

"...

The Security Advisory has been updated with more information and beta firmware for some models. ..."

 

 

Will this firmware shut off the telnet backdoor to the router or should we file another security report for that ?

 

 

Message 20 of 35
kochin
Luminary

Re: R7000 & R6400 Vulnerability Note VU#582384

Not sure what telnet backdoor you were talking about. Did you mean the telnetd running at your router after you tested the proof of concept? Simply power your router off and then on, and it will be gone.


@RMinNJ wrote:

Will this firmware shut off the telnet backdoor to the router or should we file another security report for that ?


 

Message 21 of 35
RMinNJ
Luminary

Re: R7000 & R6400 Vulnerability Note VU#582384

Yes, but someone can send the "magic packet" to the router and telnet will be on again.    I think the premise of the security lies in

the fact that that packet has to have the correct admin password?    Would prefer if this turn on daemons via magic packets feature could be disabled..

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 22 of 35
ElaineM
NETGEAR Employee Retired

Re: R7000 & R6400 Vulnerability Note VU#582384

Hi All,

 

The Security Advisory for VU 582384 has been updated.

Also, for more information see the link below.

 

https://community.netgear.com/t5/Nighthawk-WiFi-Routers/Two-leading-Netgear-routers-are-vulnerable-t...

ElaineM
NETGEAR Community Team
Message 23 of 35
kochin
Luminary

Re: R7000 & R6400 Vulnerability Note VU#582384

@RMinNJ

Once I updated my R7000 with the beta firmware, I can no longer use the exploit to execute commands on my router. It wouldn't allow me even after I entered my username and password. I think that's a very good sign they've patched up the security hole.

 

Message 24 of 35
kochin
Luminary

Re: R7000 & R6400 Vulnerability Note VU#582384

@ElaineM

Thank you for the update. It shows that Netgear has the courage to admit their own mistake. I'll take that as a promising indication that Netgear will learn from this incident.

 

Once it had been disclosed that the first notification occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part.

Message 25 of 35
Top Contributors
Discussion stats
  • 34 replies
  • 14896 views
  • 20 kudos
  • 12 in conversation
Announcements

Orbi WiFi 6E