
R7500v1 Zebra VTY Vulnerability

BlankAlpha
Aspirant

R7500v1 Zebra VTY Vulnerability

Hi All,

 

Just in case anyone has this router.

 

You are vulnerable over telnet port 2601. (The Zebra service's default password hasn't been changed. This service could potentially route your internet connection through any insecure server, creating a permanent MITM without your knowledge.)

 

To fix this vulnerability, telnet into your router using the username "zebra" and password "zebra" (see the vulnerability now?)

 

To update the password after logging in:

1. "enable"

2. it prompts for password, enter "zebra"

3. write "write terminal"

4. write "configure terminal"

5. write "password [newpassword here]" (Changes Telnet Password)

6. write "enable password [newpassword here]" (Changes enable password)

7. Vulnerability should be fixed. Ctrl-Z, "quit"

 

Here is the walkthrough of all commands for Zebra VTY:

http://www.nongnu.org/quagga/docs/quagga.html#Config-Commands

Model: R7500|Nighthawk X4 AC2350 Smart WiFi Router
Message 1 of 6
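The seven-step fix in the post, driven end to end as one VTY exchange. This is an added example written for this thread, not code from the original post, from Netgear, or from the Quagga project. It assumes the router's VTY presents the standard Quagga prompts ("Password:", "host>", "host#", "host(config)#") and that "write memory" persists the change; the post's step list changes only the running configuration, and whether a saved change survives the router regenerating its Zebra config at boot is not covered by the thread and should be checked after a reboot. The FakeZebraVty class is a constructed stand-in so the script runs without a router.

```python
"""Check a Zebra/Quagga VTY on TCP 2601 for the factory password and, if
wanted, set new VTY and enable passwords. Added example for this thread,
not code from the original post or from Netgear/Quagga.

Assumed (not confirmed by the thread): the router's VTY uses the standard
Quagga prompts and keeps the change across reboots after "write memory".
"""
import re
import socket

DEFAULT_PASSWORD = "zebra"
VTY_PORT = 2601
# Telnet option negotiation (IAC DO/DONT/WILL/WONT <option>) that Quagga
# sends before the banner; it is noise for prompt matching.
IAC_RE = re.compile(rb"\xff[\xfb-\xfe][\x00-\xff]")


class TelnetVty:
    """Line-oriented driver for a Quagga VTY. Works on any object with
    recv()/sendall(), so a real socket or the in-memory fake below fits."""

    def __init__(self, conn):
        self.conn = conn
        self.buf = b""

    def expect(self, *markers):
        """Read until the output ends with one of the markers (a prompt).
        Returns (marker_matched, text_seen)."""
        while True:
            text = IAC_RE.sub(b"", self.buf).rstrip()
            for marker in markers:
                if text.endswith(marker.encode()):
                    self.buf = b""
                    return marker, text.decode("utf-8", "replace")
            chunk = self.conn.recv(4096)
            if not chunk:
                raise ConnectionError("VTY closed the connection")
            self.buf += chunk

    def command(self, line, *markers):
        self.conn.sendall(line.encode() + b"\r\n")
        return self.expect(*markers)


def default_password_accepted(conn):
    """True if the VTY lets us in with the factory password 'zebra'."""
    vty = TelnetVty(conn)
    vty.expect("Password:")
    got, _ = vty.command(DEFAULT_PASSWORD, "Password:", ">")
    return got == ">"


def check_router(host, port=VTY_PORT, timeout=5.0):
    """Connect to a real router and report whether 'zebra' still works."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        return default_password_accepted(conn)


def change_passwords(conn, vty_password, enable_password, new_vty, new_enable):
    """The thread's fix as one exchange: log in, enable, configure terminal,
    set both passwords, leave config mode and save. Returns the text the
    VTY printed for the save step."""
    vty = TelnetVty(conn)
    vty.expect("Password:")
    got, _ = vty.command(vty_password, "Password:", ">")
    if got != ">":
        raise PermissionError("VTY password rejected")
    got, _ = vty.command("enable", "Password:", "#")
    if got == "Password:":
        got, _ = vty.command(enable_password, "Password:", ">", "#")
    if got != "#":
        raise PermissionError("enable password rejected")
    vty.command("configure terminal", "#")
    vty.command(f"password {new_vty}", "#")
    vty.command(f"enable password {new_enable}", "#")
    vty.command("end", "#")
    _, saved = vty.command("write memory", "#")
    return saved


class FakeZebraVty:
    """Constructed stand-in for a Zebra VTY still on factory passwords, so
    the example runs without a router. Mimics the prompts, not Quagga itself."""

    def __init__(self, host="Router"):
        self.vty_pw = self.enable_pw = DEFAULT_PASSWORD
        self.host, self.state, self.saved = host, "login", None
        self.out = (b"\xff\xfb\x01\xff\xfb\x03Hello, this is Quagga.\r\n"
                    b"User Access Verification\r\n\r\nPassword: ")

    def recv(self, n):
        data, self.out = self.out[:n], self.out[n:]
        return data

    def sendall(self, data):
        line = data.decode().strip()
        self.out += (line + self._reply(line)).encode()  # echo, then prompt

    def _reply(self, line):
        h = self.host
        if self.state == "login":
            self.state = "view" if line == self.vty_pw else "login"
            return f"\r\n{h}> " if self.state == "view" else "\r\nPassword: "
        if self.state == "enable_auth":
            self.state = "enable" if line == self.enable_pw else "view"
            return f"\r\n{h}# " if self.state == "enable" else f"\r\n{h}> "
        if self.state == "view" and line == "enable":
            self.state = "enable_auth"
            return "\r\nPassword: "
        if self.state == "enable" and line == "configure terminal":
            self.state = "config"
        elif self.state == "enable" and line == "write memory":
            self.saved = (self.vty_pw, self.enable_pw)
            return f"\r\nConfiguration saved to /etc/quagga/zebra.conf\r\n{h}# "
        elif self.state == "config" and line.startswith("enable password "):
            self.enable_pw = line[len("enable password "):]
        elif self.state == "config" and line.startswith("password "):
            self.vty_pw = line[len("password "):]
        elif self.state == "config" and line == "end":
            self.state = "enable"
        return {"view": f"\r\n{h}> ", "enable": f"\r\n{h}# ",
                "config": f"\r\n{h}(config)# "}[self.state]
```

`check_router("192.168.1.1")` (router address assumed) answers the question the post raises for a real device; `change_passwords(socket.create_connection((host, 2601)), "zebra", "zebra", new_vty, new_enable)` applies the fix. Telnet carries both old and new passwords in the clear, so run it from a wired LAN client, and re-run `check_router` after a reboot to confirm the new password actually stuck.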
ElaineM
NETGEAR Employee Retired

Re: R7500v1 Zebra VTY Vulnerability

We strongly recommend that you submit any security vulnerability concerns to security@netgear.com so that our security advisory team can verify it and provide resolution.

 

Thank you!

ElaineM
NETGEAR Community Team
Message 2 of 6
BlankAlpha
Aspirant

Re: R7500v1 Zebra VTY Vulnerability

I have. Unfortunately they haven't responded.

They might have their hands full with the URL vulnerability that lets anyone take over the router with simple well crafted HTTP requests.

I might be returning this router for something more secure. It doesn't appear Netgear takes security seriously.

Message 3 of 6
mediatrek
Virtuoso

Re: R7500v1 Zebra VTY Vulnerability


@BlankAlpha wrote:

I have. Unfortunately they haven't responded.

They might have their hands full with the URL vulnerability that lets anyone take over the router with simple well crafted HTTP requests.

I might be returning this router for something more secure. It doesn't appear Netgear takes security seriously.


 

The R7500v1 is EOL (End of Life), so I would expect hell to freeze over before any vulnerability gets properly fixed within the stock Netgear firmware.

Message 4 of 6
mdgm-ntgr
NETGEAR Employee Retired

Re: R7500v1 Zebra VTY Vulnerability

We've promptly dealt with the URL vulnerability and we found that the R7500v1 is not affected.

 

We do take security very seriously.

 

In any case you've found what you consider a workaround for what you consider to be a security vulnerability.

 

Our security advisory team does need time to consider and investigate reports.

 

Products that are EOL may still receive firmware updates e.g. if we determine that security fixes are needed.

Message 5 of 6
BlankAlpha
Aspirant

Re: R7500v1 Zebra VTY Vulnerability

That is great news.

I hope this is also patched.

I am pretty sure what I consider as a Security Vulnerability is what everyone else considers a security vulnerability.

Message 6 of 6