Orbi WiFi 7 RBE973
Reply

Security Hotfix for X10 R9000?

alokeprasad
Mentor

Security Hotfix for X10 R9000?

What security fixes are in https://kb.netgear.com/000061091/R9000-Firmware-Version-1-0-4-36-Hot-Fix

Any zero day exploits?

 

The router firmware shows no new available updates, probably because the above is still in beta. I normally avoid beta software.

But if this is an urgent hot-fix, then maybe I should install it ...

 

Is it worth installing this beta firmware? 

Model: R9000|Nighthawk X10 AD7200 Smart WiFi Router
Message 1 of 10

Accepted Solutions
alokeprasad
Mentor

Re: Security Hotfix for X10 R9000?

Did some more searching:

https://www.netgear.com/search-netgear.aspx?cn=security_collection&rf=document_type:Security%20Advis...

 

This could be https://kb.netgear.com/000061024/Security-Advisory-for-KCodes-NetUSB-Unauthenticated-Remote-Kernel-V...

 

If you Google the CVE codes below, you get

Current Description (https://nvd.nist.gov/vuln/detail/CVE-2019-5016)

An exploitable arbitrary memory read vulnerability exists in the KCodes NetUSB.ko kernel module which enables the ReadySHARE Printer functionality of at least two NETGEAR Nighthawk Routers and potentially several other vendors/products. A specially crafted index value can cause an invalid memory read, resulting in a denial of service or remote information disclosure. An unauthenticated attacker can send a crafted packet on the local network to trigger this vulnerability.

 

Current Description (https://nvd.nist.gov/vuln/detail/CVE-2019-5017)

An exploitable information disclosure vulnerability exists in the KCodes NetUSB.ko kernel module that enables the ReadySHARE Printer functionality of at least two NETGEAR Nighthawk Routers and potentially several other vendors/products. An unauthenticated, remote attacker can craft and send a packet containing an opcode that will trigger the kernel module to return several addresses. One of which can be used to calculate the dynamic base address of the module for further exploitation.

 

So, the information is out there, including on Netgear's own security page (thank goodness for that!).

So, how about including this on the firmware download page?!?

 

==

Associated CVE IDs: CVE-2019-5016; CVE-2019-5017

NETGEAR has released firmware fixes or hotfixes for KCodes NetUSB unauthenticated remote kernel information disclosure and arbitrary memory read security vulnerabilities on the following product models:

  • D6000 running firmware versions prior to v1.0.0.78
  • D6400 running firmware versions prior to v1.0.0.88
  • D7800 running firmware versions prior to v1.0.1.56
  • DC112A running firmware versions prior to v1.0.0.44        
  • EX6200 running firmware versions prior to v1.0.3.90         
  • EX6200v2 running firmware versions prior to v1.0.1.78     
  • EX8000 running firmware versions prior to v1.0.1.202       
  • R6250 running firmware versions prior to v1.0.4.38_BETA
  • R6400 running firmware versions prior to v1.0.1.50
  • R7300DST running firmware versions prior to v1.0.0.74_BETA
  • R7500v2 running firmware versions prior to v1.0.3.41_BETA
  • R7800 running firmware versions prior to v1.0.2.63_BETA
  • R7900 running firmware versions prior to 1.0.3.14_10.0.40_BETA
  • R8000 running firmware versions prior to 1.0.4.38_10.1.59_BETA
  • R8900 running firmware versions prior to v1.0.4.36_BETA
  • R9000 running firmware versions prior to v1.0.4.36_BETA
  • WNDR4300v2 running firmware versions prior to v1.0.0.60_BETA          
  • WNDR4500v3 running firmware versions prior to v1.0.0.60_BETA          
  • XR500 running firmware versions prior to v2.3.2.56
  • XR700 running firmware versions prior to v1.0.1.18_BETA           

==

 

View solution in original post

Model: R9000|Nighthawk X10 AD7200 Smart WiFi Router
Message 9 of 10

All Replies
myersw
Master

Re: Security Hotfix for X10 R9000?

Typical care to detail that Netgear shows. Smiley Happy Doc with the firmware says security fixs. A simple what fixes are included in the doc would have been nice since they know, hopefully, what they fixed. 

Message 2 of 10
SScandy
Luminary

Re: Security Hotfix for X10 R9000?

About a month ago. I started a thread about this:

v1.0.4.36 Hot Fix

 

In that thread, I asked a lot of the same questions that you did. As you can see, Netgear did not provide any information about this "Hot Fix". I have no idea who this hot fix is directed towards, and no idea whether or not to install it.

 

Also, did you notice that the date on the v1.0.4.34 release is actually later than the date for v1.0.4.36 (does not seem logical that v1.0.4.36 is older than v1.0.4.34).

 

Once again, we are left with no information to make a sensible decision whether or not to install this hot fix.

Message 3 of 10
Binkerman
Aspirant

Re: Security Hotfix for X10 R9000?

I noticed those same things. Hmmm, beta? I'm not a beta kinda girl. Beta....."Hot Fix"?! For a security vulnerability? No thanks. The non-sequential dates are another sign it'll be best for me to put off updating even to v1.0.4.34.

Message 4 of 10
antinode
Guru

Re: Security Hotfix for X10 R9000?

> [...] Beta....."Hot Fix"?! For a security vulnerability? No thanks.
> [...]

 

   For a serious security vulnerability, a "Hot Fix" may be exactly what
you want.  Waiting to the next normal release leaves you vulnerable
longer.

 

   However, given the dearth of useful info in Netger firmware release
notes, the mystery is whether some new "beta" release introduces
exciting new bugs along with the solution for the security
vulnerability.

 

> [...] The non-sequential dates are another sign [...]

 

   If you're looking at the dates on some documents, then you may be
seeing a sign that someone found a typographical error in a document,
and changed that document.  If you want to know about the actual
firmware files, then fetch the firmware kits, and look at the dates on
the files in the zip archives.

Message 5 of 10
Binkerman
Aspirant

Re: Security Hotfix for X10 R9000?

My purpose for being on the site was to download firmware & security updates, because I well-understand security vulnerabilities, their fixes, and hot fixes. Hot fixes are meant to fix a problem in a hurry. Betas, GENERALLY, are for testing & finding bugs. Imo, Beta + Hot Fix implies a hot fix not ready for prime time. I live in a remote area, and can't risk bricking my router. I'll wait for the final release.
Message 6 of 10
antinode
Guru

Re: Security Hotfix for X10 R9000?

> [...] Imo, Beta + Hot Fix implies a hot fix not ready for prime time.

 

   My opinion is that Netgear firmware is seldom reliable when formally
released.  I wouldn't bet that any particular beta release would be any
better or worse than any particular formal release.  However, if it's
promoted as a "Hot Fix", then one might reasonably infer that someone,
someplace, is willing to imply that it's an improvement over something.

 

> [...] I live in a remote area, and can't risk bricking my router. I'll
> wait for the final release.

 

   Not knowing exactly what "bricking my router" means to you, I'd
expect that any particular firmware load operation would be about as
likely as any other to cause it, regardless of the beta-ness of the
firmware image being loaded.

 

   From the reports which I've read here, such failures seem to occur as
a result of the load procedure, which may depend more on what's loaded
now than on what's about to replace it.  The same firmware image (when
loaded using the TFTP recovery scheme after an update failure) seems to
work about as expected, no matter what happened before.

 

   I doubt that anyone here knows the actual cause of these failures
(which seem to be getting more frequent with time), so evidence for any
speculation about how to avoid them is very sparse.  Folk tales are much
more abundant than actual evidence.

 

   Never updating is a pretty good system for avoiding update failures,
but it has its costs, too.  Your policy is, of course, up to you.

Message 7 of 10
alokeprasad
Mentor

Re: Security Hotfix for X10 R9000?

Or, like I suggested in the OP:

Netgear could/should disclose vulnerabilities, especially zero-day ones, like the more reputed companies do.  It has _some_ on their security page https://www.netgear.com/about/security/ and https://www.us-cert.gov/ncas/bulletins

And tell us which one of those is being addressed in the "hotfix" (which implies a certain sense of urgency (speed over rigor in testing) of release)

Model: R9000|Nighthawk X10 AD7200 Smart WiFi Router
Message 8 of 10
alokeprasad
Mentor

Re: Security Hotfix for X10 R9000?

Did some more searching:

https://www.netgear.com/search-netgear.aspx?cn=security_collection&rf=document_type:Security%20Advis...

 

This could be https://kb.netgear.com/000061024/Security-Advisory-for-KCodes-NetUSB-Unauthenticated-Remote-Kernel-V...

 

If you Google the CVE codes below, you get

Current Description (https://nvd.nist.gov/vuln/detail/CVE-2019-5016)

An exploitable arbitrary memory read vulnerability exists in the KCodes NetUSB.ko kernel module which enables the ReadySHARE Printer functionality of at least two NETGEAR Nighthawk Routers and potentially several other vendors/products. A specially crafted index value can cause an invalid memory read, resulting in a denial of service or remote information disclosure. An unauthenticated attacker can send a crafted packet on the local network to trigger this vulnerability.

 

Current Description (https://nvd.nist.gov/vuln/detail/CVE-2019-5017)

An exploitable information disclosure vulnerability exists in the KCodes NetUSB.ko kernel module that enables the ReadySHARE Printer functionality of at least two NETGEAR Nighthawk Routers and potentially several other vendors/products. An unauthenticated, remote attacker can craft and send a packet containing an opcode that will trigger the kernel module to return several addresses. One of which can be used to calculate the dynamic base address of the module for further exploitation.

 

So, the information is out there, including on Netgear's own security page (thank goodness for that!).

So, how about including this on the firmware download page?!?

 

==

Associated CVE IDs: CVE-2019-5016; CVE-2019-5017

NETGEAR has released firmware fixes or hotfixes for KCodes NetUSB unauthenticated remote kernel information disclosure and arbitrary memory read security vulnerabilities on the following product models:

  • D6000 running firmware versions prior to v1.0.0.78
  • D6400 running firmware versions prior to v1.0.0.88
  • D7800 running firmware versions prior to v1.0.1.56
  • DC112A running firmware versions prior to v1.0.0.44        
  • EX6200 running firmware versions prior to v1.0.3.90         
  • EX6200v2 running firmware versions prior to v1.0.1.78     
  • EX8000 running firmware versions prior to v1.0.1.202       
  • R6250 running firmware versions prior to v1.0.4.38_BETA
  • R6400 running firmware versions prior to v1.0.1.50
  • R7300DST running firmware versions prior to v1.0.0.74_BETA
  • R7500v2 running firmware versions prior to v1.0.3.41_BETA
  • R7800 running firmware versions prior to v1.0.2.63_BETA
  • R7900 running firmware versions prior to 1.0.3.14_10.0.40_BETA
  • R8000 running firmware versions prior to 1.0.4.38_10.1.59_BETA
  • R8900 running firmware versions prior to v1.0.4.36_BETA
  • R9000 running firmware versions prior to v1.0.4.36_BETA
  • WNDR4300v2 running firmware versions prior to v1.0.0.60_BETA          
  • WNDR4500v3 running firmware versions prior to v1.0.0.60_BETA          
  • XR500 running firmware versions prior to v2.3.2.56
  • XR700 running firmware versions prior to v1.0.1.18_BETA           

==

 

Model: R9000|Nighthawk X10 AD7200 Smart WiFi Router
Message 9 of 10
alokeprasad
Mentor

Re: Security Hotfix for X10 R9000?


@Binkerman wrote:
My purpose for being on the site was to download firmware & security updates, because I well-understand security vulnerabilities, their fixes, and hot fixes. Hot fixes are meant to fix a problem in a hurry. Betas, GENERALLY, are for testing & finding bugs. Imo, Beta + Hot Fix implies a hot fix not ready for prime time. I live in a remote area, and can't risk bricking my router. I'll wait for the final release.

From https://kb.netgear.com/000061024/Security-Advisory-for-KCodes-NetUSB-Unauthenticated-Remote-Kernel-V...

==

The firmware versions that end in “_BETA” are security hotfixes. Security hotfixes are beta firmware created outside of normal development and testing processes. While the hotfixes do fix the security vulnerabilities identified above, they could negatively affect the regular operation of your device. Though our pre-deployment testing process did not indicate that these hotfixes would impact device operability, we always encourage our users to monitor their device closely after installing the firmware hotfix.

NETGEAR strongly recommends that you download the latest firmware fixes or hotfixes for these product models as soon as possible.

==

 

So, they haven;t tested the Hotfix as much as even a beta release (they they presumably send to those who have signed up as beta-testers).

FWIW

Message 10 of 10
Top Contributors
Discussion stats
  • 9 replies
  • 2087 views
  • 0 kudos
  • 5 in conversation
Announcements

Orbi WiFi 7