
Re: UPDATED 6/26/20: Important Security Advisory Notification: Information on affected NETGEAR produ

DarrenM
NETGEAR Moderator


@djasond23  Have you tried the TFTP way to update the firmware?

 

https://kb.netgear.com/000059633/How-to-upload-firmware-to-a-NETGEAR-router-using-TFTP-client

 

DarrenM

Message 151 of 196
schumaku
Guru



@djasond23 wrote:

I see the hotfix for this, but you guys still haven't addressed the firmware install issues for Nighthawk R7960P from the last general firmware release in addition to this hotfix not installing either.


For "this"? The R7960P is not listed in the initial post nor on the related KB entry.

Because Netgear is still unable to maintain Release Notes properly - sticking with this nonsense "fixed various security issues" (and no information neither in their own vulnerability numbers nor the CVE ones for reference): Without checking the source code (probably not available yet ...) we can't say if this model is affected but not listed, or whatever other security issues have been fixed.

@ChristineT @Christian_R please ensure AGAIN that the release notes show traceable information. This lack of security relevant information is no longer acceptable in the year 2020 - and can't be compliant to the quality assurance systems Netgear does claim to comply.

Message 152 of 196
djasond23
Guide


@DarrenM

 

Yes, I've followed that doc perfectly and it doesn't work. Tried it several times including having a continuous ping going to the router to ensure connectivity and was also able to telnet to port 69 to confirm port was open.

In the doc you supplied for number #4, step 7, "Watch the Power LED. It will start with an orange color and then start flashing."

The Model R7960P power LED never flashes at any point. It starts off solid amber then simply goes to solid white. Nevertheless, I tried the tftp upload at numerous times in the boot process.

Something was wrong with model R7960P before the new hotfix release. You guys still have not addressed the last general firmware release install issue customers are complaining about in this thread > Re: R7960P firmware not upgrading

The real question is, have YOU, @DarrenM or anyone else at Netgear tried these firmware updates on model R7960P with the tftp method? Are you successful?

Message 153 of 196
djasond23
Guide



@schumaku wrote:

@djasond23 wrote:

I see the hotfix for this, but you guys still haven't addressed the firmware install issues for Nighthawk R7960P from the last general firmware release in addition to this hotfix not installing either.


For "this"? The R7960P is not listed in the initial post nor on the related KB entry.

Because Netgear is still unable to maintain Release Notes properly - sticking with this nonsense "fixed various security issues" (and no information neither in their own vulnerability numbers nor the CVE ones for reference): Without checking the source code (probably not available yet ...) we can't say if this model is affected but not listed, or whatever other security issues have been fixed.

@ChristineT @Christian_R please ensure AGAIN that the release notes show traceable information. This lack of security relevant information is no longer acceptable in the year 2020 - and can't be compliant to the quality assurance systems Netgear does claim to comply.


The hotfix is listed on the R7960P software download page!

Message 154 of 196
MauleGuy
Star


Ok, have looked up my "Hot Fix" and it looks to be: R7900-V1.0.4.24_10.0.45_beta.zip

 

My router is currently running Firmware: V1.0.3.18_10.0.42

 

Is V1.0.4.24_10.0.45 going to be released as a non-beta version or do we download a piece of beta software and hope for the best?

 

I made sure the Access Control box is not ticked.

 

My basic question is if my router seems to be working just fine and turning off Access Control solves the immediate Security vulnerability, then why should I attempt to install a beta version firmware?

 

If I choose to do it, I am assuming I unzip the file and install it from the hard drive from the Highlighted tool.

 

Router update.png

Model: R7900|Nighthawk X6 AC3000 Tri-Band WiFi Router
Message 155 of 196
Ugatar
Aspirant

Re: UPDATED 6/23/20: Important Security Advisory Notification: Information on affected NETGEAR produ

How old was your router?

Model: R8000|Nighthawk X6 AC3200 Smart WIFI Router
Message 156 of 196
Ugatar
Aspirant

Re: UPDATED 6/23/20: Important Security Advisory Notification: Information on affected NETGEAR produ

Yesterday I installed a new 600mb at the office and while doing that I went to the interface to look at something, I noticed a firmware available and decided to run it. 5:30pm on a Friday, it was a REALLY BAD IDEA! I have done this procedure without any issues for years, I have had this router since it was released years ago, but for some reason after completing the upgrade the device wouldn't connect to the internet. I rebooted the router and hell started. The router is in this eternal loop of rebooting. At first, I was able to hardwire and ping without a problem, I have a Mac so was trying several ways to TFTP and load the firmware. No luck. Called Netgear and they want $$$. This morning I tried again and after a few attempts just gave up and paid. It was a bad decision, their staff only read a script, they do not have any qualification to troubleshoot, the lady did not know how to get the static IP on a Mac since one option wasn't available. She decided to transfer me to a level 2 but after 45 min waiting, she told me that no one was available and that I had to call later or during weekdays. She told me that if I had a Windows computer it would be easier. Sooooo the stupid me drove to the parent house to use a PC, called Netgear again and after 35 minutes on hold (I had already performed several tries) the tech just started everything over and over again like there were no notes about the 1st call. He tried again to connect to level 2 and again was informed no one was available today. He tried to do the TFTP and at one point I got tired and told him that everything he was reading I have done. The PING response times out 70% of the time.

 

If someone finds a solution great, otherwise I will have to buy a new router. Netgear just released an update that BROKE MY ROUTER. This is unbelievable. 

 

Model: R8000|Nighthawk X6 AC3200 Smart WIFI Router
Message 157 of 196
antinode
Guru


> I made sure the Access Control box is not ticked.

 

   Why?  Read it again?  "Access Control" and "Remote Management" are
spelled differently for a reason.

 

> [...] why should I attempt to install a beta version firmware?

 

   Because it is supposed to fix the actual problem, and you apparently
can't reliably follow the instructions for the work-around?

 

> If I choose to do it, I am assuming I unzip the file and install it
> from the hard drive from the Highlighted tool.

 

   Probably, if "it" means the firmware image file from the zip archive.
If the User Manual for your router doesn't cover the details, then see:

 

      https://kb.netgear.com/23960

 

   Note that embedding a picture that way adds delay; others can't see
it until it's approved by a moderator.  An all-text description like,
say, ADVANCED > Administration > Router Update, would be clearer sooner.

Message 158 of 196
MauleGuy
Star

Antinode: I can't tell you how impressed I am with some snide Schmuck answering a ligitimate question.
 
 
 
 
Model: R7900|Nighthawk X6 AC3000 Tri-Band WiFi Router
Message 159 of 196
antinode
Guru


> [...] I can't tell you how impressed I am [...]

 

   I can believe that.  You're welcome.  PS: It's "legitimate".

Message 160 of 196
Lorraineg57
Apprentice


Assuming you're referring to remote management. Yes, the chk file needs to be uploaded from the unzipped file. I posted a screen shot and directions on page 6.
Message 161 of 196
MauleGuy
Star


Thanks Lorraineg57.

 

That confirms my impression as to how I need to update firmware.

 

My inclination is to not upgrade to a beta firmware. When both Access Control and Remote Management are turned off my understanding is my router is not vulnerable to the security risk(s) that are addressed in the beta release R7900-V1.0.4.24_10.0.45_beta.zip.

 

I have had some bad experiences with beta releases and since my router is working fine as is I am reluctant to chance a crashed router when I depend on it for working at home.

 

Model: R7900|Nighthawk X6 AC3000 Tri-Band WiFi Router
Message 162 of 196
schumaku
Guru


@MauleGuy

Reads like fake news in two aspects:

  • Where is the idea coming from that the Access Control has to be disabled and/or any related vulnerabilities exist in the context of the subject and the initial post?
  • The vulnerability of the daemon serving the telnet access does still exist on the LAN side of the router - risk here is overseable for now, unless the vulnerability is used by malicious code spreading however.

Bad enough, Netgear is unable to provide traceable information on the security issues fixed in each model release notes. 

Message 163 of 196
Lorraineg57
Apprentice


I don't recall access control being mentioned by netgear....?
Message 164 of 196
BB-AZ
Aspirant


This is ridiculous and way too complicated. Netgear took the easy way out and blasted instructions that are so generic and long that they make no sense. I went to the link and it just kept bringing me back to the same zip, then open the zip and back again. Why can't they just send me a link for my model and current status along with a simple link to get the fix? Instead they refer me to the manual and back to the same useless folder.

Model: R6400|AC1750 Smart WiFi Router
Message 165 of 196
MauleGuy
Star


My mistake to infer that Remote Access is outside security risk.  

 

I meant to point out that both remote access and remote management are disabled on my router. The message is my router is as isolated as I can make it with a strong password.

So let me rephrase my question to keep things on track while keeping people from believing that "false news" is being propagated.

If "Remote Management" is disabled, is there a critical need to install beta Firmware if the system is functioning well? I think I remember way back in this thread that this is the case.

 

If disabling "Remote Management" solves the security issue; then I, personally with no extended recommendations inferred, would be more comfortable waiting for the firmware version release that has passed beyond the beta stage.

 

An answer of "yes disabling Remote Management will resolve the security risk" or a "no it is critical that the R7900-V1.0.4.24_10.0.45_beta.zip be applied to the R7900 X6 AC3000 router" would help me in my decision.

 

 

Model: R7900|Nighthawk X6 AC3000 Tri-Band WiFi Router
Message 166 of 196
schumaku
Guru


ERRATA

 

Reads like fake news in two aspects:

  • Where is the idea coming from that the Access Control has to be disabled and/or any related vulnerabilities exist in the context of the subject and the initial post?
  • The vulnerability of the daemon serving the telnet  http access and UPnP do still exist on the LAN side of the router - risk here is overseable for now, unless the vulnerability is used by malicious code spreading however.

Bad enough, Netgear is unable to provide traceable information on the security issues fixed in each model release notes. 

Message 167 of 196
schumaku
Guru



@MauleGuy wrote:

If disabling "Remote Management" solves the security issue; then I, personally with no extended recommendations inferred, would be more comfortable waiting for the firmware version release that has passed beyond the beta stage.


There are multiple components affected - the httpd driving the Web server for the remote access _and_ for the LAN access, plus the UPnP "Web" server providing information.

In the vulnerability publication, the partially vague (or more for business class environment workable) mitigation suggestion is:

"-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting."

 

OK, for a consumer (home) environment on a shorter term we can consider the devices on the LAN reasonably secure for a limited time.

 


@MauleGuy wrote:

An answer of "yes disabling Remote Management will resolve the security risk" or a "no it is critical that the R7900-V1.0.4.24_10.0.45_beta.zip be applied to the R7900 X6 AC3000 router" would help me in my decision.


 

As Netgear is unable to update the https://www.netgear.com/about/security/ for PSV-2020-0001, 0009, 0108, 0118, 0119 (not: their own listing!) - here the items on ZDI:

 

ZDI-CAN-9642 https://www.zerodayinitiative.com/advisories/ZDI-20-703/
ZDI-CAN-9643 https://www.zerodayinitiative.com/advisories/ZDI-20-704/
ZDI-CAN-9618 https://www.zerodayinitiative.com/advisories/ZDI-20-711/
ZDI-CAN-9703 https://www.zerodayinitiative.com/advisories/ZDI-20-712/
ZDI-CAN-9756 https://www.zerodayinitiative.com/advisories/ZDI-20-713/
ZDI-CAN-9767 https://www.zerodayinitiative.com/advisories/ZDI-20-708/
ZDI-CAN-9768 https://www.zerodayinitiative.com/advisories/ZDI-20-709/


PS. You know I still try to understand from where the idea came that the Access Control is impacted. The amount of information is hard to track.

 

 

Message 168 of 196
MauleGuy
Star


Thanks Schumaku.

I went through all the ZDI notices and what I gleaned from your and their information is if my router does not permit remote management and is only accessible to local LAN connections within my home and accessible only through a strong password, my router is safe....safe being a relative term for any device connected to the internet.

Sound about right for a home user?

Model: R7900|Nighthawk X6 AC3000 Tri-Band WiFi Router
Message 169 of 196
schumaku
Guru



@MauleGuy wrote:

Sound about right for a home user?


Yes, that's OK for me, too!

PS. Bushwacker is still alive?

Message 170 of 196
Lorraineg57
Apprentice


Waaaaaaay back at the beginning, netgear said that if remote management was off (which it is by default), then you were fine until the hot fix for your model was released. If you choose not to install the hot fix, that probably absolves them of any liability. Up to you though.
Message 171 of 196
Portwey84
Luminary


Has anyone else bothered to download Bitdefender Home Scanner? I'm on the latest beta Hotfix and according to the Bitdefender Home Scanner, my router is 'at risk' and 'vulnerable'. Out of 20 devices connected to my network, only my router and a single IP camera are 'at risk'. I'm losing faith here.

Model: R7000|AC1900 Smart WIFI Router
Message 172 of 196
sprasad_it
Aspirant


I did the same - don't intend to install a Beta and reconfigure.

Message 173 of 196
schumaku
Guru



@Portwey84 wrote:

I'm on the latest beta Hotfix and according to the Bitdefender Home Scanner, my router is 'at risk' and 'vulnerable'.


Provide the details also available. Impossible to provide an answer, especially for community members not having each and every hardware model at hand. Without even using a scanner, I could start writing down a list of features and code potentially reported as a risk or a vulnerability .... starting from a Telnet service, a http-only service, ftp not offering explicit encryption, to SAMBA with only SMB 1.0, ...

Message 174 of 196
Portwey84
Luminary



@schumaku wrote:

@Portwey84 wrote:

I'm on the latest beta Hotfix and according to the Bitdefender Home Scanner, my router is 'at risk' and 'vulnerable'.


Provide the details also available. Impossible to provide an answer, especially for community members not having each and every hardware model at hand. Without even using a scanner, I could start writing down a list of features and code potentially reported as a risk or a vulnerability .... starting from a Telnet service, a http-only service, ftp not offering explicit encryption, to SAMBA with only SMB 1.0, ...


To be honest, I've no idea even where to start. To be even more honest, I'm now past caring. I'm updated to Hotfix v.104 and it's been rock solid stable (just like the previous 3 firmware versions before that) since I updated.

 

I just found it odd that Bitdefender Homescanner reports my R7000 router as 'vulnerable' when everything else (bar my undoubtedly risky ip camera), is ok. I run everything through Expressvpn anyway and I use Bitdefender Total Security, so I'm not worried.

 

I guess I should be thankful everything just works.

Message 175 of 196