
Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

ja6a
Star

I am not sure where to publish it. Perhaps hackernews? I was a little confused by some of the responses - but yours has inspired me.
Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 26 of 44
FURRYe38
Guru

https://community.netgear.com/t5/Orbi/Orbi-NETGEAR-Guest-wont-turn-off/m-p/1659396#M44609

 

I would contact a Forum moderator to let them know if they don't already.

@Blanca_O


@ja6a wrote:
I am not sure where to publish it. Perhaps hackernews? I was a little confused by some of the responses - but yours has inspired me.

 

Message 27 of 44
ja6a
Star

I posted it on bugcrowd.
Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 28 of 44
MaximusPrime
Aspirant

In my opinion, this may be a good start.

 

https://www.us-cert.gov/

(There's a report button on the right side). 

 

Following the link, I see that it goes to the CMU Vulnerability Reporting page here, so in theory you could also just start here : https://www.kb.cert.org/vuls/report/

 

I'll check with some security folks that I work with in case they have other suggestions for items like this.

Message 29 of 44
randomousity
Luminary

I just checked and had the same issue, the guest network being enabled with no password, despite the settings showing the guest network was disabled. Since I've never enabled it, there isn't a password set, so that wasn't an issue, but it shouldn't spontaneously enable itself.

 

And, before anyone asks, I've manually loaded the 2.2.1.210 firmware before, following other issues, and I didn't use the guest network with previous firmware versions, either.

 

I don't live in a very dense area, so it's not terrible, as far as neighbors getting on my network, but still a security issue that should be addressed, especially since the Orbi doesn't fully segment the guest network from the regular private network anyway.

Message 30 of 44
ja6a
Star

Someone at bugcrowd got back to me. Please can someone help me answer the question: What are the steps to reproduce this bug?
Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 31 of 44
User00
Star

The bug seems to be with the satellite not being able to fully get the config changes from the base. Lots of different ways to reproduce and it's worse if the Orbi is in AP mode and something else on the network is acting as the DHCP server. 

 

If you perform a firmware upgrade, then the satellite will revert to default settings and start broadcasting the guest network. It won't get the settings from the base until you perform a physical reset and then initiate a sync.

If you make a change on the base unit, the satellite does not get the changes (even if it shows as registered on the base unit) - so now you have the base broadcasting the new settings and the satellite broadcasting the old ones. Once again, you have to hard reset the satellite and re-connect/sync it to the base for the settings to propagate.

If you are in Router mode - then you might not get an IP address from the base, but you could technically still connect via the satellite and assign yourself a static IP.

 

Some folks are reporting that a reboot fixes it - but that never worked for me.  I always had to do the hard reset (which sometimes won't work unless you hold the button for 90 full seconds).

 

 

Model: RBK22| Orbi AC2200 Tri-band WiFi System
Message 32 of 44
ja6a
Star

Thank you very much. I have used your text in the report verbatim.

Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 33 of 44
Pokemaniaccc
Tutor

I still have this issue. It happens once a week or so. Then I have to power off the satellite and then power on again. Then the guest network disappears. Has Netgear done anything on this issue? And does anyone have a long-term solution for this problem?

Model: RBK53|Orbi AC3000 Tri-band WiFi System
Message 34 of 44
ja6a
Star

Hi

I got to the bottom of the cause of this bug and reported it to Netgear. They accepted it and fixed it in the latest firmware - 2.3.1.60

The problem was the Amazon Alexa connection. Do you use Alexa to turn the guest wifi on or off?
Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 35 of 44
Pokemaniaccc
Tutor

Hi

 

Thx for the fast reply. I will check my firmware, if it's the latest one today evening. 

 

We have an Amazon Alexa, but we use it only for Spotify streaming. We don't use it for switching on the guest wifi. We actually never use guest wifi. So I was a bit surprised when I first saw it switched on without password protection. Now I check every day whether it is switched on, but that's a bit painful.

Model: RBK53|Orbi AC3000 Tri-band WiFi System
Message 36 of 44
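The daily manual check described in the post above can be scripted. This is an added example, not part of the thread and not NETGEAR tooling: it parses terse `nmcli -t -f SSID,BSSID,SECURITY device wifi list` output and reports unencrypted networks that match your own guest SSID or unit BSSIDs. The sample scan, the BSSIDs and the `NETGEAR-Guest` watch name (taken from the linked thread title) are assumptions to replace with your own values.

```python
# Added example: flag an unencrypted guest SSID coming from your own mesh units.
# Input format assumed: `nmcli -t -f SSID,BSSID,SECURITY device wifi list`
# (terse mode separates fields with ':' and escapes ':' inside a field as '\:').

# Constructed sample scan; every SSID and BSSID below is made up.
SAMPLE_SCAN = r"""HomeNet:AA\:BB\:CC\:00\:00\:01:WPA2
HomeNet:AA\:BB\:CC\:00\:00\:11:WPA2
NETGEAR-Guest:AA\:BB\:CC\:00\:00\:12:
:AA\:BB\:CC\:00\:00\:13:
CoffeeShop:11\:22\:33\:44\:55\:66:
Neighbour\:5G:DE\:AD\:BE\:EF\:00\:01:WPA2 WPA3
"""

WATCH_SSIDS = {"NETGEAR-Guest"}      # assumed guest name; use your own
OWN_BSSIDS = {"AA:BB:CC:00:00:13"}   # assumed radio MACs of your own units


def split_terse(line):
    """Split one terse nmcli line on unescaped ':' and unescape the fields."""
    fields, cur, escaped = [], [], False
    for ch in line:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields


def find_open_own_networks(scan_text, watch_ssids=WATCH_SSIDS, own_bssids=OWN_BSSIDS):
    """Return (ssid, bssid) for open networks that belong to your equipment."""
    alerts = []
    for line in scan_text.splitlines():
        fields = split_terse(line)
        if len(fields) != 3:
            continue  # blank or malformed line
        ssid, bssid, security = fields
        is_open = security.strip() in ("", "--")  # no WPA/WEP advertised
        is_ours = ssid in watch_ssids or bssid.upper() in own_bssids
        if is_open and is_ours:
            alerts.append((ssid, bssid.upper()))
    return alerts


if __name__ == "__main__":
    for ssid, bssid in find_open_own_networks(SAMPLE_SCAN):
        print(f"OPEN network from own equipment: ssid={ssid!r} bssid={bssid}")
```

Matching on BSSID as well as SSID catches a satellite that broadcasts an open network under a hidden or unexpected name; run the scan from a client near each satellite, since the thread reports the satellite and base can disagree.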
User00
Star

I think it's worth mentioning that while the recent firmware specifically mentions the Alexa fix, it only provides a generic description about security fixes that may or may not resolve the original issue I described in this thread.
(I have no Alexa products).

I have since returned my Orbi, but maybe someone else can confirm if all related issues have been resolved.
Message 37 of 44
ja6a
Star

It fixed the problem for me.
Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 38 of 44
DanielJUK
Tutor

I don't have any Alexa products either and had this happen to me near the start of the thread.

 

Since V2.3.1.60 I have not had it happen again. Before, if I reset the Orbis or turned the power off, randomly it would do the open guest network issue and if I reset the router again it went away. This weekend there was a power cut and the router and satellites went on and off several times and it did not occur again, but I always check it is not broadcasting if they ever reset now. So I think this looks like it is fixed, fingers crossed :)

Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 39 of 44
DanielJUK
Tutor

I don't have Alexa and reported about my experiences with this bug near the start of this thread.

 

Since v2.3.1.60, I've not had it happen again. I noticed it the most when the router or satellite reset or the power went off, randomly one of the power cycles could produce the open guest network. I always checked if it was broadcasting on every reset! When I reset both again it fortunately went away for me.

 

This weekend there was a power issue in my area and the Orbis went off several times and came back and it didn't occur, so I am hoping it has fixed it! Fingers crossed :)

Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 40 of 44
Pokemaniaccc
Tutor

I also updated mine to v2.3.1.60. Since then, I am not having this issue anymore. Let's hope it's 100% fixed. Thx anyway guys for your help and replies.

Model: RBK53|Orbi AC3000 Tri-band WiFi System
Message 41 of 44
FURRYe38
Guru

Thanks for letting us know.

 

Yes, users should update to v60 if they are having problems with their Orbi systems. Please update the RBS first then the RBR lastly. Factory reset and setup from scratch after loading the FW. Do not re-load a saved backup config from file. Setup from scratch, then save off a new back up config to file.

 

Enjoy. ;)

Message 42 of 44
ja6a
Star

I think that resetting is a bit overkill. I’d suggest performing the update - the app handles this fine - and seeing how you get on. Only if it is still not fixed you can try a reset.
Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 43 of 44
FURRYe38
Guru

That too. "Yes, users should update to v60 if they are having problems with their Orbi systems."

Message 44 of 44