Orbi WiFi 7 RBE973

Re: Unrestricted access to router admin UI

brianld
Apprentice

Unrestricted access to router admin UI

This is an odd one that I can't seem to pinpoint:

 

1. Reset entire system to factory defaults.

2. Set up the system again.

3. Establish admin password, as required.

4. Login to Router Admin page (192.168.1.1) using password set initially in step 3.

5. Click logout in upper-right corner.

6. Open ANY browser on my local network (connected to my "main" wifi SSID).

7. Navigate to Router Admin page (192.168.1.1).

8. Voila, automatically logged in with unrestricted admin rights, no password asked for.

 

I have tried from multiple computers (with diff IPs obviously), multiple browsers on same computer, incognito mode browser on multiple computers, browser inside my Win11 VM, etc.  All seamlessly able to administer the router without the password.

 

I have the IoT network and Guest networks enabled.  Can replicate this unrestricted access on the IoT network.  Cannot access 192.168.1.1 at all from Guest network, so one could argue this isn't a huge security issue.  Thought maybe it was because I had the Guest network enabled ("trust anyone on my own private network"), but that doesn't appear to be the case as I disabled the Guest network and the issue is still present.

 

Apparently I got a "special" Orbi 970 if no one else is seeing this same behavior!  Scratching my head.

Message 1 of 12
FURRYe38
Guru

Re: Unrestricted access to router admin UI

How soon are you logging out then back in to the RBR's web page?

Does your browser save the login info and password as well?

Message 2 of 12
brianld
Apprentice

Re: Unrestricted access to router admin UI

I've gone over an hour between login attempts and am still able to login.  Have logged in from my primary machine, logged out, went and started up my son's computer, went to 192.168.1.1 and was in without even being prompted for credentials.

Message 3 of 12
FURRYe38
Guru

Re: Unrestricted access to router admin UI

Something you might submit a support ticket about. Something I've not seen with my system. 

@Straq 

Message 4 of 12
BH-C
NETGEAR Expert

Re: Unrestricted access to router admin UI

Thank you for reporting this issue to us and bringing it to my attention. I will ask our engineering team to look into it.

Message 5 of 12
Dfran1
Apprentice

Re: Unrestricted access to router admin UI

WOW, I have been in and out of my 970 system many times with my Mac mini, Chromebook, and iPhone Safari ....

Always a pop up to type user and password.

 

With that other white light problem, I would have to say you have defective equipment, BUT that is just my opinion.

Message 6 of 12
brianld
Apprentice

Re: Unrestricted access to router admin UI

@Dfran1 yeah, it’s the weirdest thing. And quite concerning. Also surprised that no one else has seen the same behavior. 

Message 7 of 12
FURRYe38
Guru

Re: Unrestricted access to router admin UI

Just because one user sees a problem doesn't mean others should see the same thing. Possible this user's unit is just faulty or in a bad state. I've not seen this ever since day one on mine. I get the login window each and every time I go to the router's web page.

Message 8 of 12
brianld
Apprentice

Re: Unrestricted access to router admin UI

@Straq  @FURRYe38  An update on this issue:

 

I started from scratch today.  Completely reset router and satellites.  Went through the entire setup of my Orbi using the iOS app.

 

The issue of being able to get into router admin pages from any device on network is no longer occurring.  Phew!

 

I did find a different potential security issue however.  I would be curious if someone else could try to replicate it ...

 

It appears that the router will allow any browsers from a single device to access the admin portal if a user has logged in via that IP, and has not logged out.

 

How to reproduce:

 

1.  Clear cookies on all browsers.

2.  Using the browser of your choice (I used Chrome), login to your router's admin pages.

3.  Do not click "Logout" in upper right.  Just close/exit the browser.

4. Using any other browser (Safari in my case) from the same computer, open your router admin page.

5. You should be in without being prompted for a password.

 

I've tested this with multiple browsers, as well as within a VM on my Mac that shares the Mac's IP.  Once a user has logged in from an IP, and has not logged out, anyone can administer the router.  

 

This isn't an issue for me in particular, as no one else uses my laptop, and I can just be sure to logout.  However, imagine a scenario where a household used a shared computer.  If the admin portal had been logged into from that computer, and the session was not logged out, any other user of that computer would be able to access it, so long as the IP doesn't change.

 

 

Message 9 of 12
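
An added illustration of the behaviour described in the post above, not part of the original thread and not NETGEAR firmware code. It assumes, as the post suggests but nobody in the thread confirms, that the admin UI remembers a login per source IP, and replays the reproduction steps against that scheme and against a per-browser token scheme. The class names, the client IP and the timeout value are constructed.

```python
import secrets
import time

IDLE_TIMEOUT = 300  # seconds; constructed value, not from any firmware

class IpKeyedSessions:
    """Assumed weak model: the login state is remembered per source IP."""
    def __init__(self):
        self.ips = set()
    def login(self, ip):
        self.ips.add(ip)
        return None                      # no per-browser secret issued
    def is_authenticated(self, ip, cookie=None):
        return ip in self.ips            # any browser behind that IP passes
    def logout(self, ip, cookie=None):
        self.ips.discard(ip)

class TokenKeyedSessions:
    """Hardened model: random per-browser token, bound to IP, idle expiry."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.sessions = {}               # token -> (ip, last_seen)
    def login(self, ip):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (ip, self.clock())
        return token
    def is_authenticated(self, ip, cookie=None):
        entry = self.sessions.get(cookie)
        if entry is None:
            return False
        bound_ip, last_seen = entry
        if bound_ip != ip or self.clock() - last_seen > IDLE_TIMEOUT:
            del self.sessions[cookie]    # expired or moved: force re-login
            return False
        self.sessions[cookie] = (ip, self.clock())
        return True
    def logout(self, ip, cookie=None):
        self.sessions.pop(cookie, None)

def second_browser_gets_in(store, ip="192.168.1.50"):
    """Replay the thread's steps: log in, close without logout, new browser."""
    store.login(ip)                      # browser A logs in (password assumed correct)
    return store.is_authenticated(ip, cookie=None)  # browser B has no cookie

if __name__ == "__main__":
    print("IP-keyed:   ", second_browser_gets_in(IpKeyedSessions()))
    print("token-keyed:", second_browser_gets_in(TokenKeyedSessions()))
```

In the token model a second browser, another local user or a VM sharing the host's IP presents no token and is sent back to the login prompt, and a session that was never logged out still lapses after the idle timeout.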
FURRYe38
Guru

Re: Unrestricted access to router admin UI

I can produce this on my Win 10 PC with MS Edge and Chrome but can't produce this on Win 11 PC with MS Edge or Firefox; they give me the login each time. Cleared browser caches on both as well.

 

 

Message 10 of 12
brianld
Apprentice

Re: Unrestricted access to router admin UI

Glad you were able to reproduce it. Strange that it didn’t on Win11. 

Message 11 of 12
FURRYe38
Guru

Re: Unrestricted access to router admin UI

Will let NG take the ball now. 

Message 12 of 12