Firmware 2.3.5.30 Security Vulnerability?

stefan_eb
Tutor

Firmware 2.3.5.30 Security Vulnerability?

Hi, I just updated my Orbi RBR50/RBS50 to the new Firmware 2.3.5.30. I am also a subscriber of the Netgear Bitdefender Armor. After the update I got a notification for a potential security risk (see attached screenshot). Is this supposed to happen? Should Netgear do something about it?

Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 1 of 6

FURRYe38
Guru

Re: Firmware 2.3.5.30 Security Vulnerability?

Please post in the Armor forum about this:

https://community.netgear.com/t5/NETGEAR-Armor/bd-p/en-home-armor

Message 2 of 6
CrimpOn
Guru

Re: Firmware 2.3.5.30 Security Vulnerability?


@stefan_eb wrote:

Should Netgear do something about it?


Ha!  This is SO COOL.  Netgear is ratted out by their own partner.  Using http for the "inside the LAN" router access is a feature of many routers, not just Netgear.  I have never seen an explanation for why they do this, but my own (personal) belief is:

 

  1. People are supposed to use complex passwords on the administrative account.
  2. If someone has physical access to a wired port on the Orbi, then they are "inside the safe" and already can do anything they want.
  3. If someone wants to hack using WiFi, they have to breach the (supposedly) complex WiFi password.
  4. If the owner is paranoid, he can use Access Control to keep anyone from attaching a new device.

The goofy part is that when "Remote Access" is turned on, that interface is https.  So, they already support a secure web interface.  They just don't use it for internal access.

This is a well documented issue that Netgear (and other router makers) seem to think is not a high priority.

Message 3 of 6
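
An added example, not part of the thread and not Netgear or Bitdefender code: a defender's check for the posture described in the post above, classifying what a router admin UI returns to a plain-HTTP request on the LAN. The sample responses, the function name and the category labels are constructed for illustration; nothing here claims to reproduce what Armor tests or what an Orbi actually returns.

```python
import re
from email.parser import Parser

# Constructed sample responses (not captured from any real device).
SAMPLE_BASIC = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="router admin"\r\n'
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://192.168.1.1/\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_FORM = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<form action="/login"><input type="password" name="pw"></form>'
)

def classify_admin_response(raw: str) -> str:
    """Classify what a plain-HTTP request to the admin UI returned."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", status_line)
    if not m:
        return "not-http"
    status = int(m.group(1))
    headers = Parser().parsestr(header_block, headersonly=True)
    location = headers.get("Location", "")
    # Best case: the HTTP port only bounces the browser to HTTPS.
    if status in (301, 302, 303, 307, 308) and location.lower().startswith("https://"):
        return "redirects-to-https"
    challenge = headers.get("WWW-Authenticate", "")
    if status == 401 and challenge.lower().startswith("basic"):
        # Basic auth only base64-encodes the password, so over HTTP it is
        # readable by anything on the path, and it is resent on every request.
        return "cleartext-basic-auth"
    if re.search(r"<input[^>]+type=[\"']?password", body, re.I):
        # A login form served over HTTP submits the password unencrypted.
        return "cleartext-login-form"
    return "cleartext-no-login-seen"

if __name__ == "__main__":
    for name, raw in [("basic", SAMPLE_BASIC), ("redirect", SAMPLE_REDIRECT),
                      ("form", SAMPLE_FORM)]:
        print(name, "->", classify_admin_response(raw))
```

To use it on your own network, pass it the raw response text your router returns to a plain `http://` request for its admin page.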
FURRYe38
Guru

Re: Firmware 2.3.5.30 Security Vulnerability?

I would agree that the LAN side UI may need HTTPS at some point, however not a lot of hacking goes on on the LAN side. Though not everyone seems to be proactive in some countermeasures, Mfrs may be just waiting for a real need for HTTPS on the router's UI. May involve more than just changing protocols as well. Most routers and APs and such don't use HTTPS for LAN side access. Been like this since the start. Some printers now do though.

Message 4 of 6
stefan_eb
Tutor

Re: Firmware 2.3.5.30 Security Vulnerability?

Quick update. Netgear Engineering is aware of this issue and will offer a solution in a firmware update.

Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 5 of 6
FURRYe38
Guru

Re: Firmware 2.3.5.30 Security Vulnerability?

Thank you for letting us know. 

;)

Message 6 of 6