
Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

ploo
Guide

Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

Has anyone else experienced this? I upgraded my Orbi to 2.2.1.210 - everything seemed fine. I have a guest network (with a password) that I leave disabled and only enable when we have a guest. It is also set to not allow access to my LAN.

 

A few days after upgrading I noticed that my guest network was active with NO PASSWORD and it could access my LAN. I logged into the Orbi console and it was still set to disabled, but it was broadcasting and I could connect to it with no password. The only way to turn it back off was to turn the guest network on and off again.

 

This is a serious security flaw! I now have major concerns about the security of this device which I've had no problems with for over a year.

Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 1 of 44
ploo
Guide

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

btw - the guest network had a password set.

Message 2 of 44
DanielJUK
Tutor

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

I just noticed this today. I have never set up the Guest network to use or turned it on yet! I suddenly realised there were a lot of devices connected that I could not work out who they were in the household or the device! Then realised on my laptop that NETGEAR-Guest was broadcasting totally open! argh!

I logged into Orbi and enabled guest network and added a password to secure it, I then turned it off! It was now secured but still broadcasting. I then reset the Orbi and it's vanished! phew! I am not sure if it will turn itself on again but I recommend setting a password for it, turn it on and then off. The whole time the Orbi status said that the Guest Network was not enabled apart from when I turned it on to secure it. So it was broadcasting and turned on all by itself!

 

I have upgraded to 2.2.1.210 about a week ago

Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 3 of 44
FURRYe38
Guru

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

Try FW re-load and full factory reset and setup from scratch:

https://community.netgear.com/t5/Orbi/Firmware-2-2-1-210-released-as-of-10-3-18/m-p/1647303/highligh...

 

Does it still occur after this?

 

 

 

Message 4 of 44
ploo
Guide

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

I have already fixed it as I described - namely, by turning the guest network on and back off again.

I was, however, highlighting the issue that this may happen when the firmware is updated and it shouldn't happen. It was pure chance that I noticed this and my network had been completely open for several days as a result.

Message 5 of 44
FURRYe38
Guru

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

Would need to try a factory reset and setup from scratch to see if this is something that changed in the new FW. Something NG will need to know.

 

@Christian_R


@ploo wrote:

I have already fixed it as I described - namely, by turning the guest network on and back off again.

 

I was, however, highlighting the issue that this may happen when the firmware is updated and it shouldn't happen. It was pure chance that I noticed this and my network had been completely open for several days as a result.


 

Message 6 of 44
toe
Apprentice

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

Stop asking customers to do factory reset and other time wasting procedures that are not part of the instruction from Netgear themselves and hoping that it fixes something. Netgear should be the one doing the testing with new firmware releases to ensure integrity of previous configurations during upgrade. I think you might think that is helpful, but plenty of customers have wasted so many hours of their time doing unnecessary resets.

 


@FURRYe38 wrote:

Would need to try a factory reset and setup from scratch to see if this is something that changed in the new FW. Something NG will need to know.

 

Message 7 of 44
FURRYe38
Guru

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

Sorry, this is a valid procedure to do as others have said it's worked for them:

https://community.netgear.com/t5/Orbi/Firmware-2-2-1-210-released-as-of-10-3-18/m-p/1647303/highligh...
https://community.netgear.com/t5/Orbi/RBK40-Download-Speed-Slows-Down-After-5-Days/m-p/1643475/highl...
https://community.netgear.com/t5/Orbi/Orbi-MR-2-1-Update-3-23-18/m-p/1548414/highlight/true#M27868
https://community.netgear.com/t5/Orbi/speed-slows-down-Orbi/m-p/1551822/highlight/true#M28289
https://community.netgear.com/t5/Orbi/Is-2-1-3-4-in-auto-update/m-p/1553979/highlight/true#M28616
https://community.netgear.com/t5/Orbi/Orbi-Satellite-RBS50-Not-Connecting-via-Ethernet/m-p/1556692/h...

 

I'll keep posted as I see fix. Thank you. 


@toe wrote:

Stop asking customers to do factory reset and other time wasting procedures that are not part of the instruction from Netgear themselves and hoping that it fixes something. Netgear should be the one doing the testing with new firmware releases to ensure integrity of previous configurations during upgrade. I think you might think that is helpful, but plenty of customers have wasted so many hours of their time doing unnecessary resets.

 


@FURRYe38 wrote:

Would need to try a factory reset and setup from scratch to see if this is something that changed in the new FW. Something NG will need to know.

 


 

Message 8 of 44
ploo
Guide

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

The fix mechanism is not the issue here. Any firmware update should not change the settings on the router such that it is then in an insecure state; in this case - a secure router with a password set on the guest network and the guest network turned off, was following the update, left with the guest network ON and not requiring a password.

The firmware update was successful, there was no indication that there were any issues. This shouldn't and must not happen when a firmware update is applied to a device.

Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 9 of 44
FURRYe38
Guru

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

This will have to be looked into by NG then. Nothing else we can do here in the forums and your work around seems to work for now. 

@Christian_R

@ChristineT

@AmitR

Message 10 of 44
ja6a
Star

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

I discovered this too. Also have the latest firmware. V2.2.1.210. I am upset by the idea of strangers logging on to my network and rummaging through my private data. I am really disappointed and my confidence in the Netgear brand has been severely shaken. How can such a critical bug have been allowed out in the wild? Wow! Treating their customers badly. The least this company can do is own up to it...

Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 11 of 44
offset
Aspirant

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

I use a spectrum analyzer every now and then to see if my wifi has any interference with neighbors, etc.

 

Noticed for a couple days that a very strong signal called 'NETGEAR-Guest' had the same signal strength as me and I thought it was a neighbor.

 

After walking around trying to find the signal I determined that it had to be in my house.

 

I thought something was weird, so I went to the mobile app and it showed as disabled.  In the mobile app, I enabled guest, hit save, then went and disabled guest and save and the guest ap then disappeared.

 

I wonder how many people out there have a guest signal open and don't even realize it, this seems very bad and I have no idea how this got enabled. 

Message 12 of 44
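Added example, not part of any post in this thread: a scan-based check for the condition reported above, where a guest SSID is broadcast open while the admin page shows it disabled. It parses Wi-Fi scan output and flags open networks that appear to come from your own mesh; the scan data is constructed, the input shape assumes `nmcli -t -f SSID,BSSID,SIGNAL,SECURITY device wifi list`, and the BSSID-adjacency rule and function names are assumptions of this example.

```python
import re

# Constructed sample shaped like the output of
#   nmcli -t -f SSID,BSSID,SIGNAL,SECURITY device wifi list
# (terse mode escapes ':' inside values as '\:'). All MACs are made up.
SAMPLE_SCAN = r"""
HomeNet:02\:11\:22\:33\:44\:50:92:WPA2
NETGEAR-Guest:06\:11\:22\:33\:44\:51:90:
HomeNet:02\:11\:22\:33\:55\:60:71:WPA2
ORBI-Guest:02\:11\:22\:33\:55\:62:70:--
CoffeeShop:0A\:AA\:BB\:CC\:DD\:01:35:
"""

WATCHED_SSIDS = {"NETGEAR-Guest", "ORBI-Guest"}  # names reported in this thread

def parse_scan(text):
    """Yield (ssid, bssid, signal, security) from terse nmcli output."""
    for line in text.strip().splitlines():
        parts = [p.replace("\\:", ":") for p in re.split(r"(?<!\\):", line)]
        if len(parts) != 4:
            continue  # skip lines that do not match the requested fields
        ssid, bssid, signal, security = parts
        yield ssid, bssid.upper(), int(signal), security

def near_own_radio(bssid, own_bssids):
    """Heuristic (assumption): virtual APs reuse the radio's middle octets."""
    mid = bssid.split(":")[1:5]
    return any(mid == own.upper().split(":")[1:5] for own in own_bssids)

def unexpected_open_networks(text, own_bssids):
    """Return open networks that look like they come from our own mesh."""
    findings = []
    for ssid, bssid, signal, security in parse_scan(text):
        if security not in ("", "--"):
            continue  # encrypted network, not the failure described here
        reasons = []
        if near_own_radio(bssid, own_bssids):
            reasons.append("BSSID adjacent to own radio")
        if ssid in WATCHED_SSIDS:
            reasons.append("default guest SSID")
        if reasons:
            findings.append((ssid, bssid, signal, reasons))
    return findings

if __name__ == "__main__":
    own = ["02:11:22:33:44:50", "02:11:22:33:55:60"]  # router + satellite
    for finding in unexpected_open_networks(SAMPLE_SCAN, own):
        print(finding)
```

Run the scan from a client near each satellite as well as the router, since several posters traced the open SSID to a satellite rather than the base unit.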
jblack68
Apprentice

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

Ahhh, same issue here and I didn't know about it until now. I had reloaded the firmware from scratch as well; massive security issue.

Message 13 of 44
ja6a
Star

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

I would like to publish this as a security incident. Not sure about that process... It would be good to get the wider community involved.
Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 14 of 44
User00
Star

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

I had a similar issue and it turned out the satellite was connecting via the backhaul and needed a firmware reset along with a forced sync to the base.  Certainly wasn't expecting that, but can imagine it's probably happening to a lot more folks who just expect to plug this up and not check all the settings.

 

Model: RBK22| Orbi AC2200 Tri-band WiFi System
Message 15 of 44
FURRYe38
Guru

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

So a factory reset fixed what you were seeing? 


@User00 wrote:

I had a similar issue and it turned out the satellite was connecting via the backhaul and needed a firmware reset along with a forced sync to the base.  Certainly wasn't expecting that, but can imagine it's probably happening to a lot more folks who just expect to plug this up and not check all the settings.

 


 

Message 16 of 44
st_shaw
Master

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)


@ja6a wrote:
I would like to publish this as a security incident. Not sure about that process... It would be good to get the wider community involved.

My system had this issue once.  Turns out the errant guest network was coming from one of the satellites.  A power-cycle resolved the issue.  It's a bug for sure, but it was not much of a security issue, because connecting to the guest SSID provided no IP address to the computer and no network access.

 

Message 17 of 44
User00
Star

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

What is strange is that the only thing that did sync after the satellite rebooted and came back online was the router password, unfortunately nothing else sync'd.

 

I can certainly confirm that if you have it setup and operational - then decide to change the wireless settings - the satellite will not automatically get those settings and will continue to broadcast the original wireless networks and passwords.  What's also frustrating is that you can't remotely reboot the satellite.  However, you can upload the firmware again and that will trigger the reboot.  I never got the Sync buttons to work unless the satellite was in factory default mode and right next to each other (even though the satellite shows up as connected via backhaul on the router's attached devices).

 

 

So for me - if I make a WiFi settings change (pw or SSID) - then it won't sync unless I reset the satellite to factory defaults - but the router password will.  In your case, maybe the satellite received an initial configuration with an open guest password before a password was set.  That would explain having the open network - which I recall having when I first set this up - but just chalked it up to initial setup issues and then did a factory reset after all the settings were completed in the base.

 

 

 

 

Model: RBK22| Orbi AC2200 Tri-band WiFi System
Message 18 of 44
User00
Star

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)


@st_shaw wrote:

It's a bug for sure, but it was not much of a security issue, because connecting to the guest SSID provided no IP address to the computer and no network access.

 


Well, if the satellite is connected via ethernet backhaul to the base - then it will allow those devices to connect and be handed off to the base for connectivity into the network.  If you look at the connected devices on the base - all of those devices from the satellite appear as wired (via the backhaul).

 

Message 19 of 44
st_shaw
Master

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)


@User00 wrote:

@st_shaw wrote:

It's a bug for sure, but it was not much of a security issue, because connecting to the guest SSID provided no IP address to the computer and no network access.

 


Well, if the satellite is connected via ethernet backhaul to the base - then it will allow those devices to connect and be handed off to the base for connectivity into the network.  If you look at the connected devices on the base - all of those devices from the satellite appear as wired (via the backhaul).

 


No. As I wrote, my computer did not receive an IP address from the rogue guest WiFi.  With no IP address my computer had no connectivity to the satellite (and thus no connectivity to any part of the network.)

Message 20 of 44
User00
Star

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

Then maybe our configs are different.
Are you in router or AP mode?
I'm in AP mode and not using orbi for dhcp. Remember, just because you didn't get an IP doesn't mean you didn't authenticate and were connected to the network. You could still statically assign yourself an IP and access the LAN.
Message 21 of 44
benstat
Tutor

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

Hi all,
Just wanted to add that I ran into this today too. I'd been adding a new Netgear modem/router (DM200), and configuring my Orbi wi-fi settings etc (although not for the guest network), when I noticed an unsecured ORBI-Guest network. I was shocked to discover that it was my Orbi, even though I had made no changes to the guest network settings whatsoever, and the checkbox was unchecked in the admin page! Enabling it then disabling it, and rebooting the Orbi (via the admin page) made no difference.

In the end I had to power off my satellite (RBS50), after which the guest network disappeared.
This is a major security flaw, and should be addressed as a matter of urgency by Netgear.

 

Edit: May be relevant that I'm in AP mode.

Model: RBR50| Orbi AC3000 Tri-band WiFi (Router Only), RBS50| Orbi AC3000 Tri-band WiFi (Satellite Only)
Message 22 of 44
FURRYe38
Guru

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

Message 23 of 44
Ajrocklin
Aspirant

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

This just happened to me tonight. I came home and was working on a CradlePoint and I noticed the Netgear-Guest network in my list. I click and attach to it and get an IP address. I'm then able to surf the internet. I pull up my port scanner and scan the subnet but I don't find anybody else. I wanted to know who had a wide open network so I did a reverse lookup and what do you know, it was my f-in IP address, blew me away! I went and checked the settings and sure enough it showed disabled while in fact it was enabled. I changed the guest network name and rebooted and it looks OK now, but this is a major security issue. I am running version 2.2.1.210 and have 1 satellite (likely not for much longer).
Message 24 of 44
MaximusPrime
Aspirant

Re: Orbi 2.2.1.210 firmware security issue (turns on guest network with no password)

Did you manage to get it published? This is indeed a pretty nasty security hole in the firmware and given that it's still the active firmware in use at this time, broader communication about it would definitely be a good idea.

Message 25 of 44