This topic has been marked solved and closed to new posts due to inactivity. We hope you'll join the conversation by posting to an open topic or starting a new one.
New vulnerability discovered affecting Netgear routers
I have an N900 WNDR4500v2 Router running the most current version of firmware. Is it vulnerable to the cracks announced last week (approx. Dec. 8-9)? Thanks, NPC
Re: New vulnerability discovered affecting Netgear routers
Netgear was told about this vulnerability 4 MONTHS AGO and you are only acknowledging it now after the guy who found it went public. This doesn't sound like you are working very hard to fix this security hole. Are you expecting all your customers to stop using Netgear products or are you just not too worried about the botnet army you may be creating?
Just curious. Unfortunately (for me) I just picked up an R7000 router after my N600 gave up the ghost. I was very happy with it until reading this news...
I am using an R6400 I got during a beta test a while ago. Can I update it with this firmware and other production firmware versions in general?
Yes, I'm running the latest beta firmware for the R7000 on my beta R7000 unit. So you should be able to run the latest beta firmware for the R6400 on your beta R6400 unit.
Note though that beta test units may not work with 3rd party firmware as 3rd party firmware is typically not tested on beta test units. So I would stick with NETGEAR firmware on beta test units.
Re: New vulnerability discovered affecting Netgear routers
Hi I'm using a Netgear Nighthawk X4S (R7800) with the LATEST V1.0.2.12 firmware, and have been reading about this serious security vulnerability. When I execute the command:
with my router's IP address properly inserted, the router ALWAYS returns a single "0" character (without the quotes). It is therefore NOT responding to the Linux/UNIX command injection via the web browser URL. Is my router vulnerable? Again, I am using the R7800 with the latest V1.0.2.12 firmware, and it is returning a "0" to ALL the above commands in the browser, instead of executing the command. Some information on the Internet indicates that the R7800 IS vulnerable, but Netgear doesn't indicate it is. However, my opinion is NO, because it gives me a "0" response to all my command injection attempts.
Re: New vulnerability discovered affecting Netgear routers
ElaineM: I read that security advisory already. It is a little vague, which is why I asked my question. Please note the text:
"NETGEAR has tested the following products and confirmed that they are vulnerable"
My product is NOT in the list, but that COULD mean that NETGEAR hasn't tested it and/or confirmed its vulnerablity for this security flaw. What it sounds like you are saying is that:
Netgear HAS tested and CONFIRMED that the Netgear R7800 router with the current firmware I am using is NOT vulnerable. Is that correct? I don't want any ambiguity here.
Re: New vulnerability discovered affecting Netgear routers
A list of "not vulnerable" hardware has problems. It could swamp the roster of at-risk devices. It could prove a hostage to fortune if someone later discovered an issue. Oh, and then there's the problem that compiling a list takes time that is best given over to fixing broken devices.
It is pretty easy to test a device for this vulnerability. It was a fellow user who uncovered, and posted here, the vulnerability of the D6400 before Netgear acknowledged it.
You have already done this yourself. Don't you trust your own tests?
Another way to deal with your request, and to reassure those who don't have the skills needed to run that test, would be to "crowd source" this list and to create a discussion here that brings together the results.
Re: New vulnerability discovered affecting Netgear routers
I don't really understand the problem here - as Netgear tests each device, it can indicate that it is vulnerable or not vulnerable to this specific exploit on firmware version X (or X, Y, Z, ...). It has to test these devices anyway or it's seriously neglecting its duty to users.
If the devices that are not vulnerable would swamp the list of devices that are vulnerable, then create two lists - users can check the vulnerable list and then, if their device is not found there, check the not vulnerable to this exploit on current firmware. if they aren't running current firmware, they know what version to update to (and linked instructions would be useful). and if the device is not on the 'not vulnerable' list, then it would be obvious that it hasn't been tested yet.
i agree with the proposition that users should be able to come and find out:
a) their device is vulnerable
b) their device is NOT vulnerable (on current firmware version x)
Re: New vulnerability discovered affecting Netgear routers
oh - and devices that get updated firmware to close the vulnerability can get moved to the 'not vulnerable on firmware X' list!
netgear - thanks for pushing the firmware update for the R7000 into production status already! i've updated so hope that I'm now in the clear with my AC1900...
