
New vulnerability discovered affecting Netgear routers

npchilds
Aspirant

New vulnerability discovered affecting Netgear routers

I have an N900 WNDR4500v2 Router running the most current version of firmware. Is it vulnerable to the cracks announced last week (approx. Dec. 8-9)? Thanks, NPC

Message 1 of 20

Accepted Solutions
mdgm-ntgr
NETGEAR Employee Retired

Re: New vulnerability discovered affecting Netgear routers

It's not listed as one of the known affected systems.

 

NETGEAR is aware of the security issue #582384 affecting R6250, R6400, R6700, R7000, R7100LG, R7300, R7900, R8000 routers. Stay updated here: http://kb.netgear.com/000036386/CVE-2016-582384

 

We now have beta firmware containing fixes for some affected models.

We're working hard on fixes for the other affected models and will update the security ticket above soon.



There's an easy check to see if you're affected which involves checking what you see when visiting a URL on your router.


Message 2 of 20

All Replies

Re: New vulnerability discovered affecting Netgear routers

Message 3 of 20
npchilds
Aspirant

Re: New vulnerability discovered affecting Netgear routers

Thanks!

Message 4 of 20
Drewbot
Tutor

Re: New vulnerability discovered affecting Netgear routers

Netgear was told about this vulnerability 4 MONTHS AGO and you are only acknowledging it now after the guy who found it went public.   This doesn't sound like you are working very hard to fix this security hole.  Are you expecting all your customers to stop using Netgear products or are you just not too worried about the botnet army you may be creating?

 

http://www.tomshardware.com/news/netgear-critical-security-vulnerability-router,33173.html

 

Just curious.  Unfortunately (for me) I just picked up an R7000 router after my N600 gave up the ghost.  I was very happy with it until reading this news...

 

Drewbot

Message 5 of 20
mdgm-ntgr
NETGEAR Employee Retired

Re: New vulnerability discovered affecting Netgear routers

As our investigation continues we will have further updates to our security advisory. Thank you for your patience.

Message 6 of 20
mdgm-ntgr
NETGEAR Employee Retired

Re: New vulnerability discovered affecting Netgear routers

The Security Advisory has been updated with more information and beta firmware for some affected models.

Message 7 of 20
robert98790
Aspirant

Re: New vulnerability discovered affecting Netgear routers

How about the R6300 wifi router? Is it or is it not vulnerable???

Message 8 of 20

Re: New vulnerability discovered affecting Netgear routers

Read Netgear's list of affected devices (See links in previous message.)

 

Or run the vulnerability tests yourself.

Message 9 of 20

Re: New vulnerability discovered affecting Netgear routers

Message 10 of 20
parac
Aspirant

Re: New vulnerability discovered affecting Netgear routers

I am using an R6400 I got during a beta test a while ago. Can I update it with this firmware and other production firmware versions in general?

Message 11 of 20
mdgm-ntgr
NETGEAR Employee Retired

Re: New vulnerability discovered affecting Netgear routers


@parac wrote:

I am using an R6400 I got during a beta test a while ago. Can I update it with this firmware and other production firmware versions in general?


Yes, I'm running the latest beta firmware for the R7000 on my beta R7000 unit. So you should be able to run the latest beta firmware for the R6400 on your beta R6400 unit.

Note though that beta test units may not work with 3rd party firmware as 3rd party firmware is typically not tested on beta test units. So I would stick with NETGEAR firmware on beta test units.

Message 12 of 20
Network_Guy_2
Initiate

Re: New vulnerability discovered affecting Netgear routers

Hi, I'm using a Netgear Nighthawk X4S (R7800) with the LATEST V1.0.2.12 firmware, and have been reading about this serious security vulnerability.  When I execute the command:

 

http://[router-address]/cgi-bin/;uname$IFS-a

 

or

 

http://[router-address]/cgi-bin/;ls

 

or 

 

http://[router-address]/cgi-bin/;killall$IFS’httpd’

 

 

with my router's IP address properly inserted, the router ALWAYS returns a single "0" character (without the quotes).  It is therefore NOT responding to the Linux/UNIX command injection via the web browser URL.  Is my router vulnerable?  Again, I am using the R7800 with the latest V1.0.2.12 firmware, and it is returning a "0" to ALL the above commands in the browser, instead of executing the command.  Some information on the Internet indicates that the R7800 IS vulnerable, but Netgear doesn't indicate it is.  However, my opinion is NO, because it gives me a "0" response to all my command injection attempts.

Message 13 of 20
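
For readers who want to spot requests of the shape quoted in the post above in their own logs, the following is an added example; it is not part of the original thread and is not NETGEAR code. It assumes an HTTP access log in common log format from a proxy or similar device in front of the router's web interface; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not taken from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Dec/2016:10:01:02 +0000] "GET /cgi-bin/;uname$IFS-a HTTP/1.1" 200 1
192.0.2.10 - - [12/Dec/2016:10:01:09 +0000] "GET /cgi-bin/%3Bls HTTP/1.1" 200 1
192.0.2.22 - - [12/Dec/2016:10:02:00 +0000] "GET /cgi-bin/status.cgi?x=1 HTTP/1.1" 200 512
192.0.2.22 - - [12/Dec/2016:10:02:05 +0000] "GET /index.htm;jsessionid=ab12 HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# A shell separator directly after /cgi-bin/ is the shape of the test URLs quoted above.
INJECT_RE = re.compile(r'/cgi-bin/;(?P<cmd>[^?#]*)', re.IGNORECASE)


def decode_target(target, rounds=2):
    """Percent-decode up to `rounds` times so %3B and %253B both surface as ';'."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_cgi_injection(log_text):
    """Return one record per request whose path has ';' right after /cgi-bin/."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        hit = INJECT_RE.search(decode_target(m.group("target")))
        if hit:
            # $IFS / ${IFS} stand in for the space a URL path cannot carry raw.
            cmd = re.sub(r'\$\{?IFS\}?', ' ', hit.group("cmd")).strip()
            hits.append({"src": m.group("src"),
                         "status": int(m.group("status")),
                         "command": cmd})
    return hits


if __name__ == "__main__":
    for h in find_cgi_injection(SAMPLE_LOG):
        print(h)
```
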
ElaineM
NETGEAR Employee Retired

Re: New vulnerability discovered affecting Netgear routers

@Network_Guy_2

 

R7800 is not included in the list.

 

Security Advisory for VU 582384

Message 14 of 20
Network_Guy_2
Initiate

Re: New vulnerability discovered affecting Netgear routers

ElaineM: I read that security advisory already.  It is a little vague, which is why I asked my question.  Please note the text:

 

"NETGEAR has tested the following products and confirmed that they are vulnerable"

 

My product is NOT in the list, but that COULD mean that NETGEAR hasn't tested it and/or confirmed its vulnerability for this security flaw.  What it sounds like you are saying is that:

 

Netgear HAS tested and CONFIRMED that the Netgear R7800 router with the current firmware I am using is NOT vulnerable.  Is that correct?  I don't want any ambiguity here.

Message 15 of 20

Re: New vulnerability discovered affecting Netgear routers

A list of "not vulnerable" hardware has problems. It could swamp the roster of at-risk devices. It could prove a hostage to fortune if someone later discovered an issue. Oh, and then there's the problem that compiling a list takes time that is best given over to fixing broken devices.

 

It is pretty easy to test a device for this vulnerability. It was a fellow user who uncovered, and posted here, the vulnerability of the D6400 before Netgear acknowledged it.

 

You have already done this yourself. Don't you trust your own tests?

 

Another way to deal with your request, and to reassure those who don't have the skills needed to run that test, would be to "crowd source" this list and to create a discussion here that brings together the results.

 

Would that work for you?

Message 16 of 20
mdgm-ntgr
NETGEAR Employee Retired

Re: New vulnerability discovered affecting Netgear routers


@Network_Guy_2 wrote:

I don't want any ambiguity here.


We will make further updates to our Security Advisory as our investigation continues to progress.

Message 17 of 20
Drewbot
Tutor

Re: New vulnerability discovered affecting Netgear routers

I don't really understand the problem here - as Netgear tests each device, it can indicate that it is vulnerable or not vulnerable to this specific exploit on firmware version X (or X, Y, Z, ...).  It has to test these devices anyway or it's seriously neglecting its duty to users.

 

If the devices that are not vulnerable would swamp the list of devices that are vulnerable, then create two lists - users can check the vulnerable list and then, if their device is not found there, check the not vulnerable to this exploit on current firmware.  If they aren't running current firmware, they know what version to update to (and linked instructions would be useful).  And if the device is not on the 'not vulnerable' list, then it would be obvious that it hasn't been tested yet.

 

I agree with the proposition that users should be able to come and find out:

a) their device is vulnerable

b) their device is NOT vulnerable (on current firmware version x)

c) their device has not been tested yet

 

-drewbot

Message 18 of 20
Drewbot
Tutor

Re: New vulnerability discovered affecting Netgear routers

Oh - and devices that get updated firmware to close the vulnerability can get moved to the 'not vulnerable on firmware X' list!

 

Netgear - thanks for pushing the firmware update for the R7000 into production status already! I've updated so hope that I'm now in the clear with my AC1900...

Message 19 of 20
mdgm-ntgr
NETGEAR Employee Retired

Re: New vulnerability discovered affecting Netgear routers

Thanks for the suggestions but I think the amount of information provided already is sufficient.

 

We recommend running the latest firmware to get the latest new features, bug fixes, security fixes and other enhancements.

 

Our testing to see which devices were affected was done against the latest firmware at the time of testing.

Message 20 of 20