Re: Avast Vulnerability Catalogue ID CVE-2017-14491 for the Nighthawk R7000 ac1900 dualband wifi rou

Hi Megarock,

You can report it via proper channel.

https://www.netgear.com/about/security/default.aspx

@JamesGL ... if Netgear would have a security officer in charge monitoring the vulberability report resources and update all the Open SOurce in time on all products still maintained we would not have to file anything. This issue in dnsmasq was fixed half a year ago ... but never made it to any Netgear device. Make this sleeping business unit run now!

          Netgear needs to fix it ,, thanks , i hope they see this

Hi schumaku,

NETGEAR is working on any reported vulnerability issue. 

Hi Megarock,

Please submit it here.

https://www.netgear.com/about/security/default.aspx

             Sorry, i went to the link on that site you gave me and i could not figure out how and what to do with it.

---

@JamesGLwrote:

NETGEAR is working on any reported vulnerability issue. 

 

---

We expect Netgear does update Open Source packets on these product on a regaular base, and not wait unil vulnerability reports are in the public (dnsmasq was updated almost half a year ago to address this vulnerability!!!), or 3rd party applications complain about features soon no longer supported (see all the OpenVPN warnings, current OpenSSL and updating the certificates would have saved virtually hundreds pf posts). Proactively handling - not sleeping. It's simply ignorant and leave a very bad impression on the Netgear brand.

Hi Megarock,

You can click on submit report on the link below.

https://bugcrowd.com/netgear

---

@JamesGLwrote:

You can click on submit report on the link below. 

Can't be Netgear customers having to file well known and published vulnerabilities every reasonable commercial, (even free!) vulnerability test tools does complain (some for a longer time). Something is badly wrong in the way these products firmware is audited, regularly reviewed, and security updated. 

---

@JamesGL wrote:

 

Hi Megarock,

 

You can click on submit report on the link below.

 

https://bugcrowd.com/netgear

---

@JamesGL I have a D6400 router and have the same vulnerabity message (CVE-2017-14491) from Avast. When I go to the link you directed my model doesn't even come up. I bought it less than 2 years ago and the warranty runs out later this year. Where do I go to find out how or if netgear have addressed this vulnerabity for my router?

NETGEAR should get off this habit of using antique versions of their important toolchains and upgrade them to modern versions. dnsmasq version on NETGEAR routers is 2.39, which was released in 2007, which is 11 YEARS AGO, and widely known to have various (security) issues. wide-dhcpv6 is NO LONGER DEVELOPED FOR YEARS and is not up to current IPv6, sometimes not working at all with some configurations - I am living proof of that as I have Linux systems that don't work well with its dhcp6s server

But since this is NETGEAR and it does what it wants, and it took it YEARS to finally stop blocking ICMPv6 packets and this only on certain router models/firmware, I have very little hopes that any change will come. They're thick-headed-think-they-know-better while the competition is miles ahead (looks at ASUS)

A real, real SHAME. Because I happen to like NETGEAR hardware

Hi,

Also having the DNS issue - port 53 - CVE-2017-14491 Vulnerablity. I did the nslookup and found my dnsmasq at 2.75. Avast says I'm in danger. 

Thanks

---

@Squair wrote:

Hi,

Also having the DNS issue - port 53 - CVE-2017-14491 Vulnerablity. I did the nslookup and found my dnsmasq at 2.75. Avast says I'm in danger. 

---

R6900P?
Firmware version?

If there is a 2.75 in place it's not updated, and Avast is right ...

dnsmasq starting from 2.78 is not vulnerable to CVE-2017-14491. Only CVE-2017-15107 (plus some other security enhancements) apply and  are fixed in 2.79 FMI: http://www.thekelleys.org.uk/dnsmasq/CHANGELOG

 @ChristineT please - all firmware require an update to dnsmasq 2.79 (or newer) - the current 2.78 is no longer sufficient. And the default config should remove the non-documented and unsupported config option to query all DNS, too. Why does that all take that long?

Mine is 2.62 how do i upgrade?

My FW is v1.3.1.26_10.1.3 (no update available)

App= NIGHTHAWK 2.1.3.325

Why the Avast error? We are hearing the FBI tell us to reset our routers! 

Have a good day. Thanks.

---

@Squair wrote:

My FW is v1.3.1.26_10.1.3 (no update available) Why the Avast error?  

 

---

Because Avast does report a potential vulnerability/vulnerabilities which exist in the dnsmasq code on this old firmware. Because of Netgear was (and is to some extent) still lazy updating components in time and taking much more time to release firmware for all Netgear models.

@Squair wrote:

 

We are hearing the FBI tell us to reset our routers!  

Well, here we have even less information from Netgear. The information from Netgear available is very vague. Can't tell you more but that other vendors which were notified have updated their code in time early June 2017 already (and have supplied removal processes for effectively affected devices). 

No idea on how long this will take for your router model.

@PaddyO wrote:

Mine is 2.62 how do i upgrade?

R8000 - there is a firmware update available for a few days R8000 Firmware Version 1.0.4.18 - check the R8000 Support Downloads for later updates.

Thanks for the R8000 update news, but I'm R6900P (Costco). I hope that Netgear will update the firmware to resolve the AVAST Vulnerability Catalogue ID CVE-2017-1449. I'm waiting for the next update.

Hi Squair, 

Please check the link below to report vulnerabilities for your R6900P router.

https://www.netgear.com/about/security/default.aspx

Regards,

Blanca 
Community Team

---

@Blanca_O wrote:

 

Please check the link below to report vulnerabilities for your R6900P router.

---

This should not be required - keeping all Open Source current resp. update in time when vulnerabilities are discovered (such as on dnsmasq here more than a half year ago!) so consumer grade vulnerbility tests would never trigger any of these. All routers making use of dnsmasq must be upgrded to dnsmasq 2.79 (or newer). Netgear must become much more pro-active in monitoring the vulnerability repositories and take actions in time. It's a Netgear job, not a customer task! 

Well until they fix it. I had to move to a Linksys 32x ac3200 gaming router. Sad its not fixed yet , i dont have the problem with this linksys router. Soon as they fix it i will go back to my netgear router i just like my netgear.

I have Avast telling me the same issue. 

Router has firmware vs V1.0.9.28_10.2.32

dnsmasq-2.14-OpenDNS-1

Has this been fixed yet?

Hi RAJackson097, 

Thank you bringing this up. Please check the link below to report vulnerabilities. https://www.netgear.com/about/security/default.aspx

Regards, 
Blanca 
Community Team

I did the version check after updating to firmware version V1.0.9.32_10.2.34. 

Here is the check:

C:\Users\Robert>nslookup -type=txt -class=chaos version.bind 10.10.10.1
Server: UnKnown
Address: 10.10.10.1

version.bind text =

"dnsmasq-2.15-OpenDNS-1"

C:\Users\Robert>

Avast still calls this out as vulnerable to CVE-2017-14491.

---

@Case850 wrote:

Sounds reasonable because as per message 4, anything prior to V 2.78 has been indentified with vulnerabilities.

---

Question is when is Netgear going to fix it? They have known about this issue for some time.

---

@RAJackson097 wrote:

---

@Case850 wrote:

Sounds reasonable because as per message 4, anything prior to V 2.78 has been indentified with vulnerabilities.

---

Question is when is Netgear going to fix it? They have known about this issue for some time.

---

Netgear does not systematically monitor and update Open Source code on products under maintenance. And of course it's not about the Netgear customers reporting common known vulnerabilities to their security site (waste of time for everyone). Even worse, some community managers try to convince customers that the vulnerability does not apply or can't be (ab-)used.