3v3ntH0riz0n
Dec 09, 2016, Apprentice
NETGEAR Routers and CVE-2016-582384 security vulnerability
I am a bit concerned about this recent article: http://www.zdnet.com/article/two-netgear-routers-are-vulnerable-to-trivial-to-remote-hack/ https://www.kb.cert.org/vuls/id/582384 Details: Overview Net...
mdgm-ntgr
Dec 12, 2016, NETGEAR Employee Retired
The point I was trying to make was that the comment suggesting stopping using the devices was not made by NETGEAR and only that. I wanted to clarify that as a post suggested it was.
mdgm-ntgr
Dec 12, 2016, NETGEAR Employee Retired
NETGEAR is aware of the security issue #582384 affecting R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, D6400 routers. Stay updated here: http://kb.netgear.com/000036386/CVE-2016-582384
We now have beta firmware containing fixes for some affected models.
We're working hard on fixes for the other affected models and will update the security ticket above soon.
**** UPDATE from NETGEAR - Added by ChristineT on 12/15/16 at 10:30 AM PST ****
To our NETGEAR Community, we sincerely apologize for any complications you may have encountered due to the recently publicized vulnerability, referred to as VU 582384. We initially became aware of this vulnerability last Friday when CERT emailed us, and because we had no record of a prior report, we began our standard process of validation prior to making any public statements.
Once it had been disclosed that the first notification actually occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part. While no security reporting system is perfect, we aim to do better, and are evaluating how to improve our response process.
NETGEAR has created a channel for security researchers and other members of the public to contact us regarding potential security issues affecting NETGEAR products (security@netgear.com), which is publicly disclosed from the NETGEAR Product Security Advisory page. We receive numerous emails through this channel, the overwhelming majority of which, on review, do not raise product security issues. When we do recognize that there is a security risk to our customers, we work diligently to address them in a timely manner, as we have done in this case since learning about it last Friday.
Security Advisory for VU 582384 knowledgebase article.
NETGEAR Product Security Advisory page.
- pjsand, Dec 30, 2016, Aspirant
I just attempted to complete the security fix for VU 582384. Following the instructions after downloading the zip file. I then logged into the router. However, working through the ADVANCED TAB then the ADMINISTRATION I was not able to locate FIRMWARE UPGRADE. There was NO choice for FIRMWARE UPGRADE.
Has anyone else encountered this issue and if so how did you proceed to upload the security fix?
- michaelkenward, Dec 30, 2016, Guru
pjsand wrote: Following the instructions after downloading the zip file.
Did you unzip the zip file?
You don't say which device you want to flash, but most of the firmware is now officially released. So you should be able to tell the modem/router to go get it without having to retrieve the file.
Sorry, I can't be more precise than that because I don't know what hardware you need to update.
Remember, not all Netgear devices are vulnerable to this security hole.
If you find the manual on the support site it will also have the instructions you need.
- pjsand, Dec 30, 2016, Aspirant
That's what was missing in their instructions. Once I unzipped the file I could complete the fix. Thanks for your quick response.
- Dougaloo, Dec 22, 2016, Aspirant
So, after getting the (late) alert from Netgear, I immediately tried to log in to my router, but the site was blocked. After doing a hard reset at the router, I was able to get to the site, but only after bumping out "another user" who was logged in to the router. I'm thinking this was a bad actor who had access to my network. True?
To Netgear: the fact that you didn't prevent this vulnerability, compounded by your slow response, is unacceptable. This is not just a firmware hiccup. My entire network, including all of the devices that access it, and all of my passwords, may have been breached.
- michaelkenward, Dec 22, 2016, Guru
Dougaloo wrote: So, after getting the (late) alert from Netgear, I immediately tried to log in to my router, but the site was blocked. After doing a hard reset at the router, I was able to get to the site, but only after bumping out "another user" who was logged in to the router. I'm thinking this was a bad actor who had access to my network. True?
You aren't the first person to think that logging into your router takes you to a Netgear site. There is no "site", nor is there another user. That was you.
When you login to the router, you go to the local browser based interface for your hardware. You can do that even if you are not connected to the Internet. Indeed, you have to get in there before you have an Internet connection so that you can set up your hardware to get connected.
So, you can be pretty sure that there is no "bad actor" wreaking havoc on your network. Just you logged in twice.
For all the flap about this nasty "back door" issue, I haven't seen any reports here of anyone exploiting this feature. Netgear rushed out fixes within a week or so of the news going public.
- Dougaloo, Dec 23, 2016, Aspirant
Michael, thanks for your reply and clarification. Actually, I used the word "site" incorrectly. I know that when I try to log into my Netgear console, I'm not going to a site, but instead I am logging in through a local network browser.
Still, I was concerned when, after doing a reset at the router, when I tried to log in to the console, I got a warning that someone else was logged in. I've done resets before and never have seen this message before, so that's what concerned me. Another cause for concern was that I did have my Remote Management option checked prior to receiving the message from Netgear. I've now disabled that, as I don't really need remote access anymore.
As for Netgear rushing out fixes, c'mon, they knew since August! But I'm hoping you're right, and despite this vulnerability, that the breach wasn't exploited by hackers.
Thanks to you and the Netgear community for your helpful support.
- NotHome, Dec 20, 2016, Aspirant
:smileyfrustrated: I own two of these units, and didn't hear anything about this until I read about it on Kim Komando, along with the link for the update fix. (Hopefully) Security communications has got to be better than this!
- michaelkenward, Dec 20, 2016, Guru
NotHome wrote: :smileyfrustrated: I own two of these units, and didn't hear anything about this until I read about it on Kim Komando, along with the link for the update fix.
Two of what units? The subject here is wrong and some reports turned out to be false alarms.
You must have missed out on, or failed to register for, the email updates that brought many people here. It has also been all over the interwebs, as you will see from the length, and age, of this discussion.
- NotHome, Dec 24, 2016, Aspirant
Talking about the routers R7000. I don't subscribe to every chat board for every piece of electronics I buy but my units are registered, so I would have hoped to receive some kind of notice from Netgear. I just heard about this being a problem.
- BoyceRensberger, Dec 19, 2016, Aspirant
I was unable to follow the published instructions for updating the firmware on my R6250. But I did use the Netgear Genie to update the firmware. Much simpler.
My question is: Does the Netgear Genie update to V1.0.4.6_10.1.12 contain the fixes needed?
- michaelkenward, Dec 20, 2016, Guru
Hello there Boyce.
The only ones that will show up with the genie are "factory releases". Those still in beta won't be there.
If you look at the advisory:
Security Advisory for VU 582384, PSV-2016-0245 | Answer | NETGEAR Support
It says that "All products followed by three asterisks (***) have production firmware fixes available."
The R6250 is one of those.
For more details, put your model into the support system:
This will throw up the support pages for your device
R6250 | Product | Support | NETGEAR
where you can click through to a page of firmware and software updates. That will list all the available releases in all their glory. That too shows that you are up to date. Christmas has come early for you.
- BoyceRensberger, Dec 20, 2016, Aspirant
On second reading, it seems that you are telling me that the Genie found the requisite update and installed it. Is that right? Is the fix already in this "factory release"?
- RELamb, Dec 18, 2016, Aspirant
Need some direction here -I downloaded the firmware update (R7000-v1.0.7.6_1.1.99.chk) due to email I received about the latest Netgear vulnerability and I've been in download mode for over 2 hours now (says it will only take about 2 minutes). This download/update doesn't seem like it is/will happen so if I just closed my browser or logged off will that mess up my router and/or connections as I wonder if anything was actually installed since there was no reboot? Please advise as to what options I really have left. Thank you.
- Stealth57, Dec 18, 2016, Aspirant
I have the same sort of issue on the R6900 and closing the browser and logging in from another machine didn't affect anything as the update never actually starts the overwrite. I think it gets stuck after uploading the new firmware file and before it actually starts to overwrite files.
- Stealth57, Dec 19, 2016, Aspirant
UPDATE: I tried the update from my Windows 7 laptop using WiFi and the process completed very quickly. I did NOT lose any of my custom settings for SSID or passwords. I guess a Mac can't handle something in the transfer.
- michaelkenward, Dec 18, 2016, Guru
RELamb wrote: Need some direction here -I downloaded the firmware update (R7000-v1.0.7.6_1.1.99.chk) due to email I received about the latest Netgear vulnerability and I've been in download mode for over 2 hours now (says it will only take about 2 minutes).
This confuses me.
Do you mean you have the file you need somewhere on your PC or is it still trying to get the file?
Or do you mean that you have file and it is hanging when you try to upload it to the router?
It really should take next to no time to get the chk file.
The steps needed to flash the firmware appear in various messages above this one. For example:
There are more, but these should get you started.
- RELamb, Dec 18, 2016, Aspirant
I do have the file, but it is hanging when trying to upload to the router.
- JMNB, Dec 17, 2016, Aspirant
I tried to follow the instructions but they are so arcane as to be useless unless you are a tech geek, and I am not. It really bothers me that Netgear assumes customers are familiar with technical IT terminology and processes. It would be helpful if, before releasing instructions, your support team finds a person who is NOT a tech geek and ask them if they understand the instructions.
As it stands, I am unable to complete the instructions to upgrade the firmware to fix the security issue. Since Netgear has offered a "fix" that is not understandable by the general public consumer, they will be liable for any lawsuits arising from security breaches. I know I will be first in line in the courts if it happens.
- michaelkenward, Dec 17, 2016, Guru
JMNB wrote: It would be helpful if, before releasing instructions, your support team finds a person who is NOT a tech geek and ask them if they understand the instructions.
I'm no geek, but I admit that it can take a bit of effort to work out what to do, but once done you will find that it is really easy.
You haven't told us where you get stuck, or what hardware you want to fix, so we'll have to start from the beginning.
The first thing to do is to consult the manual for your device. (Look for a section called Upgrade the Router/Modem Firmware.) Then check that the following steps, which should work for most hardware, apply to you.
- Download the firmware for your device
- Launch a web browser from a computer or wireless device (preferably a computer) that is connected to the network.
- Type http://www.routerlogin.net or http://www.routerlogin.com.
  You should see a login screen.
- Enter the user name and password.
  The user name is admin. The default password is password. (These are case-sensitive.)
  The BASIC Home screen displays.
- Navigate to ADVANCED > Administration > Firmware Upgrade.
  You should see the Firmware Upgrade screen.
- Click the Browse button.
- Find and select the saved firmware on your computer.
- Wait for the thing to reboot and away you go.
If you get stuck in the process, make a note of where, and any messages you see, and come back with some clues that people can use to guide you through the obstacles.
- IrvSp, Dec 17, 2016, Master
JMNB wrote: I tried to follow the instructions but they are so arcane as to be useless unless you are a tech geek, and I am not. It really bothers me that Netgear assumes customers are familiar with technical IT terminology and processes. It would be helpful if, before releasing instructions, your support team finds a person who is NOT a tech geek and ask them if they understand the instructions.
As it stands, I am unable to complete the instructions to upgrade the firmware to fix the security issue. Since Netgear has offered a "fix" that is not understandable by the general public consumer, they will be liable for any lawsuits arising from security breaches. I know I will be first in line in the courts if it happens.
Those instructions I believe worked for a lot of people. Why not POST what steps you tried and we'll try to steer you in the right direction. It is not hard.
First thing to try is to see if the Router will do the Update for you. Did you get to the Router page that had CHECK FOR UPDATE on it? If so did you use that button and what happened?
Next would be the D/L, it is a ZIP file. Is that what stumped you or did you get that down and unZip it? Then did you get to the router page where you can browse to find that .CHK file after you unZipped the file? Did that give you a problem?
Post what you did or what stumped you, we can help.
- michaelkenward, Dec 17, 2016, Guru
IrvSp wrote: First thing to try is to see if the Router will do the Update for you. Did you get to the Router page that had CHECK FOR UPDATE on it? If so did you use that button and what happened?
You won't usually see that option for beta firmware. That's what most of the upgrades are at this stage.
- Rlevinson, Dec 16, 2016, Aspirant
I remain concerned about the security of my r8500 router. From what I can tell it is vulnerable to the VU#582384 (arbitrary command injection) vulnerability. But Netgear does not acknowledge the problem even though it lists other routers as being subject to the same vulnerability.
After following the test provided in the Bas post ( http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/ ) I determined that my Netgear r8500 router is subject to the CERT VU#582384 vulnerability. This is despite the fact that the Netgear page that lists what Netgear claims are the affected routers does not include the r8500. See http://kb.netgear.com/000036386/CVE-2016-582384.
Moreover, there are posts on this Netgear Community site, apparently blessed by Netgear personnel, suggesting that this router is not subject to this vulnerability. See message from "Netgear Moderator mdgm" at http://community.netgear.com/t5/Nighthawk-WiFi-Routers/Is-R8500-affected-by-new-vulnerability/m-p/1188233#M44622. Unless the Bas test is faulty (and there is no reason to believe so), this appears to be false. Does this "Netgear moderator" work for Netgear? If a Netgear representative has implied that the r8500 isn't affected by the vulnerability when actually it is (he/she said "I believe it isn't affected. It isn't on the list ...") this could cause users that rely on this guidance to be harmed, because r8500 users that rely on the advice by the Netgear moderator could be victimized by hackers that exploit the vulnerability.
I do not understand why Netgear has failed to acknowledge this issue (or to take steps to rectify it) on the r8500. Has Netgear tested this router for this vulnerability? Does Netgear dispute that the problem exists with the r8500? Does Netgear dispute the Bas methodology for exposing the vulnerability? The fact that the CMU Vulnerability Notes Database does not list the r8500 (see https://www.kb.cert.org/vuls/id/582384) does not explain this. While it is hard to tell, it looks like the CMU group relied on Netgear's list of affected routers.
Most importantly -- When will there be a firmware upgrade to rectify this situation on the r8500 router? I spent more than $400 on this router, and am beginning to regret that decision.
Bob
- netgearguy, Dec 16, 2016, Apprentice
I've applied the update.
Is there any way to determine if you were hacked via this exploit?
Telltale info in logs, etc.? Thanks.
- michaelkenward, Dec 16, 2016, Guru
netgearguy wrote: Is there any way to determine if you were hacked via this exploit?
Good question.
I have a bigger one.
Is there evidence that anyone has been hacked by this exploit? Or is it a theoretical one that Netgear has now nipped in the bud?
- alokeprasad, Dec 14, 2016, Mentor
mdgm wrote:
NETGEAR is aware of the security issue #582384 affecting R6250, R6400, R6700, R7000, R7100LG, R7300, R7900, R8000 routers. Stay updated here: http://kb.netgear.com/000036386/CVE-2016-582384
Please "pin" above link to the top of the page on home routers https://community.netgear.com/t5/WiFi-Routers/ct-p/home-wifi-routers
This should be prominently listed on the top of every thread pertaining to the affected devices.
- michaelkenward, Dec 14, 2016, Guru
The list has been updated to include more models, including the D6400.
- timetorebel, Dec 12, 2016, Star
mdgm wrote:
NETGEAR is aware of the security issue #582384 affecting R6400, R7000, R8000 routers. Stay updated here: http://kb.netgear.com/000036386/CVE-2016-582384
We're working hard for a fix and will update the security ticket above soon.
Ok am I dense? Why is this green checked as solved? Acknowledging there is a problem is not a solution in itself. Kinda misleading doncha think?
- 3v3ntH0riz0n, Dec 13, 2016, Apprentice
timetorebel wrote:
mdgm wrote:
NETGEAR is aware of the security issue #582384 affecting R6400, R7000, R8000 routers. Stay updated here: http://kb.netgear.com/000036386/CVE-2016-582384
We're working hard for a fix and will update the security ticket above soon.
Ok am I dense? Why is this green checked as solved? Acknowledging there is a problem is not a solution in itself. Kinda misleading doncha think?
I saw that too. No idea, because it is not resolved. Maybe they are worried that people will not be buying these routers for Xmas?
- mdgm-ntgr, Dec 13, 2016, NETGEAR Employee Retired
I think that was probably marked as the solution by a colleague so that users could quickly find the advisory to follow to keep updated on the issue.
As our investigation continues we will have further updates to our security advisory. Thank you for your patience.
We have an email dedicated for security concerns e.g. reporting security issues. It's mentioned in the security advisory and also on the Security Advisory section of our website: http://www.netgear.com/about/security/
- Rauder, Dec 12, 2016, Tutor
According to all threat assessment sources, Netgear was made aware of the vulnerability in August but chose to ignore the cyber security community which is why the issue was never resolved any sooner. We should hope they will act more promptly in the future. Nighthawk routers aren't cheap - they are future-proof investments.
- timetorebel, Dec 13, 2016, Star
Rauder wrote: According to all threat assessment sources, Netgear was made aware of the vulnerability in August but chose to ignore the cyber security community which is why the issue was never resolved any sooner. We should hope they will act more promptly in the future. Nighthawk routers aren't cheap - they are future-proof investments.
I've really gotta be cynical about this response lag. On a post on another thread I said Netgear needs to be more proactive than reactive as in auditing its own code and revamping firmware deployment model such as making it more modular so people could apply package and kernel updates as in desktop applications of Linux. Oh and do something about the user interface. Ancient kernels and applications are bad enough but the UI is apparently also a weak link in the chain. And so much for the keeping remote management off "panacea" since a bad ad might exploit your browser to topple the router from inside the network. Nice.
But if there was that long of a response lag between when Acew0rm tried notifying Netgear and the vulnerability made public I don't think the term "reactive" is appropriate. Head in sand might be better. It's about PR and pleasing ....wait for it... investors.
The saddest part is that those of us who know about the problem(s) with Netfear and other router vendors are probably a very small portion of endusers. Therefore very little free market accountability.
And I used to mock Microsoft. Well I still do 😊
At least there are alternatives such as building your own Ubuntu router box, open source firmwares, or something such as a pfsense box. The latter can be had as turnkey without too much fuss.