This topic has been marked solved and closed to new posts due to inactivity. We hope you'll join the conversation by posting to an open topic or starting a new one.
That latest 2021/01/21 Security bulletin states the RBS750 is susceptable to the hack if firmware is equal to or lower than
RBS40V running firmware versions prior to 2.6.2.4
RBS750 running firmware versions prior to 3.2.17.12
RBS850 running firmware versions prior to 3.2.17.12
...
Yet, the latest firmware found in the "Update" logs is
Check for new version from the Internet. [Check]
Status:
Model Name Device Name Current FW Status
Router CBR750 CBR750 V3.2.16.18 No New Firmware Available
Satellite RBS750 Orbi.. V3.2.16.22 No New Firmware Available
And what is worse, is that in grabbing this information I just found out my 'upgrade' to the CBR750 firmware showed failed days AFTER is succeeded (yes, I even posted a grab of the update page and posted it in another thread days ago). But then, wait for it, the router is having DNS issues, and even it's internal check for updates is failing... lmao.
So back to the fact the advisory that lists firmware that is later than what the updater finds - this seems to be routine for Netgear - as it just happened on my CBR40, too.
CBR750 (Orbi Cable Router) Firmware Version 3.2.16.18
RBS750 (Orbi Satellite) Firmware Version 3.2.16.6
It seems after some digging there are TWO RBS750 models. Not exactly a smart naming convention Netgear. One is for the RBR750/RBS750 pair, and a different model for the CBR750/RBS750 pair. Whoever is writing these security bulletins should probably be told this fact.
Then why are there THREE 'latest firmware' releases? And which one is really the latest?
My RBS750 satellite has V3.2.16.22 installed and reports this is the latest available.
The Orbi CBK752 page shows a latest RBS750 (Orbi Satellite) Firmware Version 3.2.16.6 (older than installed?).
The Security notice says the RBS750 is vulnerable if the RBS750 is running firmware versions prior to 3.2.17.12.
So where do I get V3.2.17.12 ???
And - if I download the version you link for the standalone RBS750, the update fails because the file is for the wrong version of RBS750. I must use the CBK752 download page to get the correct version for my RBS750 from
I'm thinking Netgear has no web master to maintain order, and teams change pages willy-nilly... lol.
ps: if I log into the RBS750 via the CBR750 and try using the system firmware updater, it fails: if I direct connect to the RBS750 with a cable, it will accept the 3.2.17.12 version found above. So even their mesh updater is broken.
pps: Now, I wonder when they plan to update the CBR750 to fix the vulnerability. It has the same basics as the RBR750, only with a cable modem stuck on the WAN side of the router.
When trying that update, the RBS says the file is not compatible ... so I gave up. I'm playing with the CBK752 kit now, and finding it is just as annoying ... and being told in support chat the only way to disable or reenable remote access is using the Orbi App; even though the entire point is to disable management of the router via web and wifi.
ps: here's part of the chat exchange I am in right now:
Me
Model Name Device Name Current Firmware Version Status Router CBR750 CBR750 V3.2.16.18 No New Firmware Available
10:37:26 AM
For now - let's ignore the fact my router is vulnerable. I want to discuss how to disable remote management (web side and wifi).
Ok, maybe NG has put a limiation on the RBS that come with the CBK system vs the RBK system. I know my RBS20 from my CBK40 is working with most recent FW.
Ya 1st line support has never been great and working deeper beyond there scripts. Ask them for escalated or level 3 support. This needs to be addressed by someone who can respond with better information.
Three attempts to use chat support - all have been total failures with attempts to escalete also failing. I also have two unanswered email support requests. I don't like calling for support because there is no transcript to refer back to... but I may try that.
I have four serious issues with the CBK752 ... and so far I am not feeling good about the money spent and especially about the low quality of support being given. Good thing I purchased through Amazon so I can return the box and get a full refund.
re: Netgear Support - my recommendation is "Don't bother - it's a waste of time and effort."
As for firmware updates, the Netgear firmware pages are being manged by a 2 year old, as far as I can tell. E.g., why is the CBK752 page versions different than the RBS750 page version? Looks like the CBR750 page has been updated in the past few days - it was showing .9 as the lastest.
Why the CBR750 hasn't been updated like the RBS750 and RBR750 is still an open question. I can guess it's due to the WAN port being "protected" by the cable modem interface and the chance of causing a stack overflow at that point might require tedious planning. Lol. Yeah, as if that'll stop someone who can reprogram CANBUS controllers of cars driving by or PLC Ladder logic machine controllers using a one shot USB stick attack.
The upside to the CBR750 over the CBR40 - so far - is much much faster boot interval, and the wifi can actually sustain over 500Mbps. Part of me is yelling RETURN IT! Part of me is saying Live with it.
Failed login to DMZ server are redirected to the modem login... lol. Even suggests the attacker reset the CBR750 password [requires SN, so not 100% dumb].
3. Firmware versions don't align with support web page - is 3.2.16.6 really the latest or does my satellite have odd firmware?
From router:
Status: Model Name Device Name Current FW Status Router CBR750 CBR750 V3.2.16.18 No New Firmware Available Satellite RBS750 Orbi Sa V3.2.16.22 No New Firmware Available
From Web:
Current Versions CBR750 (Orbi Cable Router) Firmware Version 3.2.16.18 RBS750 (Orbi Satellite) Firmware Version 3.2.16.6 [may have been fixed]
4. Port Triggering triggers from wrong inbound port
I have a port trigger set to iplocal:40000, yet these port scans are getting through to the host and finding the open 443 port.
[LAN access from remote] from 185.153.197.142 port 48766 to 192.168.1.251 port 443 Wednesday, Mar 03,2021 13:08:17 [LAN access from remote] from 92.118.160.49 port 34901 to 192.168.1.251 port 443 Wednesday, Mar 03,2021 10:09:23
5. Router log is being trucated at about 1500 characters, and never sends log to email client set to receive them.
6: Router unable to communicate with gmail smtp server for mailing logs.
Failed login to DMZ server are redirected to the modem login... lol. Even suggests the attacker reset the CBR750 password [requires SN, so not 100% dumb].
3. Firmware versions don't align with support web page - is 3.2.16.6 really the latest or does my satellite have odd firmware?
From router:
Status: Model Name Device Name Current FW Status Router CBR750 CBR750 V3.2.16.18 No New Firmware Available Satellite RBS750 Orbi Sa V3.2.16.22 No New Firmware Available
So this is version thats also on the RBK7 series system as well. I would presume that v12 from the RBK7 series system should be able to apply over v22 on the RBS.
From Web:
Current Versions CBR750 (Orbi Cable Router) Firmware Version 3.2.16.18 RBS750 (Orbi Satellite) Firmware Version 3.2.16.6 [may have been fixed]
4. Port Triggering triggers from wrong inbound port
I have a port trigger set to iplocal:40000, yet these port scans are getting through to the host and finding the open 443 port.
[LAN access from remote] from 185.153.197.142 port 48766 to 192.168.1.251 port 443 Wednesday, Mar 03,2021 13:08:17 [LAN access from remote] from 92.118.160.49 port 34901 to 192.168.1.251 port 443 Wednesday, Mar 03,2021 10:09:23
5. Router log is being trucated at about 1500 characters, and never sends log to email client set to receive them.
6: Router unable to communicate with gmail smtp server for mailing logs.
Router CBR750 CBR750 V3.2.16.18 No New Firmware Available Satellite RBS750 Orbi Sa V3.2.16.22 No New Firmware Available
So this is version thats also on the RBK7 series system as well. I would presume that v12 from the RBK7 series system should be able to apply over v22 on the RBS.
The sequence would be wrong, so no, it wouldn't be an improvement on that alone.
3.2.16.22 is a later release than 3.2.16.12
The other issue is the CBR has a cable modem in it, and RBR firmware will not have the required 'stuff' to work; and I'd hope the CBR is smart enough to not load the RBR code and brick the modem.
The mentioning of the RBK7 series was in reference to the RBS750 only. We already know that the CBR FW is specific and one would NOT attempt load RBK7 series FW on the CBR. IT would not allow it anyways. I'm sorry I mentioned that if it's confusing.
Actually v12 is from v3.2.17.12 series which IS more resent than 3.2.16.22
Using the CBR interface would not allow me to change the RBS firmware to the later rev. I had to manually log into the RBS and upload the firmware directly.
It appears Netgear has some internal validation for firmware used in kits. And unless whatever checkbox is set a specific build isn't allowed through. This also explains some of the web site stupidity for why some pages show 3.2.16.6 as most current while other pages show 3.2.17.12 as most current for the RBS750.
Have you made contact with someone at NG support or has anyone reached out to you?
Case #44257603
Case #44242253
I was able to get the log email to finally work - but only with a google email account; it is unable to use a private email server. I'm thinking it ignores the port designator and uses the default ports 25, 465, 587, or 2525 depending on security used. So TLS won't work using port 587.
Add one more item to the list of defects... lol. The NTP service doesn't understand NIST time servers and will modify the time to an incorrect value if you use a time.gov NTP server and tick the Use DST option.
At least this is true in the logs ... now I have to go check my devices that use the network time without a direct connection to NIST.
It makes the time off exactly one hour in the logs.
Actual time 3:56, log reports 4:56 when DST is ticked. With the DNS issue still happening - even with manual setup in the clients - I am getting close to moving back to the Orbi 40 kit.
I was able to get the log email to finally work - but only with a google email account; it is unable to use a private email server. I'm thinking it ignores the port designator and uses the default ports 25, 465, 587, or 2525 depending on security used. So TLS won't work using port 587.
It must be very hard for the Netgear support and QA to understand such problem reports.
Needless to say, the Netgear config input handling s**s - it must not accept any port there at all.
Leaving the inability to specify a port alone - what is perfectly fine for consumer devices, people should not have to care about - however standard services should make use of standard ports just like 25 for MTA communication.
Of course, the commonly used code on many Netgear devices [any many more embedded system vendors!] for submitting email (who on earth does collect logs by email in the times of syslog?!?) on the Orbi does work with TLS on port 587 - using explicit TLS by doing the STARTTLS. As per the RFC 8314 "Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access" except of one section (where an ERRATA exists) the document recommends using the port 465 for SMTP over implicit TLS, and does promote to re-assign the old smtps 465 exactly for this purpose. At no point it endorses the usage of 587 for SMTP over implicit TLS.
@FURRYe38 you can cancel the false information sent to NTGR, or update accordingly.
