Vulnerability Prompts Warning: Stop Using Netgear WiFi Routers (securityledger.com)
"By convincing a user to visit a specially crafted web site, a remote attacker may execute arbitrary commands with root privileges on affected routers," warns a new vulnerability notice from Carnegie Mellon University's CERT.
Slashdot reader chicksdaddy quotes Security Ledger's story about certain models of Netgear's routers:
Firmware version 1.0.7.2_1.1.93 (and possibly earlier) for the R7000 and version 1.0.1.6_1.0.4 (and possibly earlier) for the R6400 are known to contain the arbitrary command injection vulnerability. CERT cited "community reports" that indicate the R8000, firmware version 1.0.3.4_1.1.2, is also vulnerable... The flaw was found in new firmware that runs the Netgear R7000 and R6400 routers. Other models and firmware versions may also be affected, including the R8000 router, CMU CERT warned.
With no work around to the flaw, CERT recommended that Netgear customers disable their wifi router until a software patch from the company that addressed the hole was available... A search of the public internet using the Shodan search engine finds around 8,000 R6450 and R7000 devices that can be reached directly from the Internet and that would be vulnerable to takeover attacks. The vast majority of those are located in the United States.
Proof-of-concept exploit code was released by a Twitter user who, according to the article, said "he informed Netgear of the flaw more than four months ago, but did not hear back from the company since then."
Stop using Netgear firmware. I operate under the assumption that the stock firmware on any consumer wireless device is probably a bug riddled privacy disaster and replace it with something sane ASAP.
Obviously, that sucks for people who can't dabble in firmware replacements, but there's a limit to what I can fix...
Log in or piss off.
Time for more OpenWRT based routers? At least then you don't need to rely on the manufacturer for "security updates" which will be discontinued not long after purchase. Invariably this always seems to happen. I don't see things getting much better for integrated routers unless more of them have replaceable firmware, but then I guess that would threaten the manufacturer's profit margins and we can't have that can we.
If Carnegie Mellon is talking about the exploit now, that means they told the FBI about it a long time ago and it's being actively used against people.
I reported a vulnerability to the Netgear CTO approximately 10 years ago. Before he hung up the phone on me he started screaming that their products were secure and to never contact Netgear about security problems again. Issues like these become systemic when the top-down corporate culture is negligent of modern-day best practices.
What I learned then is what you all are likely learning now - DON'T USE NETGEAR. 2C
P.S. The vulnerability I reported still exists.
I was just complaining in a message thread on Facebook earlier today about Netgear product issues. (Netgear had some corporate shill trying to talk up their product line on there, and promptly got a slew of negative comments about support issues and hardware problems with their products. I had to chime in with my bad experience of a whole group of ProSafe smart switches that failed shortly outside the warranty period, thanks to defective power adapters included with them. Netgear wanted to charge more for a replacement adapter than it was worth. Finally got them going again with cheap adapters found on eBay.)
I should go back and link this article too!
Asuswrt-Merlin on Netgear R7000
I've been using this for several months. http://www.linksysinfo.org/ind... Just about everything that's on the ASUS routers runs on the Netgear.
A bullet may have your name on it, but artillery is addressed to " Whom It May concern"
There are a helluva lot more than 8000 Netgear routers on the Internet, which implies the vulnerability requires you to enable remote (WLAN) admin access on the router for it to be exploited externally. But neither link clarifies if this is the case.
You'd still be vulnerable from the LAN side, particularly if someone using your Internet clicks a link with the default IP address of the router coded into the URL. But the first thing I do when I get a new router is change the default IP address, precisely to prevent this sort of thing and to avoid complications from subnet address collisions when setting up VPNs. Usually something in the 10.x.x.x block.
Yes, I immediately thought of OpenWRT, which I run on Netgear, Linksys, and other companies routers. I buy them brand-new and flash them before placing them in service.
Bruce Perens.
which is affected. There is no patch yet, just checked. You would think it would not take but a day or so to push out a patch, but since we're not dealing with Libre/FLOSS software, we are literally at the mercy of Netgear. I don't know of any reliable alternatives to run as firmware. Anyone?
As far as other brands, I dislike Linksys, especially since the Cisco and Belkin days. The quality is simply not there anymore. Anyone have a good recommendation? Buffalo, maybe? D-Link? ASUS. Apple is getting out of the wireless game, so I won't buy something that will not be getting support.
Classic example of a cross-site request forgery attack.
There is absolutely no reason to keep using the stock firmware (other than laziness), and many reasons not to (see this story). If you don't know where to start: https://www.dd-wrt.com/wiki/in...
It's not cheap if you have to replace it annually when the manufacturer stops supporting the software on the device.
There are plenty of small business products from reputable network companies - yes they cost more than $199 - and you can't buy them at Walmart and Best Buy - but they are FAR better than the crap stocked at those stores.
If you can't afford a decent router from a decent company - then rent one from your ISP. At least then security and support issues will be your ISP's problem.
I have a Netgear DGN2200M and the exploit (as described in the article) doesn't work on my router thankfully.
And just what, exactly, does "visiting a malicious website" have to do with anything?
If the web interface port is open to the Internet, no user involvement is required.
If the "visiting a malicious website" is required so that JavaScript / Java in the browser can execute the exploit against the "inside" interface, then this is a vulnerability in the browser / JavaScript / Java and not necessarily the router.
I do not understand.
Are you fucking kidding me?
Is not affected. The CERT link is kind of crap, but they have reference links at the bottom which have more meat, including a PoC you can do easily (http://RouterIP/;telnetd$IFS-p$IFS'45' is supposed to open telnet on port 45).
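The PoC URL above and the killall workaround URL posted further down share one shape: a ';' immediately after the path starts a second shell command, and $IFS stands in for the space character that the URL cannot carry. A detector that only looks for a space after the path therefore sees nothing. The following scanner is an added example, not code from the page, CERT or Netgear; it runs that observation over a few constructed access-log lines. The combined-log format, the client addresses and the status.cgi path are assumptions made for the sample and are not known Netgear paths.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log style. They are not real
# captures from a router, only inputs to exercise the detector below.
SAMPLE_LOG = """\
192.168.1.23 - - [11/Dec/2016:10:01:02 -0500] "GET /cgi-bin/;telnetd$IFS-p$IFS'45' HTTP/1.1" 200 12
192.168.1.23 - - [11/Dec/2016:10:01:09 -0500] "GET /cgi-bin/%3Bkillall%24IFS%27httpd%27 HTTP/1.1" 200 0
192.168.1.50 - - [11/Dec/2016:10:02:30 -0500] "GET /start.htm HTTP/1.1" 200 8451
192.168.1.50 - - [11/Dec/2016:10:02:31 -0500] "GET /cgi-bin/status.cgi?id=5 HTTP/1.1" 200 311
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Ways a request target can reach a shell as more than one command. The
# exploit on this page uses ';' to start a second command and $IFS as a
# stand-in for a space, so both are checked separately.
SHELL_META = re.compile(r'[;|&`]|\$\(')
IFS_EVASION = re.compile(r'\$\{?IFS\}?')


def decode_target(target, rounds=2):
    """Percent-decode repeatedly so a double-encoded %253B (';') is seen too."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def naive_has_command(target):
    """The check that misses this exploit: it looks for a space after the path."""
    return " " in decode_target(target)


def classify(target):
    """Return the reasons a request target looks like a command-injection attempt."""
    decoded = decode_target(target)
    path = decoded.split("?", 1)[0]   # query string would get its own parser
    reasons = []
    if SHELL_META.search(path):
        reasons.append("shell metacharacter in path")
    if IFS_EVASION.search(decoded):
        reasons.append("$IFS used as whitespace substitute")
    return reasons


def scan(log_text):
    """Return (client_ip, decoded target, reasons) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = classify(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), decode_target(m.group("target")), reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {target!r}: {', '.join(reasons)}")
```

The decoder runs twice on purpose: a log line records the request as sent, so an attacker who percent-encodes the ';' (second sample line) or double-encodes it still ends up with the same decoded path as the plain PoC. Run it on the router's own log only if you can get one; more realistically this sits on a proxy or IDS in front of the admin interface.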
FTFA references
> I don't know of any reliable alternatives to run as firmware.
It looks like Tomato supports your router, as does dd-wrt.
https://www.myopenrouter.com/b...
https://www.myopenrouter.com/d...
> As far as other brands, I dislike Linksys, especially since the Cisco and Belkin days. The quality is simply not there anymore. Anyone have a good recommendation?
Further up this page someone posted a link to recent routers recommended for Tomato.
The end of Netgear? Negative reviews about Netgear products act as powerful negative advertising. When people want to buy computer hardware, they read the reviews on Amazon and Newegg. A large percentage of the reviews of Netgear routers are extremely negative.
Below are links to extremely negative reviews: 1) 14 extremely negative Amazon reviews and 2) 11 Netgear Forum requests for help that were ignored.
The negative reviews reflect 3 very serious issues:
1) Netgear does not publish sufficient information about how to configure its equipment, so many customers have severe difficulties.
2) Netgear's equipment is, in some ways, badly designed. Users with experience with other manufacturers don't imagine that the electronic design of Netgear products makes the products so complicated to configure.
3) Customers who post problems on the Netgear Forum often receive no help.
Solutions
There is an easy, quick solution: Netgear must communicate clearly. There is a long-term solution: Netgear needs to hire electronics engineers and programmers who eliminate the design problems.
Benefits
Sales will be much easier if Netgear becomes better at communicating. Anyone holding Netgear stock will benefit from improvements in ease of configuration of Netgear products. Netgear will be easier to manage if there is better coordination.
I spent many hours trying to configure our Netgear routers. Eventually I found a review on Amazon that told how to correct the problem. I was trying to configure 4 FVS336Gv2 routers. (We own 8.) They worked very well for a few hours, and then dropped connections.
I've discovered there are many other people with the same problem. I posted 2 messages on the Netgear Forum and received no reply. My experience with older Netgear routers is that they have configuration issues also, but are easier to configure than the newer routers.
I'm an electronics design engineer and programmer. This article is a volunteer effort to try to get Netgear to improve communication with customers, so that my company will not need to change our operations to use hardware from another manufacturer.
One example of poor communication: Customers are not told of the unusual methods necessary to make Netgear equipment work. See this example from an Amazon review:
That indicates that there is no internal mechanism to prevent faulty installation of firmware.
The instructions that come with the firmware say nothing about resetting before and after.
Customers imply that Netgear makes configuration difficult so that Netgear can charge for help. Configuration help is free for 90 days. After that Netgear charges for help. Making configuration difficult and not intuitive apparently, judging from what customers say, is a way of making more money.
Other ideas from customer reviews:
1) The plug-in power supplies sometimes don't provide enough power.
2) Some Netgear routers require 4 minutes to re-start after the power is off.
3) Some Netgear routers must be turned off for at least 2 minutes before re-starting. (That indicates that the design lacks a resistor to drain the power supply capacitor quickly after the router is unplugged.)
4) Question: How long must the "Factory Defaults" switch be pressed before the return to factory co
My R8000 running V1.0.3.4_1.1.2 (latest available) is vulnerable from the inside. However my inside network does not use the 192.x.x.x address space so good luck figuring out my inside interface IP.
It damn well should be!
There needs to be a policing/standards body for ensuring secure hardware &software platforms/interfaces.
Basically testing for security compliance of any product that can communicate over a network.
I'll put it on my Santa wish list
It is possible that 1/3 throughput number is due to differences in the packet filtering framework in use and the default filtering being done.
I personally moved to OpenWRT just to make sure my router was filtering packets properly and being able to configure multiple vlans in the switch chip. As a 100 megabit router running a ~300 mhz cpu, it is getting full line speed over the WAN port (20-30 megabit) even with a dozen or so rules in place.
Having said that: Were you attempting to use WIFI on the router at the same time? Because WIFI seriously degrades performance, especially if you have any packet filtering going on (especially if the wlan and lan segments are considered part of the same network. I personally segment them to avoid precisely that issue.)
Anyone still using WRT54GL? If so which open source firmware do you prefer?
I began to accept the notion that all consumer based routers are junk, and designed only to focus on making it easy for the dumb consumer to get connected. Any network security person will most likely recommend a business grade router even in homes. Or as many say, install a third party firmware solution, but frankly most consumers will never even know this problem exist. How many even know how to upgrade firmware or what firmware is?
I encourage everyone to let Netgear management know what a great job they're doing: https://www.netgear.com/about/... AFAIK, their email address format is typically Firstname.Lastname@netgear.com.
I think a new law is needed making it legal for the government to hack devices/computers for the purposes of disabling them.
Furthermore internet enabled devices might necessitate an FCC mandated kill switch. I can see it using both a push and pull mechanism. Push where the devices are directly connected to the internet and pull from behind a firewall where the devices must periodically check an FCC site to see if it should disable itself in as graceful as way possible such as maybe disabling network connections and requiring manual intervention. This must apply to all computers running Windows.
Bots are a menace to the internet and people must accept a certain amount of responsibility for the maintenance of their devices.
Netgear is the McDonald's of routers. Personally, I only use Draytek routers. Have had great success with them where Netgear, Linksys, D-Link, and Cisco have all failed miserably.
I don't respond to AC's.
Browsers do have an address bar. It shows what the browser is connected to. They should simply stop loading content from anywhere else.
Sites that think they need to access multiple hosts shall proxy them behind one. Want to use other sites content, feed it through your own host. Sites that are too lazy will have to explain users to set up the necessary exceptions.
The web would be a much better place.
(Of course, all the ads would no longer work the way they do, either.)
I have a stack of Cisco and Juniper firewalls and routers, ASAs and ISRs. The reason I have them hooked up right now is I'm writing scripts to detect and exploit (at POC level) various vulnerabilities in them.
Some of the vulnerabilities have fixes available, some don't. There are reasons to spend a hundred times as much on a Cisco, but security isn't a very strong reason, compared to OpenWRT. I actually trust OpenWRT more than I trust my Cisco ASA, based on my twenty years of experience.
Ridiculous. At least that means you can do this to put it in a non-vulnerable mode:
http://www.routerlogin.net/cgi-bin/;killall$IFS'httpd'
or
http:///cgi-bin/;killall$IFS'httpd'
If you need the web interface for anything you can power cycle then run that again to lock it down...
(In the grandparent comment, I forgot to say that I sent that information to Netgear management in January 2016, less than a year ago.)
I researched other suppliers of VPN routers. They didn't seem better.
Any suggestions?
>> If you run your firewall / router in a VM, that means there's a physical box hosting it which is physically plugged directly into the internet
> What are you taking about? I run this exact setup and my host isn't "unprotected by the firewall."
How exactly do you think ethernet frames GET to your VM, at layer 1 and layer 2?
As I said, it's not impossible to do it reasonably safely, but I much prefer to have nothing but the firewall *physically* plugged into the internet. In theory, software should route all the frames to your VM, via the internal virtual switch, if and when everything is working as designed. Do you trust that a switch will never ever forward a frame to the wrong port? If so, you've never heard of a CAM overflow attack, or gratuitous ARP. I can tell you with certainty that I can cause the switch to broadcast those frames rather than sending them only to your pfsense VM.
BTW my post might have been unclear. I mentioned I've been doing this professionally for a long time, and that I use OpenWRT. What I didn't make clear is that I don't deploy OpenWRT professionally.* Putting aside what might be technically best for a particular role, we've all heard the saying "nobody ever got fired for buying IBM"; nobody ever got fired for buying Cisco.
* One time I needed a VPN end point to serve ONE user, for a company with total annual revenue around $100K. OpenWrt met the requirements.
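The CAM-overflow point in the comment above (a switch that can no longer learn addresses falls back to flooding unknown unicast out of every port, so a frame meant for the firewall VM also reaches whoever filled the table) can be shown with a toy model of a learning switch. This is an added example, not code from the page or from any switch vendor. The model's behaviour when the table is full (new sources simply are not learned) and its aging rule are assumptions; real switches differ in detail, and gratuitous ARP is not modelled. The optional per-port MAC cap stands in for the "port security" style mitigation.

```python
class LearningSwitch:
    """Toy model of a learning Ethernet switch with a bounded MAC (CAM) table.

    Model assumptions (not a description of any particular product): when the
    table is full, new source addresses are not learned; entries age out after
    `age_limit` frames of silence; with `port_limit` set, a port that already
    has that many learned MACs drops frames from any further new source.
    """

    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, ports, cam_size, age_limit, port_limit=None):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.age_limit = age_limit
        self.port_limit = port_limit
        self.cam = {}          # mac -> (port, last_seen)
        self.clock = 0         # one tick per frame stands in for wall time

    def _expire(self):
        stale = [m for m, (_, seen) in self.cam.items()
                 if self.clock - seen > self.age_limit]
        for m in stale:
            del self.cam[m]

    def _macs_on(self, port):
        return sum(1 for p, _ in self.cam.values() if p == port)

    def frame(self, src, dst, in_port):
        """Switch one frame; return the list of egress ports ([] if dropped)."""
        self.clock += 1
        self._expire()
        known = src in self.cam
        if (not known and self.port_limit is not None
                and self._macs_on(in_port) >= self.port_limit):
            return []                                   # port security: drop
        if known or len(self.cam) < self.cam_size:
            self.cam[src] = (in_port, self.clock)       # learn or refresh
        entry = self.cam.get(dst)
        if dst != self.BROADCAST and entry and entry[0] != in_port:
            return [entry[0]]                           # known unicast
        return [p for p in self.ports if p != in_port]  # unknown: flood


def run_scenario(port_limit=None, cam_size=64, age_limit=100):
    """Port 1: firewall VM host NIC, port 2: upstream, port 3: attacker.

    Returns the egress ports of an upstream->firewall frame before the attack,
    right after it, and again after the firewall has sent a frame of its own.
    """
    sw = LearningSwitch([1, 2, 3], cam_size, age_limit, port_limit)
    fw, wan = "fw", "wan"
    sw.frame(fw, wan, in_port=1)
    before = sw.frame(wan, fw, in_port=2)
    # Attacker sprays frames with fabricated source MACs (constructed values),
    # and keeps doing so for longer than the aging interval.
    fakes = [f"02:00:00:00:00:{i:02x}" for i in range(cam_size)]
    for _ in range(3):
        for mac in fakes:
            sw.frame(mac, LearningSwitch.BROADCAST, in_port=3)
    first = sw.frame(wan, fw, in_port=2)    # firewall entry has aged out
    sw.frame(fw, wan, in_port=1)            # firewall answers: can it be relearned?
    after = sw.frame(wan, fw, in_port=2)
    return before, first, after


if __name__ == "__main__":
    print("no port limit:", run_scenario())
    print("port limit 8: ", run_scenario(port_limit=8))
```

Without a cap the third result stays [1, 3]: the firewall's own reply could not be learned into a full table, so every frame for it keeps going to the attacker's port as well. With the cap the switch recovers to [1] as soon as the firewall speaks again; the only flooding left is the normal transient for an address that has aged out.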
From computer world:
Mr. van Schaik offers the first work-around for the problem. His idea is quite clever, use the bug to disable the vulnerable software. In this case, the vulnerable software is the web interface of the router, and this command kills it:
http://www.routerlogin.net/cgi-bin/;killall$IFS'httpd'
> You a pentester or writing a pentesting kit??
I write vulnerability assessment tools. It's broader than pentesting proper, because we also find weaknesses that aren't strictly part of pentesting.
> You actually finding new gaps or just learning how to exploit known issues?
Mostly we're assessing issues that are known to some degree, sometimes we find undocumented weaknesses, sometimes we assess the impact of newly discovered vulnerabilities, and how potential mitigating or aggravating factors affect the risk. Often the "new" stuff is yet another case of a well-known type, such as SQLi.
> Btw, I think 100x is a bit hyperbolic? :)
You can spend $3,000 on Cisco ASA, then to have the same functionality as OpenWRT you'd add the strong ciphers upgrade and the upgrade for more VPN seats, and pay annually for upgrades. Altogether, you certainly CAN spend $5,000 on Cisco firewall, and you can deploy OpenWRT for $50. So 100X the price is certainly possible, though that is at the high end. You can also get a small Cisco ASA for $450. (You can get an outdated, unsupported, and vulnerable ASA 5505 for $200 used with power adapter, but that's dumb.)
Netgear's ongoing response to this issue is at http://kb.netgear.com/00003638...
Why should I worry?
NETGEAR has a dedicated page describing how to report vulnerabilities directly to the team that looks into issues like this: http://www.netgear.com/about/security
ASUS of course
I had a problem with a Netgear router not being able to remember DHCP to MAC assignments. This was a problem in the version of dnsmasq baked into the firmware, but it had been fixed in the current version of dnsmasq. So I called up technical support to ask if there was a later version of the firmware, or source code I could rebuild from. After about 40 minutes of going through a completely useless script ("No I won't click the start button, Debian doesn't have one, you insensitive clod."), I gave up and eBay'd the paperweight. No more Netgear for me.
Red to red, black to black. Switch it on, but stand well back.
Opened a support request and this is what I got:
Ignorant or clueless or both...
So this means that you have to be a network engineer to maintain your privacy. It seems like the companies who make home/business wifi routers must be intentionally leaving holes in the system... to keep the product sales going. Since day one of routers people have been complaining about the holes in routers and other hardware. I just don't understand what these companies are doing... seems like making cookies..
Thanks. Having a look at Asus VPN routers now.
Netgear published on 12/13/2016 a beta firmware which claims to address the issue (haven't tested). As of this moment, the router will not, by default, prompt installation of beta firmware. http://kb.netgear.com/00003645...
Here is Netgear's response:
http://kb.netgear.com/000036386/CVE-2016-582384