Slashdot Mirror


Vulnerability Prompts Warning: Stop Using Netgear WiFi Routers (securityledger.com)

"By convincing a user to visit a specially crafted web site, a remote attacker may execute arbitrary commands with root privileges on affected routers," warns a new vulnerability notice from Carnegie Mellon University's CERT. Slashdot reader chicksdaddy quotes Security Ledger's story about certain models of Netgear's routers: Firmware version 1.0.7.2_1.1.93 (and possibly earlier) for the R7000 and version 1.0.1.6_1.0.4 (and possibly earlier) for the R6400 are known to contain the arbitrary command injection vulnerability. CERT cited "community reports" that indicate the R8000, firmware version 1.0.3.4_1.1.2, is also vulnerable... The flaw was found in new firmware that runs the Netgear R7000 and R6400 routers. Other models and firmware versions may also be affected, including the R8000 router, CMU CERT warned.

With no workaround to the flaw, CERT recommended that Netgear customers disable their wifi router until a software patch from the company that addressed the hole was available... A search of the public internet using the Shodan search engine finds around 8,000 R6450 and R7000 devices that can be reached directly from the Internet and that would be vulnerable to takeover attacks. The vast majority of those are located in the United States.

Proof-of-concept exploit code was released by a Twitter user who, according to the article, said "he informed Netgear of the flaw more than four months ago, but did not hear back from the company since then."

4 of 147 comments

  1. I immediately thought of OpenWRT by Bruce Perens · Score: 5, Interesting

    Yes, I immediately thought of OpenWRT, which I run on Netgear, Linksys, and other companies' routers. I buy them brand-new and flash them before placing them in service.

  2. Re: Netgear *firmware* by corychristison · Score: 3, Interesting

    I have built my own router in the past, and I ran pfSense.

    I used a Jetway dual gig-nic VIA-based board. I can't recall the exact model. This was back in 2007/2008 or so.

    I had one NIC for the WAN, the other for the LAN where I used an 8-port gigabit switch.

    It worked well. At the time, driver support for wireless cards (for a wireless access point) was basically non-existent, so that was one limitation. When we started getting wireless devices in our home (blackberries at the time) we decided we should upgrade the network.

    Another problem is power consumption. The whole setup used around 100W.

    There are the Alix boards with multiple NICs built in, still x86 based and easy to procure that use way less power these days. If I had to do it again, this is the route I would go.

    The new higher end routers these days do offer a great value. Just do your research as to which can be flashed to Tomato/DD-WRT/OpenWRT/etc. and at least you have some control over them.

  3. Re:Netgear *firmware* by raymorris · Score: 3, Interesting

    > In a VM though. At least that will lower the chance of potential attack vectors considerably even if a program in said VM were shit on.

    If you run your firewall / router in a VM, that means there's a physical box hosting it which is physically plugged directly into the internet, unprotected by the firewall. I'm not saying it can't be done reasonably safely, but that's certainly not my preference.

    > So, in conclusion, I'll buy an OpenWRT-compatible router and flash it on because I am lazy. :)

    Yep. I've been doing network security full time for almost twenty years and I would (and do) use OpenWRT, not only because I'm lazy, but because that's a team of people building something specifically for that role. Even with 20 years of security experience, I could overlook something regarding security and nobody would be checking my work.

    I may switch to a Cisco ASA as my first line of defense, though. I happen to have one for lab purposes. I'm not sure I want to deal with Cisco's licensing keeping the thing updated and doing everything I want it to do, though.

  4. The reason I have Cisco and Juniper firewalls by raymorris · Score: 4, Interesting

    I have a stack of Cisco and Juniper firewalls and routers, ASAs and ISRs. The reason I have them hooked up right now is I'm writing scripts to detect and exploit (at POC level) various vulnerabilities in them.

    Some of the vulnerabilities have fixes available, some don't. There are reasons to spend a hundred times as much on a Cisco, but security isn't a very strong reason, compared to OpenWRT. I actually trust OpenWRT more than I trust my Cisco ASA, based on my twenty years of experience.