Slashdot Mirror
Vulnerability Prompts Warning: Stop Using Netgear WiFi Routers (securityledger.com)
"By convincing a user to visit a specially crafted web site, a remote attacker may execute arbitrary commands with root privileges on affected routers," warns a new vulnerability notice from Carnegie Mellon University's CERT.
Slashdot reader chicksdaddy quotes Security Ledger's story about certain models of Netgear's routers:
Firmware version 1.0.7.2_1.1.93 (and possibly earlier) for the R7000 and version 1.0.1.6_1.0.4 (and possibly earlier) for the R6400 are known to contain the arbitrary command injection vulnerability. CERT cited "community reports" that indicate the R8000, firmware version 1.0.3.4_1.1.2, is also vulnerable... The flaw was found in new firmware that runs the Netgear R7000 and R6400 routers. Other models and firmware versions may also be affected, including the R8000 router, CMU CERT warned.
With no work around to the flaw, CERT recommended that Netgear customers disable their wifi router until a software patch from the company that addressed the hole was available... A search of the public internet using the Shodan search engine finds around 8,000 R6450 and R7000 devices that can be reached directly from the Internet and that would be vulnerable to takeover attacks. The vast majority of those are located in the United States.
Proof-of-concept exploit code was released by a Twitter user who, according to the article, said "he informed Netgear of the flaw more than four months ago, but did not hear back from the company since then."
With no work around to the flaw, CERT recommended that Netgear customers disable their wifi router until a software patch from the company that addressed the hole was available... A search of the public internet using the Shodan search engine finds around 8,000 R6450 and R7000 devices that can be reached directly from the Internet and that would be vulnerable to takeover attacks. The vast majority of those are located in the United States.
Proof-of-concept exploit code was released by a Twitter user who, according to the article, said "he informed Netgear of the flaw more than four months ago, but did not hear back from the company since then."
Stop using Netgear firmware. I operate under the assumption that the stock firmware on any consumer wireless device is probably a bug riddled privacy disaster and replace it with something sane ASAP.
Obviously, that sucks for people who can't dabble in firmware replacements, but there's a limit to what I can fix...
Log in or piss off.
I tried OpenWRT on a cheap TP-LINK wifi router. While the feature set was impressive, it could barely manage 1/3 the throughput of the stock firmware.
Only the State obtains its revenue by coercion. - Murray Rothbard
The R7000 (which I own) supports DD-WRT very well, so it's just a matter of installing that.
And it may have been utilized by malware for a long time before that.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
I was just complaining in a message thread on Facebook earlier today about Netgear product issues. (Netgear had some corporate shill trying to talk up their product line on there, and promptly got a slew of negative comments about support issues and hardware problems with their products. I had to chime in with my bad experience of a whole group of ProSafe smart switches that failed shortly outside the warranty period, thanks to defective power adapters included with them. Netgear wanted to charge more for a replacement adapter than it was worth. Finally got them going again with cheap adapters found on eBay.)
I should go back and link this article too!
Asuswrt-Merlin on Netgear R7000 I've been using this for several months. http://www.linksysinfo.org/ind... Just about everything that's on the ASUS routers runs on the Netgear.
A bullet may have your name on it, but artillery is addressed to " Whom It May concern"
There are a helluva lot more than 8000 Netgear routers on the Internet, which implies the vulnerability requires you to enable remote (WLAN) admin access on the router for it to be exploited externally. But neither link clarifies if this is the case.
You'd still vulnerable from the LAN side, particularly if someone using your Internet clicks a link with the default IP address of the router coded into the URL. But the first thing I do when I get a new router is change the default IP address precisely to prevent this sort of thing, and to avoid complications from subnet address collisions when setting up VPNs. Usually something in then 10.x.x.x block.
Yes, I immediately thought of OpenWRT, which I run on Netgear, Linksys, and other companies routers. I buy them brand-new and flash them before placing them in service.
Bruce Perens.
There is absolutely no reason to keep using the stock firmware (other than laziness), and many reasons not to (see this story). If you don't know where to start: https://www.dd-wrt.com/wiki/in...
I tried OpenWRT on a cheap TP-LINK wifi router. While the feature set was impressive, it could barely manage 1/3 the throughput of the stock firmware.
This is absolutely accurate. The reason is that the stock firmware enables hardware accelerated NAT in the switch chip. This isn't yet supported in the Linux kernel, so no support in Openwrt.
I have a Netgear DGN2200M and the exploit (as described in the article) doesn't work on my router thankfully.
Just go "enterprise", I got one of these https://www.ubnt.com/unifi/uni... with one of these https://www.ubnt.com/edgemax/e... for $150 or so total, it really lights up my whole house, doesn't have lots of network names for different wireless frequencies, easily isolated guest network, super long range, and if I really wanted, I could add an outdoor one and light up my backyard too.
It wasn't perfect (you need a computer with some weird java app to seup and update the setup), but overall, I'm very happy with my results, and it didn't cost me much extra over a mid-range router ($150 vs $75).
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
I bought a cheap Intel Celeron N3150 that came with dual NICs, and installed pfSense on it. Best router I've ever had. Although the modem plugged into it is Netgear...
Who ordered that?
Are you fucking kidding me?
Is not effected. The CERT link is kind of crap but they have reference links at the bottom which have more meat including a PoF you can do easily (http://RouterIP/;telnetd$IFS-p$IFS'45' is supposed to open telnet on port 45).
FTFA references
> I don't know of any reliable alternatives to run as firmware.
It looks like Tomato supports your router, as does dd-wrt.
https://www.myopenrouter.com/b...
https://www.myopenrouter.com/d...
> As far as other brands, I dislike Linksys, especially since the Cisco and Belkin days. The quality is simply not there anymore. Anyone have a good recommendation?
Further up this page someone posted a link to recent routers recommended for Tomato.
The end of Netgear? Negative reviews about Netgear products act as powerful negative advertising. When people want to buy computer hardware, they read the reviews on Amazon and Newegg. A large percentage of the reviews of Netgear routers are extremely negative.
Below are links to extremely negative reviews: 1) 14 extremely negative Amazon reviews and 2) 11 Netgear Forum requests for help that were ignored.
The negative reviews reflect 3 very serious issues:
1) Netgear does not publish sufficient information about how to configure its equipment, so many customers have severe difficulties.
2) Netgear's equipment is, in some ways, badly designed. Users with experience with other manufacturers don't imagine that the electronic design of Netgear products makes the products so complicated to configure.
3) Customers who post problems on the Netgear Forum often receive no help.
Solutions
There is an easy, quick solution: Netgear must communicate clearly. There is a long-term solution: Netgear needs to hire electronics engineers and programmers who eliminate the design problems.
Benefits
Sales will be much easier if Netgear becomes better at communicating. Anyone holding Netgear stock will benefit from improvements in ease of configuration of Netgear products. Netgear will be easier to manage if there is better coordination.
I spent many hours trying to configure our Netgear routers. Eventually I found a review on Amazon that told how to correct the problem. I was trying to configure 4 FVS336Gv2 routers. (We own 8.) They worked very well for a few hours, and then dropped connections.
I've discovered there are many other people with the same problem. I posted 2 messages on the Netgear Forum and received no reply. My experience with older Netgear routers is that they have configuration issues also, but are easier to configure than the newer routers.
I'm an electronics design engineer and programmer. This article is a volunteer effort to try to get Netgear to improve communication with customers, so that my company will not need to change our operations to use hardware from another manufacturer.
One example of poor communication: Customers are not told of the unusual methods necessary to make Netgear equipment work. See this example from an Amazon review:
That indicates that there is no internal mechanism to prevent faulty installation of firmware.
The instructions that come with the firmware say nothing about resetting before and after.
Customers imply that Netgear makes configuration difficult so that Netgear can charge for help. Configuration help is free for 90 days. After that Netgear charges for help. Making configuration difficult and not intuitive apparently, judging from what customers say, is a way of making more money.
Other ideas from customer reviews:
1) The plug-in power supplies sometimes don't provide enough power.
2) Some Netgear routers require 4 minutes to re-start after the power is off.
3) Some Netgear routers must be turned off for at least 2 minutes before re-starting. (That indicates that the design lacks a resistor to drain the power supply capacitor quickly after the router is unplugged.)
4) Question: How long must the "Factory Defaults" switch be pressed before the return to factory co
My R8000 running V1.0.3.4_1.1.2 (latest available) is vulnerable from the inside. However my inside network does not use the 192.x.x.x address space so good luck figuring out my inside interface IP.
It damn well should be!
There needs to be a policing/standards body for ensuring secure hardware &software platforms/interfaces.
Basically testing for security compliance of any product that can communicate over a network.
I'll put it on my Santa wish list
It is possible that 1/3 throughput number is due to differences in the packet filtering framework in use and the default filtering being done.
I personally moved to OpenWRT just to make sure my router was filtering packets properly and being able to configure multiple vlans in the switch chip. As a 100 megabit router running a ~300 mhz cpu, it is getting full line speed over the WAN port (20-30 megabit) even with a dozen or so rules in place.
Having said that: Were you attempting to use WIFI on the router at the same time? Because WIFI seriously degrades performance, especially if you have any packet filtering going on (especially if the wlan and lan segments are considered part of the same network. I personally segment them to avoid precisely that issue.)
This isn't a java/javascriipt or browser exploit.
It works by being able to send commands directly to the router as part of a url request. The router's web interface will process it unauthenticated as root.
I'm not sure how the malicious website would exploit it outside of presenting a link for you to click on as my understanding of web programing is limited to basic html and I need a cheat sheet at that. But it appears that this is within the web server inside the router so killing it off would negate the issue. But on that hand, you would have to reboot the router to log into the web page to administrate it. Alternatively, you likely could ssh or telnet into it and do it from a command shell if the ports are open.
Here is someone who has illustrated it a bit by using the exploit to disable the web server as a temporary fix.
http://www.sj-vs.net/a-tempora...
The major downside is that I can't resist playing, and seem to have borked DNS.
I've managed to bork mine too, but this was before I discovered "Backup & Restore" under "Diagnostics".
Who ordered that?
DDWRT-I still have a WRT54GL in use as wireless bridge. I have several machines in the living room that don't do wifi, and I didn't want to run Cat5/6 out there so I set my old faithful WRT54GL up as a wireless bridge.. Works peachy..
THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
I encourage everyone to let Netgear management know what a great job they're doing: https://www.netgear.com/about/... AFIK, their email address format is typically Firstname.Lastname@netgear.com.
I think a new law is needed making it legal for the government to hack devices/computers for the purposes of disabling them.
Furthermore internet enabled devices might necessitate an FCC mandated kill switch. I can see it using both a push and pull mechanism. Push where the devices are directly connected to the internet and pull from behind a firewall where the devices must periodically check an FCC site to see if it should disable itself in as graceful as way possible such as maybe disabling network connections and requiring manual intervention. This must apply to all computers running Windows.
Bots are a menace to the internet and people must accept a certain amount of responsibility for the maintenance of their devices.
Netgear is the McDonald's of routers. Personally, I only use Draytek routers. Have had great success with them where Netgear, Linksys, D-Link, and Cisco have all failed miserably.
I don't respond to AC's.
You present the malicious URL as an or some other type that gets automatically loaded with the page. The user does not have to click anything, or even have javascript enabled.
I have a stack of Cisco and Juniper firewalls and routers, ASAs and ISRs. The reason I have them hooked up right now is I'm writing scripts to detect and exploit (at POC level) various vulnerabilities in them.
Some of the vulnerabilities have fixes available, some don't. There are reasons to spend a hundred times as much on a Cisco, but security isn't a very strong reason, compared to OpenWRT. I actually trust OpenWRT more than I trust my Cisco ASA, based on my twenty years of experience.
(In the grandparent comment, I forgot to say that I sent that information to Netgear management in January 2016, less than a year ago.)
I researched other suppliers of VPN routers. They didn't seem better.
Any suggestions?
>> If you run your firewall / router in a VM, that means there's a physical box hosting it which is physically plugged directly into the internet
> What are you taking about? I run this exact setup and my host isn't "unprotected by the firewall."
How exactly do you think ethernet frames GET to your VM, at layer 1 and layer 2?
As I said, it's not impossible to do it reasonably safely, but I much prefer to have nothing but the firewall *physically* plugged into the internet. In theory, software should route all the frames to your VM, via the internal virtual switch, if and when everything is working as designed. Do you trust that a switch will never ever forward a frame to the wrong port? If so, you've never heard of a CAM overflow attack, or gratuitous ARP. I can tell you with certainty that I can cause the switch to broadcast those frames rather than sending them only to your pfsense VM.
If you can't afford a decent router from a decent company - then rent one from your ISP. At least then security and support issues will be your ISP's problem.
The problem is most ISP's don't give a fuck if you get hacked and they hand you some Netgear AIO modem/router thats garbage to start with and you cant even flash it because AIO devices aren't supported by ANY of the OSS firmware options. If your'e a consumer concerned with safety of your internet devices and don't have the knowledge/skill to find and flash a compatible router, than buy Buffalo Routers. Most of their routers come Pre-Installed with DD-WRT and yes they have a modified version but you can easily download the full non-modified version, then install it thru the web interface like any normal router firmware update.
BTW my postb might have been unclear. I mentioned I've been doing this professionally for a long time, and that I use OpenWRT. What I didn't make clear is that I don't deploy OpenWRT professionally.* Putting aside what might be technically best for a particular role, we're all heard the saying "nobody ever got fired for buying IBM", nobody ever got fired for buying Cisco.
* One time I needed a VPN end point to serve ONE user, for a company with total annual revenuev around $100K. OpenWrt met the requirements.
> You a pentester or writing a pentesting kit??
I write vulnerability assessment tools. It's a broader more than pentesting proper because we also find weaknesses that aren't strictly part of pentesting.
> You actually finding new gaps or just learning how to exploit known issues?
Mostly we're assessing issues that are known to some degree, sometimes we find undocumented weaknesses, sometimes we assess the impact of newly discovered vulnerabilities, and how potential mitigating or aggravating factors affect the risk. Often the "new" stuff is yet another case of a well-known type, such as SQLi.
> Btw, I think 100x is a bit hyperbolic? :)
You can spend $3,000 on Cisco ASA, then to have the same functionality as OpenWRT you'd add the strong ciphers upgrade and the upgrade for more VPN seats, and pay annually for upgrades. Altogether, you certainly CAN spend $5,000 on Cisco firewall, and you can deploy OpenWRT for $50. So 100X the price is certainly possible, though that is at the high end. You can also get a small Cisco ASA for $450. (You can get an outdated, unsupported, and vulnerable ASA 5505 for $200 used with power adapter, but that's dumb.)
Netgear's ongoing response to this issue is at http://kb.netgear.com/00003638...
After trying all of the consumer routers and even Ubiquity Unifi, I finally settled on RouterBoard. Better performance/price ratio compared to even Ubiquity, with fine grained control over how it operates. Can be setup with a desktop application or a direct web interface. Rock solid setup and operation. This one is basically a wireless router, so it can be configured as your main router. But at just about $120, it is inexpensive enough to be configured and used for additional wireless access points spread across the house.
Why should I worry?
An old PC is probably not worth it, if you're keeping it powered all of the time. A PC-Engines APU2 board will use 6-10W and cost around $100. An old PC will use 50-100W and cost $0. Power costs a little over 1$/W/year, so after one to two years you've paid more in power for the old PC than the TCO for the newer board.
I am TheRaven on Soylent News
I'd love to do that, only the ERL and ERL-X can't handle my 1gbps internet connection. They seem to top out in the 6-700 hundred range and the netgear router my ISP provided me can hit 860's.
I can vouch for the AP-AC-LR - I'm using one with my old router (way down in the basement) and it's really improved the wifi situation. It this case I pretty much just told it the SSID & password of the existing router and that was it.
I have the R6400 - there's some magic address (like mynetgearrouter.net or something) which the router will use for itself so you don't need to know the ip address. If you can get dhcp and type that in, you can start to configure it. Makes a lot of sense really if you're trying to make things easy for the masses.
I had a problem with a Netgear router not being able to remember DHCP to MAC assignments. This was a problem in the version of dnsmasq baked into the firmware, but that had been fixed in the current version of dnsmasq. So I called up technical support to ask if there was a later version of the firmware, or source code I could rebuild from. After about 40minutes of going through a completely useless script. ("No I won't click the start button, Debian doesn't have one, you insensitive clod.") I gave up and eBay'd the paperweight. No more Netgear for me.
Red to red, black to black. Switch it on, but stand well back.
"the problem is in the firmware"
OpenWRT firmware contains a Linux kernel.
I've sorta seen the the same thing. I've been using DD-WRT on Linksys access points for years. I don't use them for my router, I have a pfSense box for that.....the Linksys is strictly for wifi. I recently upgraded from a Linksys E3000 to a WRT1200AC so that I could upgrade from 802.11N to AC. The first thing I did was install DD-WRT on it.
The thing would have a hard-crash about half-way through streaming a 2-hour Netflix movie. I didn't have these problems with the E3000, so my first thought was that it was a problem with the WRT1200AC....but I don't have these problems when putting the stock firmware back on it.
I need to revisit it and see if there are some settings I need to play with in DD-WRT, but there is something to be said about the stock firmware that "just works".
If you post as Anonymous Coward, don't expect a reply.
1.0.5.48_1.1.79 is vulnerable. As I had one laying around, plugged it in and it would execute code when I shot it the url.
Updated to V1.0.7.2_1.1.93 also vulnerable.
http://router-address/cgi-bin/...'
Kills the httpd demon and doesn't allow remote execution (or web management) until rebooted, where router-adress is the netgear. That is work around enough.
Yeah, that set-up is easy peasy phone app.
I had to install their app on a computer, and I think I need the same computer to update setting for anything past that.
I have 3 vlans, one for a VPN, one for normal use, and one unencrypted for guest access (simply so they don't need to ask the password), and I assume neighbor access too.
The very basic setup, one access point, one SSID can be done from a phone.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Good to know.
I wonder if I'll ever get access to that speed (honestly, it seems unlikely, it's taken 3 years to get 15-25 mbps), hopefully by the time I do it will be only $50 for a router that can handle it though.
If you have any WiFi coverage problems, I'd still highly recommend a Unifi or two.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Totally, I use 3 Unifi AC access points currently.
1 on the first floor
1 on the second floor
1 in the garage faced out to the back yard so the deck gets wifi.
I also use their cloud controller, it all works rather well.
Thanks. Having a look at Asus VPN routers now.
Is the close controller the thing the call the "cloud key "?
What exactly does that do? The website is not very clear to me
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Netgear published on 12/13/2016 a beta firmware which claims to address the issue (haven't tested). As of this moment, the router will not, by default, prompt installation of beta firmware. http://kb.netgear.com/00003645...
Basically it runs the Unifi controller on a tiny PoE device. The reason they call it 'cloud' is because they have a portal site you can use to access it anywhere in the world (if you enable it). But basically just a simple way to run the unifi controller.
Rather than on a computer, so it's always there basically?
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
You got it.