Slashdot Mirror


Vulnerability Prompts Warning: Stop Using Netgear WiFi Routers (securityledger.com)

"By convincing a user to visit a specially crafted web site, a remote attacker may execute arbitrary commands with root privileges on affected routers," warns a new vulnerability notice from Carnegie Mellon University's CERT. Slashdot reader chicksdaddy quotes Security Ledger's story about certain models of Netgear's routers: Firmware version 1.0.7.2_1.1.93 (and possibly earlier) for the R7000 and version 1.0.1.6_1.0.4 (and possibly earlier) for the R6400 are known to contain the arbitrary command injection vulnerability. CERT cited "community reports" that indicate the R8000, firmware version 1.0.3.4_1.1.2, is also vulnerable... The flaw was found in new firmware that runs the Netgear R7000 and R6400 routers. Other models and firmware versions may also be affected, including the R8000 router, CMU CERT warned.

With no workaround to the flaw, CERT recommended that Netgear customers disable their wifi router until a software patch from the company that addressed the hole was available... A search of the public internet using the Shodan search engine finds around 8,000 R6450 and R7000 devices that can be reached directly from the Internet and that would be vulnerable to takeover attacks. The vast majority of those are located in the United States.

Proof-of-concept exploit code was released by a Twitter user who, according to the article, said "he informed Netgear of the flaw more than four months ago, but did not hear back from the company since then."

25 of 147 comments

  1. Netgear *firmware* by c · · Score: 5, Insightful

    Stop using Netgear firmware. I operate under the assumption that the stock firmware on any consumer wireless device is probably a bug-riddled privacy disaster and replace it with something sane ASAP.

    Obviously, that sucks for people who can't dabble in firmware replacements, but there's a limit to what I can fix...

    --
    Log in or piss off.
    1. Re:Netgear *firmware* by MeanE · · Score: 4, Informative

      Just grab anything on this list.

      https://advancedtomato.com/dow...

    2. Re: Netgear *firmware* by corychristison · · Score: 2

      Get your ISP to put your modem/gateway into bridge mode, and put your own router between your equipment and their equipment.

    3. Re: Netgear *firmware* by corychristison · · Score: 3, Interesting

      I have built my own router in the past, and I ran pfSense.

      I used a Jetway dual gig-nic VIA-based board. I can't recall the exact model. This was back in 2007/2008 or so.

      I had one NIC for the WAN, the other for the LAN where I used an 8-port gigabit switch.

      It worked well. At the time driver support for wireless cards (for a wireless access point) was basically non-existent so that was one limitation. When we started getting wireless devices in our home (blackberries at the time) we decided we should upgrade the network.

      Another problem is power consumption. The whole setup used around 100W.

      There are the Alix boards with multiple NICs built in, still x86 based and easy to procure that use way less power these days. If I had to do it again, this is the route I would go.

      The new higher end routers these days do offer a great value. Just do your research as to which can be flashed to Tomato/DD-WRT/OpenWRT/etc. and at least you have some control over them.

    4. Re:Netgear *firmware* by raymorris · · Score: 3, Interesting

      > In a VM though. At least that will lower the chance of potential attack vectors considerably even if a program in said VM were shit on.

      If you run your firewall / router in a VM, that means there's a physical box hosting it which is physically plugged directly into the internet, unprotected by the firewall. I'm not saying it can't be done reasonably safely, but that's certainly not my preference.

      > So, in conclusion, I'll buy an OpenWRT-compatible router and flash it on because I am lazy. :)

      Yep. I've been doing network security full time for almost twenty years and I would (and do) use OpenWRT, not only because I'm lazy, but because that's a team of people building something specifically for that role. Even with 20 years of security experience, I could overlook something regarding security and nobody would be checking my work.

      I may switch to a Cisco ASA as my first line of defense, though. I happen to have one for lab purposes. I'm not sure I want to deal with Cisco's licensing keeping the thing updated and doing everything I want it to do, though.

    5. Re: Netgear *firmware* by corychristison · · Score: 2

      I've never had a situation where it wasn't possible.

      Just this past week I argued with the tech that came to initialize my service after switching ISPs. Sure enough after calling back to his support center, they were able to do it for him remotely. After a power cycle it worked, and still works great now. So it's entirely possible if someone tells you it's not possible, there is a very good chance the tech you have just doesn't know how.

      If you have a service with IPTV then maybe it's a little more complicated, but certainly still possible as I did it when I had television service 7 or 8 years ago.

  2. Re:Time for OpenWRT? by ArchieBunker · · Score: 2

    I tried OpenWRT on a cheap TP-LINK wifi router. While the feature set was impressive, it could barely manage 1/3 the throughput of the stock firmware.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  3. Re:Time for OpenWRT? by Nemyst · · Score: 2

    The R7000 (which I own) supports DD-WRT very well, so it's just a matter of installing that.

  4. Re:Good advice by Z00L00K · · Score: 2

    And it may have been utilized by malware for a long time before that.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  5. OR Try This by rotorbudd · · Score: 4, Informative

    Asuswrt-Merlin on Netgear R7000

    I've been using this for several months.

    http://www.linksysinfo.org/ind...

    Just about everything that's on the ASUS routers runs on the Netgear.

    --
    A bullet may have your name on it, but artillery is addressed to " Whom It May concern"
    1. Re:OR Try This by fedux · · Score: 2

      Asuswrt-Merlin (or XWRT or Cross-WRT) is *CLOSED SOURCE*. It's a port to the R7000 based on the open source from RMerlin, but the author of the port is refusing to provide the sources. I've contacted him and almost got him to release the source, but he later changed his mind and he's refusing to do it. That is clearly a GPL violation, and even though I've asked him for his reasons for refusing to release the source code, he didn't say.

  6. Anyone have any more info? by Solandri · · Score: 2

    There are a helluva lot more than 8000 Netgear routers on the Internet, which implies the vulnerability requires you to enable remote (WLAN) admin access on the router for it to be exploited externally. But neither link clarifies if this is the case.

    You'd still be vulnerable from the LAN side, particularly if someone using your Internet clicks a link with the default IP address of the router coded into the URL. But the first thing I do when I get a new router is change the default IP address precisely to prevent this sort of thing, and to avoid complications from subnet address collisions when setting up VPNs. Usually something in the 10.x.x.x block.

  7. I immediately thought of OpenWRT by Bruce+Perens · · Score: 5, Interesting

    Yes, I immediately thought of OpenWRT, which I run on Netgear, Linksys, and other companies' routers. I buy them brand-new and flash them before placing them in service.

  8. Re:Time for OpenWRT? by JonathanP.Bennett · · Score: 5, Informative

    > I tried OpenWRT on a cheap TP-LINK wifi router. While the feature set was impressive, it could barely manage 1/3 the throughput of the stock firmware.

    This is absolutely accurate. The reason is that the stock firmware enables hardware accelerated NAT in the switch chip. This isn't yet supported in the Linux kernel, so no support in Openwrt.

  9. Re:I've got an R8000 by AvitarX · · Score: 5, Informative

    Just go "enterprise", I got one of these https://www.ubnt.com/unifi/uni... with one of these https://www.ubnt.com/edgemax/e... for $150 or so total, it really lights up my whole house, doesn't have lots of network names for different wireless frequencies, easily isolated guest network, super long range, and if I really wanted, I could add an outdoor one and light up my backyard too.

    It wasn't perfect (you need a computer with some weird java app to set up and update the setup), but overall, I'm very happy with my results, and it didn't cost me much extra over a mid-range router ($150 vs $75).

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  10. http://<router_IP>/cgi-bin/;COMMAND by Anonymous Coward · · Score: 2, Funny

    Are you fucking kidding me?

  11. The end of Netgear? by Futurepower(R) · · Score: 5, Informative

    I sent this to Netgear management, trying to be helpful. There was no answer:

    The end of Netgear? Negative reviews about Netgear products act as powerful negative advertising. When people want to buy computer hardware, they read the reviews on Amazon and Newegg. A large percentage of the reviews of Netgear routers are extremely negative.

    Below are links to extremely negative reviews: 1) 14 extremely negative Amazon reviews and 2) 11 Netgear Forum requests for help that were ignored.

    The negative reviews reflect 3 very serious issues:

    1) Netgear does not publish sufficient information about how to configure its equipment, so many customers have severe difficulties.

    2) Netgear's equipment is, in some ways, badly designed. Users with experience with other manufacturers don't imagine that the electronic design of Netgear products makes the products so complicated to configure.

    3) Customers who post problems on the Netgear Forum often receive no help.

    Solutions

    There is an easy, quick solution: Netgear must communicate clearly. There is a long-term solution: Netgear needs to hire electronics engineers and programmers who eliminate the design problems.

    Benefits

    Sales will be much easier if Netgear becomes better at communicating. Anyone holding Netgear stock will benefit from improvements in ease of configuration of Netgear products. Netgear will be easier to manage if there is better coordination.

    I spent many hours trying to configure our Netgear routers. Eventually I found a review on Amazon that told how to correct the problem. I was trying to configure 4 FVS336Gv2 routers. (We own 8.) They worked very well for a few hours, and then dropped connections.

    I've discovered there are many other people with the same problem. I posted 2 messages on the Netgear Forum and received no reply. My experience with older Netgear routers is that they have configuration issues also, but are easier to configure than the newer routers.

    I'm an electronics design engineer and programmer. This article is a volunteer effort to try to get Netgear to improve communication with customers, so that my company will not need to change our operations to use hardware from another manufacturer.

    One example of poor communication: Customers are not told of the unusual methods necessary to make Netgear equipment work. See this example from an Amazon review:

    > Be advised, Netgear Tech Support STRONGLY recommends doing a factory reset both before AND after upgrading to new firmware. ... IMHO, some of the complainers either didn't reset before and after or didn't correctly upgrade their firmware.

    That indicates that there is no internal mechanism to prevent faulty installation of firmware.

    The instructions that come with the firmware say nothing about resetting before and after.

    Customers imply that Netgear makes configuration difficult so that Netgear can charge for help. Configuration help is free for 90 days. After that Netgear charges for help. Making configuration difficult and not intuitive apparently, judging from what customers say, is a way of making more money.

    Other ideas from customer reviews:

    1) The plug-in power supplies sometimes don't provide enough power.

    2) Some Netgear routers require 4 minutes to re-start after the power is off.

    3) Some Netgear routers must be turned off for at least 2 minutes before re-starting. (That indicates that the design lacks a resistor to drain the power supply capacitor quickly after the router is unplugged.)

    4) Question: How long must the "Factory Defaults" switch be pressed before the return to factory co

    1. Re:The end of Netgear? by eclectro · · Score: 2

      This has been going on for decades. What they will do is string a customer along until they EOL the hardware so they do not have to fix the firmware problem anymore and move on to making the next piece of crap. Really people, there is ZERO reason you should be buying anything with the Netgear name new *or* used. An attorney general somewhere needs to make an example of them.

      --
      Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
  12. R8000 by paul.lavoie · · Score: 2

    My R8000 running V1.0.3.4_1.1.2 (latest available) is vulnerable from the inside. However my inside network does not use the 192.x.x.x address space so good luck figuring out my inside interface IP.

  13. Re:Malicious Website? by sumdumass · · Score: 2

    This isn't a java/javascript or browser exploit.

    It works by being able to send commands directly to the router as part of a url request. The router's web interface will process it unauthenticated as root.

    I'm not sure how the malicious website would exploit it outside of presenting a link for you to click on as my understanding of web programming is limited to basic html and I need a cheat sheet at that. But it appears that this is within the web server inside the router so killing it off would negate the issue. But on that hand, you would have to reboot the router to log into the web page to administrate it. Alternatively, you likely could ssh or telnet into it and do it from a command shell if the ports are open.

    Here is someone who has illustrated it a bit by using the exploit to disable the web server as a temporary fix.

    http://www.sj-vs.net/a-tempora...
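
A defender's check for the request shape quoted in this thread (a `;` directly after `/cgi-bin/`), run over web proxy logs. This is an added example, not part of any comment or of CERT's or Netgear's material; the four-field log format and every sample line are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed sample proxy log (not real traffic): client method url referer
SAMPLE_LOG = """\
10.20.0.15 GET http://10.20.0.1/cgi-bin/;COMMAND http://example.test/page.html
10.20.0.15 GET http://10.20.0.1/cgi-bin/%3BCOMMAND -
10.20.0.15 GET http://10.20.0.1/cgi-bin/%253BCOMMAND http://example.test/x
10.20.0.22 GET http://10.20.0.1/start.htm -
10.20.0.22 GET http://example.test/cgi-bin/search;lang=en -
"""

INJECT_RE = re.compile(r"/cgi-bin/;")  # ';' directly after /cgi-bin/

def fully_unquote(path, max_rounds=3):
    """Undo nested percent-encoding so %3B and %253B both become ';'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_lan_address(host):
    """True for private-range IP literals; hostnames are not resolved."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False

def scan(log_text):
    """Return one finding per request whose decoded path matches INJECT_RE."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # not in the assumed four-field format
        client, _method, url, referer = parts
        target = urlsplit(url)
        if not INJECT_RE.search(fully_unquote(target.path)):
            continue
        ref_host = None if referer == "-" else urlsplit(referer).hostname
        findings.append({
            "client": client,
            "lan_target": is_lan_address(target.hostname or ""),
            "cross_site": ref_host is not None and ref_host != target.hostname,
        })
    return findings
```

A finding with both `lan_target` and `cross_site` set is the case the CERT notice describes: a page on another site made a LAN client send the request to the router.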

  14. Re:WRT54GL by LVSlushdat · · Score: 2

    DDWRT-I still have a WRT54GL in use as wireless bridge. I have several machines in the living room that don't do wifi, and I didn't want to run Cat5/6 out there so I set my old faithful WRT54GL up as a wireless bridge.. Works peachy..

    --
    THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
  15. Re:Solution: install open source firmware by bigbang137 · · Score: 2

    Does it support all the bells and whistles of the Netgear firmware? Or at least the ones having to do with wifi configuration? Is it at least just as stable with a large number of high-bandwidth clients? Is 802.11ac supported well?

  16. The reason I have Cisco and Juniper firewalls by raymorris · · Score: 4, Interesting

    I have a stack of Cisco and Juniper firewalls and routers, ASAs and ISRs. The reason I have them hooked up right now is I'm writing scripts to detect and exploit (at POC level) various vulnerabilities in them.

    Some of the vulnerabilities have fixes available, some don't. There are reasons to spend a hundred times as much on a Cisco, but security isn't a very strong reason, compared to OpenWRT. I actually trust OpenWRT more than I trust my Cisco ASA, based on my twenty years of experience.

  17. Netgear Issue page for CVE-2016-582384 by virtigex · · Score: 2

    Netgear's ongoing response to this issue is at http://kb.netgear.com/00003638...

  18. Re:I've got an R8000 by asvravi · · Score: 2

    After trying all of the consumer routers and even Ubiquiti Unifi, I finally settled on RouterBoard. Better performance/price ratio compared to even Ubiquiti, with fine grained control over how it operates. Can be set up with a desktop application or a direct web interface. Rock solid setup and operation. This one is basically a wireless router, so it can be configured as your main router. But at just about $120, it is inexpensive enough to be configured and used for additional wireless access points spread across the house.