Slashdot Mirror
Vulnerability Prompts Warning: Stop Using Netgear WiFi Routers (securityledger.com)
"By convincing a user to visit a specially crafted web site, a remote attacker may execute arbitrary commands with root privileges on affected routers," warns a new vulnerability notice from Carnegie Mellon University's CERT.
Slashdot reader chicksdaddy quotes Security Ledger's story about certain models of Netgear's routers:
Firmware version 1.0.7.2_1.1.93 (and possibly earlier) for the R7000 and version 1.0.1.6_1.0.4 (and possibly earlier) for the R6400 are known to contain the arbitrary command injection vulnerability. CERT cited "community reports" that indicate the R8000, firmware version 1.0.3.4_1.1.2, is also vulnerable... The flaw was found in new firmware that runs the Netgear R7000 and R6400 routers. Other models and firmware versions may also be affected, including the R8000 router, CMU CERT warned.
With no work around to the flaw, CERT recommended that Netgear customers disable their wifi router until a software patch from the company that addressed the hole was available... A search of the public internet using the Shodan search engine finds around 8,000 R6450 and R7000 devices that can be reached directly from the Internet and that would be vulnerable to takeover attacks. The vast majority of those are located in the United States.
Proof-of-concept exploit code was released by a Twitter user who, according to the article, said "he informed Netgear of the flaw more than four months ago, but did not hear back from the company since then."
With no work around to the flaw, CERT recommended that Netgear customers disable their wifi router until a software patch from the company that addressed the hole was available... A search of the public internet using the Shodan search engine finds around 8,000 R6450 and R7000 devices that can be reached directly from the Internet and that would be vulnerable to takeover attacks. The vast majority of those are located in the United States.
Proof-of-concept exploit code was released by a Twitter user who, according to the article, said "he informed Netgear of the flaw more than four months ago, but did not hear back from the company since then."
Stop using Netgear firmware. I operate under the assumption that the stock firmware on any consumer wireless device is probably a bug riddled privacy disaster and replace it with something sane ASAP.
Obviously, that sucks for people who can't dabble in firmware replacements, but there's a limit to what I can fix...
Log in or piss off.
Asuswrt-Merlin on Netgear R7000 I've been using this for several months. http://www.linksysinfo.org/ind... Just about everything that's on the ASUS routers runs on the Netgear.
A bullet may have your name on it, but artillery is addressed to " Whom It May concern"
Yes, I immediately thought of OpenWRT, which I run on Netgear, Linksys, and other companies routers. I buy them brand-new and flash them before placing them in service.
Bruce Perens.
I tried OpenWRT on a cheap TP-LINK wifi router. While the feature set was impressive, it could barely manage 1/3 the throughput of the stock firmware.
This is absolutely accurate. The reason is that the stock firmware enables hardware accelerated NAT in the switch chip. This isn't yet supported in the Linux kernel, so no support in Openwrt.
Just go "enterprise", I got one of these https://www.ubnt.com/unifi/uni... with one of these https://www.ubnt.com/edgemax/e... for $150 or so total, it really lights up my whole house, doesn't have lots of network names for different wireless frequencies, easily isolated guest network, super long range, and if I really wanted, I could add an outdoor one and light up my backyard too.
It wasn't perfect (you need a computer with some weird java app to seup and update the setup), but overall, I'm very happy with my results, and it didn't cost me much extra over a mid-range router ($150 vs $75).
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
The end of Netgear? Negative reviews about Netgear products act as powerful negative advertising. When people want to buy computer hardware, they read the reviews on Amazon and Newegg. A large percentage of the reviews of Netgear routers are extremely negative.
Below are links to extremely negative reviews: 1) 14 extremely negative Amazon reviews and 2) 11 Netgear Forum requests for help that were ignored.
The negative reviews reflect 3 very serious issues:
1) Netgear does not publish sufficient information about how to configure its equipment, so many customers have severe difficulties.
2) Netgear's equipment is, in some ways, badly designed. Users with experience with other manufacturers don't imagine that the electronic design of Netgear products makes the products so complicated to configure.
3) Customers who post problems on the Netgear Forum often receive no help.
Solutions
There is an easy, quick solution: Netgear must communicate clearly. There is a long-term solution: Netgear needs to hire electronics engineers and programmers who eliminate the design problems.
Benefits
Sales will be much easier if Netgear becomes better at communicating. Anyone holding Netgear stock will benefit from improvements in ease of configuration of Netgear products. Netgear will be easier to manage if there is better coordination.
I spent many hours trying to configure our Netgear routers. Eventually I found a review on Amazon that told how to correct the problem. I was trying to configure 4 FVS336Gv2 routers. (We own 8.) They worked very well for a few hours, and then dropped connections.
I've discovered there are many other people with the same problem. I posted 2 messages on the Netgear Forum and received no reply. My experience with older Netgear routers is that they have configuration issues also, but are easier to configure than the newer routers.
I'm an electronics design engineer and programmer. This article is a volunteer effort to try to get Netgear to improve communication with customers, so that my company will not need to change our operations to use hardware from another manufacturer.
One example of poor communication: Customers are not told of the unusual methods necessary to make Netgear equipment work. See this example from an Amazon review:
That indicates that there is no internal mechanism to prevent faulty installation of firmware.
The instructions that come with the firmware say nothing about resetting before and after.
Customers imply that Netgear makes configuration difficult so that Netgear can charge for help. Configuration help is free for 90 days. After that Netgear charges for help. Making configuration difficult and not intuitive apparently, judging from what customers say, is a way of making more money.
Other ideas from customer reviews:
1) The plug-in power supplies sometimes don't provide enough power.
2) Some Netgear routers require 4 minutes to re-start after the power is off.
3) Some Netgear routers must be turned off for at least 2 minutes before re-starting. (That indicates that the design lacks a resistor to drain the power supply capacitor quickly after the router is unplugged.)
4) Question: How long must the "Factory Defaults" switch be pressed before the return to factory co
I have a stack of Cisco and Juniper firewalls and routers, ASAs and ISRs. The reason I have them hooked up right now is I'm writing scripts to detect and exploit (at POC level) various vulnerabilities in them.
Some of the vulnerabilities have fixes available, some don't. There are reasons to spend a hundred times as much on a Cisco, but security isn't a very strong reason, compared to OpenWRT. I actually trust OpenWRT more than I trust my Cisco ASA, based on my twenty years of experience.