Slashdot Mirror


Netgear Releases 'Beta' Patches For Additional Routers Found With Root Vulnerability (netgear.com)

The Department of Homeland Security's CERT issued a warning last week that users should "strongly consider" not using some models of NetGear routers, and the list expanded this week to include 11 different models. Netgear's now updated their web page, announcing eight "beta" fixes, along with three more "production" fixes. chicksdaddy writes: The company said the new [beta] firmware has not been fully tested and "might not work for all users." The company offered it as a "temporary solution" to address the security hole. "Netgear is working on a production firmware version that fixes this command injection vulnerability and will release it as quickly as possible," the company said in a post to its online knowledgebase early Tuesday.

The move follows publication of a warning from experts at Carnegie Mellon on December 9 detailing a serious "arbitrary command injection" vulnerability in the latest version of firmware used by a number of Netgear wireless routers. The security hole could allow a remote attacker to take control of the router by convincing a user to visit a malicious web site... The vulnerability was discovered by an individual...who says he contacted Netgear about the flaw four months ago, and went public with information on it after the company failed to address the issue on its own.

26 comments

  1. Fail by Joce640k · · Score: 1

    ...says he contacted Netgear about the flaw four months ago, and went public with information on it after the company failed to address the issue on its own.

    How many times...?

    It's time to reinstate public hangings for this offense, IMHO.

    --
    No sig today...
    1. Re:Fail by Billly Gates · · Score: 1

      Notice DNSChanger impacting 1 in 5 restaurants and tens of millions of people before they came out with a fix?

  2. People still buy Netgear? by Anonymous Coward · · Score: 0

    Why are people still buying this crap? Netgear demonstrated that they are willing to cover up a backdoor, not remove it and be sorry for it, but HIDE IT BETTER!

    1. Re: People still buy Netgear? by buchanmilne · · Score: 1

      I have used a Netgear before (ISP-supplied DSL modem), but I always:
      - Use a non-default subnet on the LAN where user devices reside
      - Use a generic linux distribution that receives regular updates as the internet gateway (running the PPPoE session, recursive DNS and DHCP etc. from the Linux instance)
      - Isolate the modem from the user devices (since it is not the gateway) if it isn't required as the AP as well

      Of course, this isn't a complete solution nor one that is suitable for most end users, and costs more than using an all-in-one solution, but avoids easy attacks that work against most users.

    2. Re:People still buy Netgear? by SEE · · Score: 1

      Well, I bought "this crap" (that is, a Netgear router) because it was a dual-band AC router, supported by my favored third-party firmware, on sale for under $60.

      I didn't give a crap about any deficiencies in the native firmware because I was using my own.

  3. Lack of trusted options conveniently available? by raymorris · · Score: 1

    I've been doing network security professionally for 20 years, and my primary home router is a Netgear. Your post prompted me to ask "why do *I*, knowing better, run a Netgear?"

    When my last router died, I didn't want to wait a week to have an OpenWRT based router from inet.com delivered. I wanted to get back online right away. I didn't want to pay for an up-to-date Cisco ASA, including additional fees for feature licenses. So like most people I went to the store and bought something available right away. If one of the routers on the shelf was labeled "Security Certified by US-CERT", I probably would have bought it. There are no such labels on the packages. The choices to get back online today are pretty much:
    Netgear
    Linksys
    Random off-brand

    It's hard to know that one of those is clearly better than the others. Obviously Netgear and Linksys have advantages over off-brand stuff.

    What I probably should have done, and in fact tried to do, was install OpenWRT on an available Linksys or Netgear that works very well with OpenWRT, using a mainstream build that is updated regularly. Unfortunately the OpenWRT web site doesn't make it easy to figure out which models are best, which ones "just work" without annoying little issues. So I had a router which will boot OpenWRT, but who knows whether it works smoothly and reliably.

    Also, in order to make sure the hardware even works properly, I had to set it up with the default firmware first, in case I needed to return it. So I have a router that's working fine with the default firmware. Of the 450 items on my TODO list, "install OpenWRT" isn't top priority. I'd like to get that done, but I have probably 40 other tasks with higher priority to do first.

    Possible solutions therefore include a reputable security certification on routers that are actually available in stores, or a clear list of "10 well supported routers for 2016" for the reliable firmware projects.

    Anybody here a writer? A guide to which router to buy for *wrt could be popular with a lot of nerds.

    1. Re:Lack of trusted options conveniently available? by TheGratefulNet · · Score: 4, Informative

      search on mcdebian for linksys wifi router.

      it's real debian, with apt-get update and all that. to me, it's far better than openwrt.

      you use a usb thumbdrive as the root fs and you flash the os bootloader to system flash.

      it's not well known, but maybe it should be.

      --
      "It is now safe to switch off your computer."
    2. Re:Lack of trusted options conveniently available? by Anonymous Coward · · Score: 0

      Seriously, anything other than Netgear and Linksys is "random off-brand"? Just reflash nearly anything off the shelf with OpenWRT, or try Ubiquiti if you're lazy, hell, even Mikrotik if you trust them and don't want to spend anything. It doesn't take too long to do for a professional (which apparently you are) and the benefits of securing your own network should be obvious to someone "doing network security professionally for 20 years", even if it's to stop your own equipment being used in other attacks.

    3. Re:Lack of trusted options conveniently available? by Woldscum · · Score: 1

      I started with a wrt54g and DD WRT like everyone else. Then a Buffalo Networks N with factory DD WRT that died from a cracked board around the power plug. I went with a R7000 and always meant to flash DD WRT on it. I finally did. Two big issues with DD WRT on the R7000. It kills the WAP button on the router. No big deal until I realized my Canon MG3200 printer will not/can not connect to a wireless network without WAP. DD WRT also DOES NOT support the USB3 port on the front of the router. So that is dead. I was able to connect the printer to the USB2 port on the back of the router. And add the printer as a TCP/IP printer (192.168.1.1). Then let Windows printer installer find it. BUT going this route kills Apple Air Print and the printer goes to sleep and needs to be powered on to use it.

    4. Re:Lack of trusted options conveniently available? by mtaht · · Score: 1

      The five most commonly used routers in the bufferbloat project for reflashing with lede are:
      - low end: netgear wndr3800
      - less low end: tp-link archer c7v2
      - midrange: ubntlite, edgerouter
      - higher end: apu2 + ath9k and ath10 wifi cards

      The turris omnia is becoming worth looking at, also.

    5. Re:Lack of trusted options conveniently available? by un1nsp1red · · Score: 1

      There may be better options, but (at least some) Asus routers come with DD-WRT out of the box. My Asus RT-N66R (no AC and due for replacement, but it's still solid) runs DD-WRT and still receives regular firmware updates all these years later. It's also relatively easy to switch to other variants (e.g., Tomato). I'm moving to a new house and have been wanting to give Ubiquiti products a try, but if I had a similar situation where I wanted to get back up and running with as little downtime as possible, I'd definitely pick up another Asus.

    6. Re:Lack of trusted options conveniently available? by Billly Gates · · Score: 1

      Asus has been in the news often this year on security holes in their routers. Go Google it? I purposely avoided them and bought a Linksys ac1900 which are their modern version of the WRT of last decade. It supports Tomato.

    7. Re:Lack of trusted options conveniently available? by Anonymous Coward · · Score: 0

      The Netgear Centria models came with openwrt installed. That was a major deciding factor for me.

    8. Re:Lack of trusted options conveniently available? by un1nsp1red · · Score: 1

      I looked, but I don't see anything recent. It's still getting regular patches and I don't use whatever 'cloud thing' some of the older posts mentioned. Anyway, are we talking hardware or software vulnerabilities? If it's in unpatched software, I don't see how different hardware is going to make a difference.

  4. Beta firmware... by webmistressrachel · · Score: 1

    ...well at least if the firmware bricks your router, the hole will be closed... and no further data can get off your LAN onto the WAN via the fixed router...

    --
    This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
  5. Dave Taht (of bufferbloat fame) has a better idea by davecb · · Score: 1

    reflashing with openwrt/lede/dd-wrt, https://plus.google.com/107942...

    --
    davecb@spamcop.net
  6. Non-default network is a great idea (I do that) by raymorris · · Score: 1

    Switching the router to use something other than 192.168.1.0 sure is easy, and will stop many attacks which hardcode 192.168.1.1. That's a great idea.

  7. DNSChanger type attacks = nullified by hosts by Anonymous Coward · · Score: 0

    See subject & 2 ways: 1st by bypassing DNS + all its security issues altogether for your favorite sites you make 'hardcoded' @ top of hosts & secondly by NOT LETTING YOU GET THESE bogus machinations IN THE 1st PLACE BY BLOCKING ACCESS TO THEM (or phish email links for 'targeted attacks').

    * FACT!

    (Your IP stack bypasses routers since it gets requests 1st & since you don't NEED dns for your favorite sites? There ya go - DIRECT - plus again, can't be harmed by what you can't touch (or when it can't touch you) so hosts blocking facilities make my claims here reality...)

    APK

    P.S.=> For the BEST custom hosts file creation system (for more speed, security, reliability & anonymity using what you already NATIVELY have that does FAR more for FAR less)? APK Hosts File Engine 9.0++ SR-4 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ ... apk

  8. Stupid question from non techie.. by Anonymous Coward · · Score: 0

    I have a n600 (v2) old router from net gear, after first reading here about the problems, I did some research last week and installed dd-wrt on it. I also bridged the dsl modem (live in the sticks, no other option).

    Am I protected now, or do these exploits still work because I am using the net gear router?

  9. Does the firewalling router have DNS settings? by Anonymous Coward · · Score: 0

    See subject: Use 'em (& if it has no known firmware security issues) I don't see why not. DSL modem's a "dummy passthru" now so the "REAL BRAIN" is your firewalling router w/ your modem in bridged mode.

    APK

    P.S.=> That'd be MY take on it & why - others may disagree but I'd like to see their justifications vs. what I just stated... apk

  10. Netgear could improve. Improving would be easy. by Futurepower(R) · · Score: 2

    My extensive post to a previous story about Netgear, hoping to help Netgear improve: The end of Netgear?

  11. Avast was alerting to this by Sir Foxx · · Score: 1

    I had a NG 3800 for a long time and Avast started alerting to vulnerability thru its network scan. NG was no longer supporting the 3800, so I used Avast workaround for a bit, but this year upgraded to the NG Nighthawk 1750 AC 6700, thinking that since it was supported by NG and relatively newish router, that they had fixed the problem. Lo and behold, same alert came up through Avast. I contacted NG about it and was told that it was a false alert by Avast. Contacted Avast and they told me that NG is lying. Used the firmware patch yesterday and now Avast says my Network is SECURE and no problems. NG can fuck themselves. Is it difficult to flash the DD WRT to this router? (I'll research this myself also). And are there any tips anyone has for me, when doing this?

    --
    "I don't know which is worse, that everyone has a price, or that the price is always so low"--Hobbes
  12. Serious? by Anonymous Coward · · Score: 0

    There is no way this could happen, it's netgear. If people are still using this old piece of shit hardware you should hand me your wallet and purses, it's safer

  13. Archaic by Anonymous Coward · · Score: 0

    I won't even allow netgear on my network, at home or at work. Too slow. And how can this be news?

  14. Netgear VPN still has non-resettable keys by DigitAl56K · · Score: 1

    I have found Netgear to be no worse than any other consumer router manufacturer, and better than several. Many manufacturers have had similar vulnerabilities in recent years, at least they have (finally) responded, albeit under the perception that it is perhaps due to the bad press.

    That said, I'm posting here to call them out for STILL not having any means to generate fresh VPN keys on their routers. If your VPN profile security was ever in question there is nothing you could do about it short of buying a new router. And frankly, since you have no idea about the state of the keys that came from the factory, it should be.

    Netgear, please add a button to the web console to generate new VPN keys with a decent key size, and make sure the old ones are wiped/revoked.

  15. 80% solution by Anonymous Coward · · Score: 0

    I worked with Pat Lazar, Netgear's Director of Engineering, at an earlier employer of his. He was known around the company as an "80% guy" who also thought he was the smartest guy in the room. Basically, he'd bang out an 80% solution quickly and then move on. Good for iOS apps and TV remote controls, not good for high-availability systems and security-critical devices like routers. Guess the corporate culture mirrors his own approach to engineering... sigh...