Netgear Releases 'Beta' Patches For Additional Routers Found With Root Vulnerability

The Department of Homeland Security's CERT issued a warning last week that users should "strongly consider" not using some models of NetGear routers, and the list expanded this week to include 11 different models. Netgear's now updated their web page, announcing eight "beta" fixes, along with three more "production" fixes. chicksdaddy writes: The company said the new [beta] firmware has not been fully tested and "might not work for all users." The company offered it as a "temporary solution" to address the security hole. "Netgear is working on a production firmware version that fixes this command injection vulnerability and will release it as quickly as possible," the company said in a post to its online knowledgebase early Tuesday.

The move follows publication of a warning from experts at Carnegie Mellon on December 9 detailing a serious "arbitrary command injection" vulnerability in the latest version of firmware used by a number of Netgear wireless routers. The security hole could allow a remote attacker to take control of the router by convincing a user to visit a malicious web site... The vulnerability was discovered by an individual...who says he contacted Netgear about the flaw four months ago, and went public with information on it after the company failed to address the issue on its own.

Fail

[Joce640k]

...says he contacted Netgear about the flaw four months ago, and went public with information on it after the company failed to address the issue on its own.

How many times...?

It's time to reinstate public hangings for this offense, IMHO.

Re:Fail

[Billly+Gates]

Notice DNSChanger impacting 1 in 5 restaurants and tens of millions of people before they came out with a fix?

Lack of trusted options conveniently available?

[raymorris]

I've been doing network security professionally for 20 years, and my primary home router is a Netgear. Your post prompted me to ask "why do *I*, knowing better, run a Netgear?

When my last router died, I didn't want to wait a week to have an OpenWRT based router from inet.com delivered. I wanted to get back online right away. I didn't want to pay for an up-to-data Cisco ASA, including additional fees for feature licenses. So like most people I went to the store and bought something available right away. If one of routers on the shelf was labeled "Security Certified by US-CERT", I probably would have bought it. There are no such labels on the packages. The choices to get back online today are pretty much:
Netgear
Linksys
Random off-brand

It's hard to know that one of those is clearly better than the others. Obviously Netgear and Linksys have advantages over off-brand stuff.

What I probably should have done, and in fact tried to do, was install OpenWRT on an available Linksys or Netgear that works very well with OpenWRT, using a mainstream build that is updated regularly. Unfortunately the OpenWRT web site doesn't make it easy to figure out which models are best, which ones "just work" without annoying little issues. So I had a router which will boot OpenWRT, but who knows whether it works smoothly and reliably.

Also, in order to make sure the hardware even works properly, I had to set it up with the default firmware first, in case I needed to return it. So I have a router that's working fine with the default firmware. Of the 450 items on my TODO list, "install OpenWRT" isn't top priority. I'd like to get that done, but I have probably 40 other tasks with higher priority to do first.

Possible solutions therefore include a reputable security certification on routers that are actually available in stores, or a clear list of "10 well supported routers for 2016" for the reliable firmware projects.

Anybody here a writer? A guide to which router to buy for *wrt could be popular with a lot of nerds.

Re:Lack of trusted options conveniently available?

[TheGratefulNet]

search on mcdebian for linksys wifi router.

its real debian, with apt-get update and all that. to me, its far better than openwrt.

you use a usb thumbdrive as the root fs and you flash the os bootloader to system flash.

its not well known, but maybe it should be.

Re:Lack of trusted options conveniently available?

[Woldscum]

I started with a wrt54g and DD WRT like everyone else. Then a Buffalo Networks N with factory DD WRT that died from a cracked board around the power plug. I went with a R7000 and always meant to flash DD WRT on it. I finally did. Two big issues with DD WRT on the R7000. It kills the WAP button on the router. No big deal until I realized my Cannon MG3200 printer will not/can not connect to a wireless network without WAP. DD WRT also DOES NOT support the USB3 port on the front of the router. So that is dead. I was able to connect the printer to the USB2 port on the back of the router. And add the printer as a TCP/IP printer (192.168.1.1). Then let windows printer installer find it. BUT going this route kills Apple Air Print and the printer goes to sleep and needs to be powered on to use it.

Re:Lack of trusted options conveniently available?

[mtaht]

The five most commonly used routers in the bufferbloat project for reflashing with lede are: low end: netgear wndr3800 less low end: tp-link archer c7v2 midrange: ubntlite, edgerouter higher end: apu2 + ath9k and ath10 wifi cards The turris omnia is becoming worth looking at, also.

Re:Lack of trusted options conveniently available?

[un1nsp1red]

There may be better options, but (at least some) Asus routers come with DD-WRT out of the box. My Asus RT-N66R (no AC and due for replacement, but it's still solid) runs DD-WRT and still receives regular firmware updates all these years later. It's also relatively easy to switch to other variants (e.g., Tomato). I'm moving to a new house and have been wanting to give Ubiquiti products a try, but if I had a similar situation where I wanted to get back up and running with as little downtime as possible, I'd definitely pick up another Asus.

Re:Lack of trusted options conveniently available?

[Billly+Gates]

Asus has been in the news often this year on security holes in their routers. Go Google it? I purposely avoided them and bought a Linksys ac1900 which are their modern version of the WRT of last decade. It supports Tomato

Re:Lack of trusted options conveniently available?

[un1nsp1red]

I looked, but I don't see anything recent. It's still getting regular patches and I don't use whatever 'cloud thing' some of the older posts mentioned. Anyway, are we talking hardware or software vulnerabilities? If it's in unpatched software, I don't see how different hardware is going to make a difference.

Re: People still buy Netgear?

[buchanmilne]

I have used a Netgear before (ISP-supplied DSL modem), but I always:
- Use a non-default subnet on the LAN where user devices reside
- Use a generic linux distribution that receives regular updates as the internet gateway (running the PPPoE session, recursive DNS and DHCP etc. from the Linux instance)
- Isolate the modem from the user devices (since it is not the gateway) if it isn't required as the AP as well

Of course, this isn't a complete solution nor one that is suitable for most end users, and costs more than using an all-in-one solution, but avoids easy attacks that work against most users.

Beta firmware...

[webmistressrachel]

...well at least if the firmware bricks your router, the hole will be closes... and no further data can get off your LAN onto the WAN via the fixed router...

Re:People still buy Netgear?

[SEE]

Well, I bought "this crap" (that is, a Netgear router) because it was a dual-band AC router, supported by my favored third-party firmware, on sale for under $60.

I didn't give a crap about any deficiencies in the native firmware because I was using my own.

Dave Taht (of bufferbloat fame) has a better idea

[davecb]

reflashing with openwrt/lede/dd-wrt, https://plus.google.com/107942...

Non-default network is a great idea (I do that)

[raymorris]

Switching the router to use something other than 192.168.1.0 sure is easy, and will stop many attacks which hardcode 192.168.1.1. That's a great idea.

Netgear could improve. Improving would be easy.

[Futurepower(R)]

My extensive post to a previous story about Netgear, hoping to help Netgear improve: The end of Netgear?

Avast was alerting to this

[Sir+Foxx]

I had a NG 3800 for a long time and Avast started alerting to vulnerability thru it's network scan. NG was no longer supporting the 3800, so I used Avast workaround for a bit, but this year upgraded to the NG Nighthawk 1750 AC 6700, thinking that since was supported by NG and relatively newish router, that they had fixed the problem. Lo and behold, same alert came up through Avast. I contacted NG about it and was told that it was a false alert by Avast. Contacted Avast and they told me that NG is lying. Used the firmware patch yesterday and now Avast says my Network is SECURE and no problems. NG can fuck themselves. Is it difficult to flash the DD WRT to this router?(I'll research this myself also). And is there any tips anyone has for me, when doing this?

Netgear VPN still has non-resettable keys

[DigitAl56K]

I have found Netgear to be no worse than any other consumer router manufacturer, and better than several. Many manufacturers have had similar vulnerabilities in recent years, at least they have (finally) responded, albeit under the perception that it is perhaps due to the bad press.

That said, I'm posting here to call them out for STILL not having any means to generate fresh VPN keys on their routers. If your VPN profile security was every in question there is nothing you could do about it short of buying a new router. And frankly, since you have no idea about the state of the keys that came from the factory, it should be.

Netgear, pleas add a button to the web console to generate new VPN keys with a decent key size, and make sure the old ones are wiped/revoked.