Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Wireless Networking Networking Security Hardware

Vulnerability Prompts Warning: Stop Using Netgear WiFi Routers (securityledger.com) 147

"By convincing a user to visit a specially crafted web site, a remote attacker may execute arbitrary commands with root privileges on affected routers," warns a new vulnerability notice from Carnegie Mellon University's CERT. Slashdot reader chicksdaddy quotes Security Ledger's story about certain models of Netgear's routers: Firmware version 1.0.7.2_1.1.93 (and possibly earlier) for the R7000 and version 1.0.1.6_1.0.4 (and possibly earlier) for the R6400 are known to contain the arbitrary command injection vulnerability. CERT cited "community reports" that indicate the R8000, firmware version 1.0.3.4_1.1.2, is also vulnerable... The flaw was found in new firmware that runs the Netgear R7000 and R6400 routers. Other models and firmware versions may also be affected, including the R8000 router, CMU CERT warned.

With no work around to the flaw, CERT recommended that Netgear customers disable their wifi router until a software patch from the company that addressed the hole was available... A search of the public internet using the Shodan search engine finds around 8,000 R6450 and R7000 devices that can be reached directly from the Internet and that would be vulnerable to takeover attacks. The vast majority of those are located in the United States.

Proof-of-concept exploit code was released by a Twitter user who, according to the article, said "he informed Netgear of the flaw more than four months ago, but did not hear back from the company since then."
This discussion has been archived. No new comments can be posted.

Vulnerability Prompts Warning: Stop Using Netgear WiFi Routers

Comments Filter:
  • Netgear *firmware* (Score:5, Insightful)

    by c ( 8461 ) <beauregardcp@gmail.com> on Sunday December 11, 2016 @01:44PM (#53464103)

    Stop using Netgear firmware. I operate under the assumption that the stock firmware on any consumer wireless device is probably a bug riddled privacy disaster and replace it with something sane ASAP.

    Obviously, that sucks for people who can't dabble in firmware replacements, but there's a limit to what I can fix...

    • by Bruce Perens ( 3872 ) <bruce@perens.com> on Sunday December 11, 2016 @02:26PM (#53464303) Homepage Journal

      Yes, I immediately thought of OpenWRT, which I run on Netgear, Linksys, and other companies routers. I buy them brand-new and flash them before placing them in service.

    • Re: (Score:2, Informative)

      by SEE ( 7681 )

      Yep. The R6400 and R7000 are both supported by both DD-WRT, and Tomato by Shibby. I think OpenWRT only supports the R7000

    • DDWRT... At least you can be generally comfortable that the firmware has been checked for exploitable holes and is relatively safe to use. Anyone care to bet that Netgear is NOW working on a patch finally?
    • +1. The R7k is BRILLIANT running a custom DD-WRT build, and I am using largely the same running config that I've been using for the last half decade across 3 different devices. And my brother has the previous device, and while he probably couldn't handle a bricked device like I could, he is more than capable of following updates for the build I found for him.
  • I was just complaining in a message thread on Facebook earlier today about Netgear product issues. (Netgear had some corporate shill trying to talk up their product line on there, and promptly got a slew of negative comments about support issues and hardware problems with their products. I had to chime in with my bad experience of a whole group of ProSafe smart switches that failed shortly outside the warranty period, thanks to defective power adapters included with them. Netgear wanted to charge more for a

  • OR Try This (Score:5, Informative)

    by rotorbudd ( 1242864 ) on Sunday December 11, 2016 @02:21PM (#53464281)
    Asuswrt-Merlin on Netgear R7000 I've been using this for several months. http://www.linksysinfo.org/ind... [linksysinfo.org] Just about everything that's on the ASUS routers runs on the Netgear.
    • by fedux ( 262863 )

      Asuswrt-Merlin (or XWRT or Cross-WRT) is *CLOSED SOURCE*. It's a port to the R7000 based on the open source from RMerlin, but the author of the port is refusing to provide the sources. I've contacted him and almost got him to release the source, but he later changed his mind and he's refusing to do it. That is clearly a GPL violation and even if I've asked him for the reasons to refuse to release the source code he didn't say.

  • by Solandri ( 704621 ) on Sunday December 11, 2016 @02:25PM (#53464297)
    There are a helluva lot more than 8000 Netgear routers on the Internet, which implies the vulnerability requires you to enable remote (WLAN) admin access on the router for it to be exploited externally. But neither link clarifies if this is the case.

    You'd still vulnerable from the LAN side, particularly if someone using your Internet clicks a link with the default IP address of the router coded into the URL. But the first thing I do when I get a new router is change the default IP address precisely to prevent this sort of thing, and to avoid complications from subnet address collisions when setting up VPNs. Usually something in then 10.x.x.x block [wikipedia.org].
    • by WD ( 96061 )

      It's remotely exploitable with no user interaction if the web admin stuff is exposed to the internet. If the remote web admin is not enabled, then it's exploitable as the result of a user on the network viewing a malicious or compromised website.

      Changing the IP address or subnet of your router will only stop the laziest/inept of attackers.

  • There is absolutely no reason to keep using the stock firmware (other than laziness), and many reasons not to (see this story). If you don't know where to start: https://www.dd-wrt.com/wiki/in... [dd-wrt.com]

    • Does it support all the bells and whistles of the Netgear firmware? Or at least the ones having to do with wifi configuration? Is it at least just as stable with a large number of high-bandwidth clients? Is 802.11ac supported well?
      • by Zmobie ( 2478450 )

        DD-WRT actually has much better feature support than the stock firmware for most of the Netgear line. Their menu's are way easier to navigate too... Mine is very stable (been running for over a year on it) and from the research I've done anything in the R6000 and R7000 line is this way, and they absolutely support ac very well (dual bandwidth on mine, and newer versions actually support directional focusing if the hardware can handle it.

  • Comment removed based on user account deletion
    • If you can't afford a decent router from a decent company - then rent one from your ISP. At least then security and support issues will be your ISP's problem.

      The problem is most ISP's don't give a fuck if you get hacked and they hand you some Netgear AIO modem/router thats garbage to start with and you cant even flash it because AIO devices aren't supported by ANY of the OSS firmware options. If your'e a consumer concerned with safety of your internet devices and don't have the knowledge/skill to find and flash a compatible router, than buy Buffalo Routers. Most of their routers come Pre-Installed with DD-WRT and yes they have a modified version but you can easi

  • I have a Netgear DGN2200M and the exploit (as described in the article) doesn't work on my router thankfully.

  • by Anonymous Coward

    Are you fucking kidding me?

  • Is not effected. The CERT link is kind of crap but they have reference links at the bottom which have more meat including a PoF you can do easily (http://RouterIP/;telnetd$IFS-p$IFS'45' is supposed to open telnet on port 45).

    FTFA references [exploit-db.com]

    • by Anonymous Coward

      You have to add /cgi-bin

      http://RouterIP/cgi-bin/;telnetd$IFS-p$IFS'45'

    • by Anonymous Coward

      The PoC code is incorrect. Add /cgi-bin to the URL like in the example 2 lines above in description of vulnerability and it will most probably work. My R7000 with latest V1.0.7.2_1.1.93 is vulnerable. And yes, I'm not logged in already to the router website. The cgi-bin URL simply doesn't check for http auth.

  • My R8000 running V1.0.3.4_1.1.2 (latest available) is vulnerable from the inside. However my inside network does not use the 192.x.x.x address space so good luck figuring out my inside interface IP.
    • by WD ( 96061 )

      That's what WebRTC is for. After determine your computer's internal address, it's pretty trivial to guess (or bruteforce) your router's address.

    • by Anonymous Coward
      If I'm on your inside network, all I have to do is look at my gateway your router just gave me. How hard is that?
    • by b0bby ( 201198 )

      My R8000 running V1.0.3.4_1.1.2 (latest available) is vulnerable from the inside. However my inside network does not use the 192.x.x.x address space so good luck figuring out my inside interface IP.

      You don't need to bother trying to figure it out - as I posted above, on my R6400 there's a magic address which the router will grab and use for its interface. So all the malicious code needs is to try http://routerlogin.net/ [routerlogin.net] - if you're using one of the Netgears, that's the admin interface.

  • It damn well should be!

    There needs to be a policing/standards body for ensuring secure hardware &software platforms/interfaces.

    Basically testing for security compliance of any product that can communicate over a network.

    I'll put it on my Santa wish list

  • I encourage everyone to let Netgear management know what a great job they're doing: https://www.netgear.com/about/... [netgear.com] AFIK, their email address format is typically Firstname.Lastname@netgear.com.
  • I think a new law is needed making it legal for the government to hack devices/computers for the purposes of disabling them.

    Furthermore internet enabled devices might necessitate an FCC mandated kill switch. I can see it using both a push and pull mechanism. Push where the devices are directly connected to the internet and pull from behind a firewall where the devices must periodically check an FCC site to see if it should disable itself in as graceful as way possible such as maybe disabling network connect

    • Yeah, that'll work. It'll never be abused. :)

      I'd rather not give the government the legal authority to remotely screw me over for "internet safety" or some such nonsense.

  • Netgear is the McDonald's of routers. Personally, I only use Draytek [draytekusa.com] routers. Have had great success with them where Netgear, Linksys, D-Link, and Cisco have all failed miserably.
  • by virtigex ( 323685 ) on Monday December 12, 2016 @12:55AM (#53467091)
    Netgear's ongoing response to this issue is at http://kb.netgear.com/00003638... [netgear.com]
    • Also, you probably should not leave yourself logged into the router. I get a '401 unauthorized' when trying the exploit.
  • Why should I worry?
  • I had a problem with a Netgear router not being able to remember DHCP to MAC assignments. This was a problem in the version of dnsmasq baked into the firmware, but that had been fixed in the current version of dnsmasq. So I called up technical support to ask if there was a later version of the firmware, or source code I could rebuild from. After about 40minutes of going through a completely useless script. ("No I won't click the start button, Debian doesn't have one, you insensitive clod.") I gave up and eB

  • Netgear published on 12/13/2016 a beta firmware which claims to address the issue (haven't tested). As of this moment, the router will not, by default, prompt installation of beta firmware. http://kb.netgear.com/00003645... [netgear.com]

"Well, social relevance is a schtick, like mysteries, social relevance, science fiction..." -- Art Spiegelman

Working...