PSA: Power off Netgear R6400 / R7000 / R8000until new firmware released

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › PSA: Power off Netgear R6400 / R7000 / R8000until new firmware released

Lias

3574 posts

Uber Geek
+1 received by user: 2037

Trusted

Lifetime subscriber

Topic # 206153 12-Dec-2016 08:49

One person supports this post

There is an unpatched vulnerability in these that allows remote command injection, and public exploit code for said vulnerability.

Full details at https://www.kb.cert.org/vuls/id/582384

Confirmed to be an issue on the R6400/R7000 models, but as per the CERT entry at least one firmware revision of the R8000 is vulnerable according to community reports and other Netgear routers may be vulnerable.

Information wants to be free. The Net interprets censorship as damage and routes around it.

allio

494 posts

Ultimate Geek
+1 received by user: 272

Reply # 1686346 12-Dec-2016 09:12

One person supports this post

By convincing a user to visit a specially crafted web site, a remote attacker may execute arbitrary commands with root privileges on affected routers. A LAN-based attacker may do the same by issuing a direct request, e.g. by visiting: http:///cgi-bin/;COMMAND

Wow. That has to be one of the biggest security holes out there.

If you're running stock firmware, may I suggest now would be a good time to try out some third-party alternatives? AdvancedTomato had an uptime of about 200 days on my R7000 until a power cut the other night.

hio77

'That VDSL Cat'
9424 posts

Uber Geek
+1 received by user: 2136

Trusted

Spark

Subscriber

Reply # 1686349 12-Dec-2016 09:19

Scary flaw to have in there in this day and ages.

Ammazed that something so simple still stands in routers.. surely we learnt from back in the day when this first came out?

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

michaelmurfy

Mr Snotty
8302 posts

Uber Geek
+1 received by user: 4272

Moderator

Trusted

Lifetime subscriber

Reply # 1686357 12-Dec-2016 09:47

2 people support this post

With most of these routers flash with Advanced Tomato and be done with it. This is bad...

The likleyhood of an attack is slim however as this has to be exploited client side. With the Marai botnet doing its rounds it wouldn't surprise me if it was able to send phishing emails out hoping to get more victims. There is already this same exploit for some TP-LINK and DLINK routers with unpatched firmware (this is going back a few years).

Michael Murphy | https://murfy.nz
A quick guide to picking the right ISP | The Router Guide | Community UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial

hio77

'That VDSL Cat'
9424 posts

Uber Geek
+1 received by user: 2136

Trusted

Spark

Subscriber

Reply # 1686360 12-Dec-2016 09:50

michaelmurfy:

With most of these routers flash with Advanced Tomato and be done with it. This is bad...

The likleyhood of an attack is slim however as this has to be exploited client side. With the Marai botnet doing its rounds it wouldn't surprise me if it was able to send phishing emails out hoping to get more victims. There is already this same exploit for some TP-LINK and DLINK routers with unpatched firmware (this is going back a few years).

as its only over http, it's easily exploited over a iframe or js remember..

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

freitasm

BDFL - Memuneh
62273 posts

Uber Geek
+1 received by user: 12817

Administrator

Trusted

Geekzone

Lifetime subscriber

Reply # 1686396 12-Dec-2016 10:34

3 people support this post

At the end of the day I don't see any of these manufacturers giving a damn.

Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) |

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management | Sharesies investment fund

Lias

3574 posts

Uber Geek
+1 received by user: 2037

Trusted

Lifetime subscriber

Reply # 1686467 12-Dec-2016 11:24

I'm not sure how many people here will be running stock firmware, but plenty of not so technical people who brought them from Noel Leemings etc will be.

Information wants to be free. The Net interprets censorship as damage and routes around it.

trig42

Banana?
4580 posts

Uber Geek
+1 received by user: 1123

Subscriber

Reply # 1686494 12-Dec-2016 12:23

I'm running stock on an R7000.

No chance I will run anything from a website I don't know. Will look at putting the Tomato on it this weekend.

Skillie

191 posts

Master Geek
+1 received by user: 14

Reply # 1686633 12-Dec-2016 18:49

trig42:

I'm running stock on an R7000.

No chance I will run anything from a website I don't know. Will look at putting the Tomato on it this weekend.

Maybe using a non-standard IP address for the router (and dhcp server) could offer some interim defense - see details here - http://routersecurity.org/ipaddresses.php

Skillie

191 posts

Master Geek
+1 received by user: 14

Reply # 1686642 12-Dec-2016 18:54

Computerworld has a detailed article (and how to test your router's vulnerability) here - http://www.computerworld.com/article/3148680/networking/easily-exploited-netgear-router-flaw-discovered.html

Skillie

191 posts

Master Geek
+1 received by user: 14

Reply # 1686645 12-Dec-2016 18:57

And a suggested 2 step temporary fix here - http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/

lNomNoml

1043 posts

Uber Geek
+1 received by user: 215

Reply # 1687840 14-Dec-2016 18:56

allio:

By convincing a user to visit a specially crafted web site, a remote attacker may execute arbitrary commands with root privileges on affected routers. A LAN-based attacker may do the same by issuing a direct request, e.g. by visiting: http:///cgi-bin/;COMMAND

Wow. That has to be one of the biggest security holes out there.

If you're running stock firmware, may I suggest now would be a good time to try out some third-party alternatives? AdvancedTomato had an uptime of about 200 days on my R7000 until a power cut the other night.

Interesting, I've never put 3rd party firmware on before, will give this a try thanks.

Actually after seeing people complain about the WiFi range and speed being worse on this, I think I'll just stick with stock and just install the beta patch. :D

lNomNoml

1043 posts

Uber Geek
+1 received by user: 215

Reply # 1692078 19-Dec-2016 10:41

There are now a few production firmware fixes available for anyone interested: Linky

Skillie

191 posts

Master Geek
+1 received by user: 14

Reply # 1693862 22-Dec-2016 14:39

Updated all my R7000s (Router, WiFi Bridge & AP) - so far so good!

(WiFi on FibreX Max)

webwat

1984 posts

Uber Geek
+1 received by user: 133

Trusted

Reply # 1694950 25-Dec-2016 21:04

One person supports this post

And here I thought it was a feature...

Qualified in business, certified in fibre, stuck in copper, have to keep going ^_^

Skillie

191 posts

Master Geek
+1 received by user: 14

Reply # 1701131 10-Jan-2017 21:15

Netgear has partnered with Bugcrowd to offer between $150 and $15,000 to researchers who find security flaws in its hardware, mobile apps, and APIs etc - see full article here http://www.tomshardware.com/news/netgear-bugcrowd-bug-bounty-program,33342.html

Is this initiative too little too late or a step in the right direction?