PSA: Power off Netgear R6400 / R7000 / R8000until new firmware released

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › PSA: Power off Netgear R6400 / R7000 / R8000until new firmware released

Lias

5589 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#206153 12-Dec-2016 08:49

There is an unpatched vulnerability in these that allows remote command injection, and public exploit code for said vulnerability.

Full details at https://www.kb.cert.org/vuls/id/582384

Confirmed to be an issue on the R6400/R7000 models, but as per the CERT entry at least one firmware revision of the R8000 is vulnerable according to community reports and other Netgear routers may be vulnerable.

I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup.

allio

885 posts

Ultimate Geek

#1686346 12-Dec-2016 09:12

By convincing a user to visit a specially crafted web site, a remote attacker may execute arbitrary commands with root privileges on affected routers. A LAN-based attacker may do the same by issuing a direct request, e.g. by visiting: http:///cgi-bin/;COMMAND

Wow. That has to be one of the biggest security holes out there.

If you're running stock firmware, may I suggest now would be a good time to try out some third-party alternatives? AdvancedTomato had an uptime of about 200 days on my R7000 until a power cut the other night.

hio77

12999 posts

Uber Geek

ID Verified

Trusted

Lizard Networks

#1686349 12-Dec-2016 09:19

Scary flaw to have in there in this day and ages.

Ammazed that something so simple still stands in routers.. surely we learnt from back in the day when this first came out?

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

michaelmurfy

meow
13243 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#1686357 12-Dec-2016 09:47

With most of these routers flash with Advanced Tomato and be done with it. This is bad...

The likleyhood of an attack is slim however as this has to be exploited client side. With the Marai botnet doing its rounds it wouldn't surprise me if it was able to send phishing emails out hoping to get more victims. There is already this same exploit for some TP-LINK and DLINK routers with unpatched firmware (this is going back a few years).

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

hio77

12999 posts

Uber Geek

ID Verified

Trusted

Lizard Networks

#1686360 12-Dec-2016 09:50

michaelmurfy:

With most of these routers flash with Advanced Tomato and be done with it. This is bad...

The likleyhood of an attack is slim however as this has to be exploited client side. With the Marai botnet doing its rounds it wouldn't surprise me if it was able to send phishing emails out hoping to get more victims. There is already this same exploit for some TP-LINK and DLINK routers with unpatched firmware (this is going back a few years).

as its only over http, it's easily exploited over a iframe or js remember..

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

freitasm

BDFL - Memuneh
79270 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1686396 12-Dec-2016 10:34

At the end of the day I don't see any of these manufacturers giving a damn.

Lias

5589 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1686467 12-Dec-2016 11:24

I'm not sure how many people here will be running stock firmware, but plenty of not so technical people who brought them from Noel Leemings etc will be.

trig42

5810 posts

Uber Geek

ID Verified

#1686494 12-Dec-2016 12:23

I'm running stock on an R7000.

No chance I will run anything from a website I don't know. Will look at putting the Tomato on it this weekend.

Wise

Send money globally for less with Wise - one free transfer up to NZ$900 (affiliate link).

Skillie

192 posts

Master Geek

#1686633 12-Dec-2016 18:49

trig42:

I'm running stock on an R7000.

No chance I will run anything from a website I don't know. Will look at putting the Tomato on it this weekend.

Maybe using a non-standard IP address for the router (and dhcp server) could offer some interim defense - see details here - http://routersecurity.org/ipaddresses.php

Skillie

192 posts

Master Geek

#1686642 12-Dec-2016 18:54

Computerworld has a detailed article (and how to test your router's vulnerability) here - http://www.computerworld.com/article/3148680/networking/easily-exploited-netgear-router-flaw-discovered.html

Skillie

192 posts

Master Geek

#1686645 12-Dec-2016 18:57

And a suggested 2 step temporary fix here - http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/

lNomNoml

1807 posts

Uber Geek

ID Verified

#1687840 14-Dec-2016 18:56

allio:

By convincing a user to visit a specially crafted web site, a remote attacker may execute arbitrary commands with root privileges on affected routers. A LAN-based attacker may do the same by issuing a direct request, e.g. by visiting: http:///cgi-bin/;COMMAND

Wow. That has to be one of the biggest security holes out there.

If you're running stock firmware, may I suggest now would be a good time to try out some third-party alternatives? AdvancedTomato had an uptime of about 200 days on my R7000 until a power cut the other night.

Interesting, I've never put 3rd party firmware on before, will give this a try thanks.

Actually after seeing people complain about the WiFi range and speed being worse on this, I think I'll just stick with stock and just install the beta patch. :D

lNomNoml

1807 posts

Uber Geek

ID Verified

#1692078 19-Dec-2016 10:41

There are now a few production firmware fixes available for anyone interested: Linky

Skillie

192 posts

Master Geek

#1693862 22-Dec-2016 14:39

Updated all my R7000s (Router, WiFi Bridge & AP) - so far so good!

(WiFi on FibreX Max)

webwat

2036 posts

Uber Geek

Trusted

#1694950 25-Dec-2016 21:04

And here I thought it was a feature...

Time to find a new industry!

Skillie

192 posts

Master Geek

#1701131 10-Jan-2017 21:15

Netgear has partnered with Bugcrowd to offer between $150 and $15,000 to researchers who find security flaws in its hardware, mobile apps, and APIs etc - see full article here http://www.tomshardware.com/news/netgear-bugcrowd-bug-bounty-program,33342.html

Is this initiative too little too late or a step in the right direction?