Archive for Netgear

It Seems That Netgear Is Rolling Out Firmware Fixes For Their Epic Security #Fail

Posted in Commentary with tags on June 23, 2020 by itnerd

Things seem to be evolving when it comes to the more than 70 Netgear routers that are affected by a remote takeover flaw, an issue that Netgear has known about since the start of the year but didn’t seem to do anything about until it became public. That is one of the reasons why I recommended that you pull the router from service and get something else.

Now, if you want to keep your Netgear router in place rather than replace it with a more secure option from another vendor, I would direct you towards this page on the Netgear support site, which seems to be updated on a semi-frequent basis with new router firmware. At last count, I saw new firmware for 8 of their routers. That’s up from two yesterday. Keep in mind that over 70 routers are affected by this issue. Thus, while this shows that they are trying to do something about this epic security #fail, it’s a drop in the bucket relative to the scale of the overall problem. Having said that, if your router has updated firmware available, you should install that firmware now. As in right the hell now. Because I guarantee that with exploit code and scanning tools being available, the bad guys are looking for your router to do something evil to it.

I’ll also note something else. On the “Workarounds” section of this page, it says this:

Turning off Remote Management on your router or gateway web user interface significantly reduces your risk of exposure to these vulnerabilities. Remote Management on your router or gateway’s web user interface is turned off by default. If you never enabled Remote Management, you do not need to take any action to turn off Remote Management.

You’ll note the words “significantly reduces your risk of exposure to these vulnerabilities.” It doesn’t say that it eliminates the risk. Which means that even if you do what Netgear suggests, it will only make your network safer, but not safe. Which is why by the weekend, my Netgear router will be off my network and replaced by something else.

There’s another question here that needs to be answered. This story has been out there for a day or two, and you’re seeing updated firmware appear very quickly. So that implies that they could have done this in January when they became aware of this issue. Thus the question is, why didn’t they take action then? Sure, they could have been working on a fix between January and now. But if that were true, it should have been released to the public between January and now. Right? The cynic in me says that Netgear wasn’t interested in fixing this until it went public. But I am free to be proven wrong by Netgear. Seeing as they read my stuff, I challenge them to provide not only an answer for this, but also to tell me and my readers why they should be trusted going forward.

So how about it Netgear?

Why Netgear Doesn’t Deserve Another Chance To Get Your Hard Earned Money

Posted in Commentary with tags on June 23, 2020 by itnerd

Yesterday, I reported that Netgear has 79 different router models that are affected by a serious vulnerability that allows for the complete takeover of the router. That’s incredibly bad and far from trivial. But the thing is, we’ve been here before. Netgear has a history of security issues in their products that dates back many, many years. Let me cite some examples:

Now that last incident was in 2018, and I thought that Netgear had cleaned up their act. But clearly not. Netgear has clearly not learned from their past mistakes. Instead, they repeat them.

Now one thing that I didn’t report was this fact that was pointed out by a reader:

That’s right. Netgear has known about this latest issue with their routers since January of this year. It’s currently late June, and they didn’t take action until these issues were made public. So that’s a complete #fail as it appears to the casual observer that Netgear wasn’t going to take action. And that as far as I am concerned is also the final nail in the coffin.

Netgear has basically proven that they cannot produce a router that will keep you secure. This is doubly important as we are all living in the age of everyone and their dog working from home. As far as I am concerned, they don’t deserve a cent from you. Thus if you’re affected by their latest security issues, ditch their router right now and buy another brand of router to replace it. What brand of router should you buy? Well, anything is preferable to Netgear, as I am not aware of another router brand that has the scale and history of security issues that Netgear does. Thus any other brand is an improvement over Netgear. And going forward, I would not put any Netgear product on your list for any new purchases. Nor will I recommend Netgear to my clients. In fact, I will be pulling my recommendation of the R8500 because of this security fiasco.

If Netgear wants to rescue their image, they need to give a full explanation of how they are going to ensure that users of their products are going to be secure going forward. And they need to bring in a third party to not only audit everything from a security standpoint in that company, but to also make sure that they aren’t just talking the talk, but are walking the walk 100% of the time. If they want a template to work from, they should look at what Zoom is doing and copy that.

To be frank, I don’t expect Netgear to do this. The fact is, if they were the least bit serious about keeping their users safe, they would have done some or all of this already. And we wouldn’t be here talking about their security issues today. Thus let me restate my recommendation. If you have Netgear equipment, ditch it ASAP. Because they simply do not deserve your hard earned money. Plain and simple.

UPDATE: Netgear has begun to roll out fixes for this fiasco. More details here.

Netgear Has 79 Router Models Out There With A Zero Day Exploit That Allows Complete Takeover Of Said Router…. Yikes!!

Posted in Commentary with tags on June 22, 2020 by itnerd

Netgear has a massive problem on its hands. An unpatched zero-day vulnerability exists in 79 Netgear router models that allows an attacker to take full control of vulnerable devices remotely. That makes this a non-trivial issue, especially in this day and age when most of us are working from home. This was discovered by Adam Nichols of cybersecurity firm Grimm and d4rkn3ss from Vietnam’s VNPT ISC (through Zero Day Initiative). Now Nichols has released a detailed explanation of the vulnerability, a PoC exploit, and scripts to find vulnerable routers. Which means that the bad guys will be using these tools to launch attacks. In fact, it’s a safe bet that this is already happening.

Here’s the list of routers that are affected by this exploit:

AC1450
D6220
D6300
D6400
D7000v2
D8500
DC112A
DGN2200
DGN2200v4
DGN2200M
DGND3700
EX3700
EX3800
EX3920
EX6000
EX6100
EX6120
EX6130
EX6150
EX6200
EX6920
EX7000
LG2200D
MBM621
MBR624GU
MBR1200
MBR1515
MBR1516
MBRN3000
MVBR1210C
R4500
R6200
R6200v2
R6250
R6300
R6300v2
R6400
R6400v2
R6700
R6700v3
R6900
R6900P
R7000
R7000P
R7100LG
R7300
R7850
R7900
R8000
R8300
R8500
RS400
WGR614v8
WGR614v9
WGR614v10
WGT624v4
WN2500RP
WN2500RPv2
WN3000RP
WN3100RP
WN3500RP
WNCE3001
WNDR3300
WNDR3300v2
WNDR3400
WNDR3400v2
WNDR3400v3
WNDR3700v3
WNDR4000
WNDR4500
WNDR4500v2
WNR834Bv2
WNR1000v3
WNR2000v2
WNR3500
WNR3500v2
WNR3500L
WNR3500Lv2
XR300

What’s important to note is that I can find no mitigations for this exploit. None. That makes this exploit really dangerous. Also, Netgear isn’t planning on patching this entire list of affected routers. Which means that if you have any of these routers, you are on your own. Which of course is not a good situation. And it really reflects poorly on Netgear, as they should not only have better security for their routers, but should also make much more of an effort to care for their customer base when security issues arise.

Given the scale of the issue, and Netgear’s response to it, I would recommend that you take immediate action by replacing your Netgear router with another brand of router from a vendor who considers security to be top of mind. That’s what I am doing, as I have an R8500, which is on the list. And you should do the same thing. This is not a trivial exploit and it requires a non-trivial response in order to ensure that you are secure.

UPDATE: Thanks to everyone who alerted me that Netgear has just sent out emails to customers. In it is a security advisory that details this exploit, and the fact that only TWO of their routers have fixes for it. Netgear says that they will “continue to work on hotfixes for the remaining vulnerabilities and models, which we will release on a rolling basis as they become available.” Whatever that means.

They also have a mitigation for this exploit which is turning off remote management. Here’s how you do it:

  1. On a computer that is part of your home network, type http://www.routerlogin.net in the address bar of your browser and press Enter.
  2. Enter your admin user name and password and click OK. If you never changed your user name and password after setting up your router, the user name is admin and the password is password.
  3. Once you have logged in successfully, select the ADVANCED tab on the browser screen.
  4. Click on Advanced Setup
  5. Click on Remote Management.
    Note: on some products you may need to click on Web Services Management instead
  6. If the check box for Turn Remote Management On is checked, click on it so that the box is unchecked. Then click Apply to save your changes. 
  7. If the check box for Turn Remote Management On is unchecked, then click Cancel to leave the page as Remote Management is already turned off.

UPDATE #2: Netgear saw my story and sent me this tweet:

UPDATE #3: Netgear has begun to roll out fixes for this fiasco. More details here.

Have A Netgear Router? You Might Want To Check For A Firmware Update To Avoid Pwnage

Posted in Commentary with tags on February 8, 2018 by itnerd

If you’re using a Netgear router at home, you might want to check for a firmware update because a bunch of firmware updates have been released to fix some remote access vulnerabilities.

The flaws were found by Martin Rakhmanov of Trustwave and confirmed by Netgear. Apparently 17 routers have a remote authentication bypass flaw which allows someone to reach the web based configuration interface and gain control without using a password. From there, a bad guy can pwn the network. What’s worse is that another 17 Netgear routers have a similar bug. Finally, six other models have an issue with Wi-Fi Protected Setup which when you press the WPS button opens up a two-minute window during which an attacker can potentially execute arbitrary code on the router as root over the air.

My advice for owners of Netgear routers is to check for updates and update now. That way you can avoid pwnage now that these flaws are public.

Review: Netgear Nighthawk X8 AC5300 Tri-Band Router [UPDATE: Not Recommended]

Posted in Products with tags on December 11, 2017 by itnerd

I’ve been testing a lot of routers lately, and the latest one to end up in my test lab is the Netgear Nighthawk X8 AC5300 Tri-Band Router. This is one of Netgear’s high performance routers and it takes a really conservative approach in terms of looks:

It’s big as it takes up a lot of real estate, but it’s thin and flies under the radar unlike a lot of routers in this class. It has plenty of venting to keep it cool. It’s got four antennas that are non-removable. That might be a bit of a mistake as I’d love to know how you would replace one without having to send the whole router in for service. Oh yeah, the antennas also do this:

The tips light up which will be cool to some. Other interesting features include:

There are a pair of USB ports for storage via a USB hard drive, or a printer for printer sharing. But they’re behind a door which is kind of strange.

Lit buttons on the front are there to turn on and off the LEDs, use WPS, and enable and disable WiFi.

The lights to indicate the status of Internet access and ports are on the top of the router.

You get six gigabit Ethernet ports for all your wired devices. The first two can be combined into a link aggregation group (802.3ad) for those who want extra speed from a wired device that supports this feature.

In terms of WiFi, you get one 2.4 GHz band rated at gigabit speeds, and a pair of 5 GHz bands rated at 2.1 gigabits each. What’s cool is that you can put the two 5 GHz bands under a single network name and have devices automatically steered between the two so that no one band can be overloaded. And from what I could tell, it tended to make the right decisions as to which device needs to go where.

Setting the router up is easy and so is managing it. The wizard that walks you through the setup is clear and easily understandable for all types of users. Advanced users can leverage the advanced settings to get access to all the cool stuff to make devices go faster or lock things down. If using the web based setup isn’t for you, you can use an app called the Netgear Genie app for iOS or Android that gives you the ability to do the same thing from your phone or tablet. And if the standard firmware does nothing for you, there is DD-WRT firmware that is apparently available. Another feature that is available but I didn’t test is Amazon Alexa & Google Assistant support.

In terms of speed, I’ll simply say that Nighthawk X8 is the new speed champ as far as I am concerned. I got this result over 802.11ac within 5 feet of the router:

(speed test screenshot)

This beats the ASUS ROG Rapture AC5300 Gaming Router which clocked a speed of 841 Mbps when I tested it on my gigabit Internet connection. Not only that, I got good coverage in my condo as I was able to get a good signal in places that most routers struggle to reach. The fact that this router supports beamforming likely helps with that. It also supports MU-MIMO to keep things speedy. Speaking of speedy, anything and everything I tossed at it could not slow it down.

What’s missing? Well, it doesn’t have the advanced and somewhat unique security features and massive levels of customization that the ASUS ROG Rapture AC5300 Gaming Router has. That may bother some people, as they may see those as being desirable features. But there’s enough here that it should not bother you in my opinion. Gripes? I’m not a fan of the non-removable antennas, as I mentioned earlier. Other than that, I cannot think of anything to be critical of.

So, what does this all cost? Amazon Canada sells it for $299 CDN. If you look around, you may find it for less. What’s my bottom line? While the ASUS ROG Rapture AC5300 Gaming Router has more features, and I still think is the overall better value, the Netgear Nighthawk X8 AC5300 Tri-Band Router is a touch faster. Seeing as it’s about $200 cheaper than the ASUS offering, if you simply want nothing but the fastest router around, the Netgear is very much worth a look.

UPDATE: As fast and as feature rich as this router is, I am pulling my recommendation of it, or of any Netgear product for that matter. The reason being that this company has had a history of security issues, and I can no longer recommend their products. You can find out about their most recent security issue here, and what I think of that here. I will also be pulling this router off of my network and transitioning to another router to ensure the security of my network.

#FAIL: New Netgear Router Firmware Collects Analytic Data BY DEFAULT

Posted in Commentary with tags on May 23, 2017 by itnerd

I am not sure what Netgear was thinking when they came up with this idea, but if you own a NightHawk R7000 router from the company and you have updated the firmware to said router in the last little while, it’s now collecting the following info by default and sending it back to Netgear:

  • Total number of devices connected to the router
  • IP address
  • MAC addresses
  • Serial number
  • Router’s running status
  • Types of connections
  • LAN/WAN status
  • Wi-Fi bands and channels
  • Technical details about the use and functioning of the router and the WiFi network

Netgear had this on its website as to why it is doing this:

Technical data about the functioning and use of our routers and their WiFi network can help us to more quickly isolate and debug general technical issues, improve router features and functionality, and improve the performance and usability of our routers

Here’s the problem with that. If you want to collect data, allow one to opt into this. Forcing one to opt out should never be how this sort of thing works, as it just leaves a very bad taste in one’s mouth. Now if you don’t want Netgear collecting info on you, here’s how you disable this “feature”:

  • Launch a web browser from your PC or smartphone that is connected to the network.
  • Open the router login window by entering http://www.routerlogin.net.
  • Type the router username and password. If you haven’t changed the default settings, your username is admin, and password is password.
  • Select Advanced → Administration → Router Update on the Home page.
  • Scroll down to the Router Analytics Data Collection section and select the Disable button to disable router analytics data collections.
  • Click the Apply button to save your settings.

Now this “feature” is likely to come to other Netgear routers. So if you own one, you should be on the lookout for this “feature” and take action if required to protect your privacy.

#EpicFail: Netgear Loses Customer Data

Posted in Commentary with tags on April 26, 2017 by itnerd

A day after a really mind-blowing bug with their router management software on macOS that they for whatever reason will not fix, Netgear has had to fess up to losing customer data that was stored on their cloud service. The Register has the details:

This week, the San Jose-based networking business sent an email to customers, seen by The Register, confirming that an “outage” affecting ReadyCLOUD, the free service for its network attached storage offering, caused the storage systems to disconnect from the cloud service and be marked as deleted at the end of March.

Compounding the issue, as part of a clean-up process, Netgear decided that when a ReadyCloud account is marked as closed, the NAS holding that account’s home folder should be deleted along with all of the data it was holding.

As one user complained to The Register: “In practice, accounts are generally deleted from the NAS admin screen by the user and a big warning flashes up to tell you that all data will be deleted. In this case, as the glitch was server side, no warning was presented and loads of people found that their home folders and data had mysteriously been deleted, by the looks of it, at the command of Netgear.”

The Reg reader got in touch to say that the outage lost all of his photographs of a trip with his 18-month-old daughter to Disneyland, and complained that despite Netgear’s claims they had identified all users, the company had not yet contacted him.

That’s a really huge screw up. After all, when a company offers a service where they store your data, they have a responsibility to protect said data. The fact that they were unable to do that in this case is appalling. Now the company claims that only 40 or 50 people lost data, but we’ll find out what the real number is when the inevitable class action lawsuit gets filed. The company is also trying to recover the data, but I think that may be futile. Which is another reason why there will be a class action lawsuit. Finally, they’ve fixed the issue that caused this, but that is cold comfort to those who lost data. Clearly this, combined with the story that I posted yesterday, not to mention their issues with their routers’ security from last year, seems to indicate that Netgear is a company that perhaps you might want to steer clear of.

#EpicFail: Netgear Router Software Has A Critical Bug That Affects macOS….. And They Won’t Fix It

Posted in Commentary with tags on April 25, 2017 by itnerd

I’ve become aware of a growing issue that has macOS users of Netgear products ticked off. The issue came to light on MacInTouch where a user posted that upon installing a piece of software that Netgear supplies to manage their router called Netgear Genie, this happens:

I bought a Netgear router, and noticed something strange when I installed the Netgear Genie software: the dock vanished for a moment, and when it returned, my desktop picture was reset to the Apple-supplied default. And all my desktop picture settings (e.g. random rotation of a particular folder) were wiped out.

Now that sounds trivial. But when the user investigated, he discovered that it is not trivial. Here’s why:

The explanation is simple. I can see in the Genie installer that at the end of a new or upgrade installation, it runs a script which contains this command:

Code:
rm -f ~/Library/Application\ Support/Dock/*.db && killall Dock

That’s right: the installer will blithely delete any database that is in the OS X Dock library folder.

This is a critical bug because an installer really should not be deleting anything in that directory. Not just because you’ll inconvenience users by resetting their dock and desktop preferences (the Dock keeps the desktop picture settings in a database in that folder, which is why the wallpaper reset). But because Apple might use that directory for other things in the future. Thus by installing this software to manage your Netgear router, you might hose your system.
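The check a practitioner would want before running any vendor installer is to unpack the package and read its scripts before they run. On macOS, pkgutil --expand SomeInstaller.pkg /tmp/expanded unpacks a flat package so its Scripts directory can be inspected; the script below is an added example (mine, not Netgear’s code and not the MacInTouch poster’s) that walks such a directory and flags any rm, rmdir, unlink or srm aimed at the user’s Library folder. The sample postinstall script it scans is constructed here around the command quoted above, and the package name in the docstring is a placeholder.

```python
"""Flag installer scripts that delete files under the user's ~/Library.

Added example; the regex and the sample script are this page's own
construction, not anything shipped by Netgear. Typical use on macOS:
    pkgutil --expand NetgearGenie.pkg /tmp/genie     # package name assumed
    python3 audit_installer.py /tmp/genie
"""
import re
import sys
from pathlib import Path
from typing import List, Tuple

# Spellings of the user's Library directory an installer script might use.
PROTECTED = (
    r"~/Library",
    r"\$HOME/Library",
    r"\$\{HOME\}/Library",
    r"/Users/[^/\s]+/Library",
)

# A deleting command (rm, rmdir, unlink, srm) followed, within the same
# shell command (no ; & | in between), by one of the protected paths.
DESTRUCTIVE = re.compile(
    r"\b(?:rm|rmdir|unlink|srm)\b[^\n;&|]*?(?:" + "|".join(PROTECTED) + r")"
)


def audit_script(text: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for every non-comment line that deletes
    something under the user's Library directory."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        if DESTRUCTIVE.search(line):
            findings.append((lineno, line.strip()))
    return findings


def audit_tree(root: Path) -> List[Tuple[str, int, str]]:
    """Run audit_script over every regular file under root (an expanded .pkg)."""
    results = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        for lineno, line in audit_script(text):
            results.append((str(path), lineno, line))
    return results


# Constructed sample postinstall script, built around the command quoted in
# the MacInTouch post above; the second rm is harmless and must not fire.
SAMPLE_POSTINSTALL = r"""#!/bin/sh
# postinstall (constructed sample)
rm -f ~/Library/Application\ Support/Dock/*.db && killall Dock
rm -rf /tmp/genie-install
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = audit_tree(Path(sys.argv[1]))
    else:
        hits = [("<sample>", n, line) for n, line in audit_script(SAMPLE_POSTINSTALL)]
    for path, lineno, line in hits:
        print(f"{path}:{lineno}: deletes under user Library: {line}")
    sys.exit(1 if hits else 0)
```

Run with no arguments it audits the embedded sample and exits non-zero on the Dock deletion; pointed at an expanded package it reports file, line and command for anything that would touch the user’s Library. It is a grep, not a sandbox: a script that builds the path at runtime or calls out to another binary will slip past it, which is exactly why the non-zero exit is meant to stop an automated install rather than replace reading the script.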

#Fail

What’s worse is if you read through the post on MacInTouch, Netgear’s response has been shambolic. They’ve asked for irrelevant information. They’ve raised roadblocks to getting a timely resolution. And they’ve generally been unhelpful.

#EpicFail

Clearly, Netgear has dropped the ball here and either doesn’t recognize that or doesn’t care. Either way, the correct response to this is to not buy their products. Any company that has a potentially catastrophic bug and does nothing to address it doesn’t deserve your money.

Yet Another Security Flaw Found In Netgear Routers

Posted in Commentary with tags on January 31, 2017 by itnerd

Seriously, what is up with Netgear these days?

After some serious security flaws popped up last year, comes this latest one, found by researcher Simon Kenin of Trustwave. According to this post, he found that by triggering an error message, the router can be tricked into handing over a numerical code that can then be used with the password recovery tool to retrieve the router’s administrator credentials. But what is worse is that Kenin also discovered that in many cases the numerical code is not even necessary, and that random strings sent directly to the password recovery script would still cause the login information to be displayed. From there, it’s a trivial task to pwn the router. There are 31 different Netgear router models that are affected by this flaw, and Netgear advises that you update your firmware right now.

Charming.

You really have to wonder if Netgear takes the security of its products seriously. I get that any vendor can have security issues with their products. But the scale at which Netgear seems to have these sorts of issues seems really high to me.

Another Serious Security Hole In Netgear Routers

Posted in Commentary with tags on December 27, 2016 by itnerd

If you own a Netgear router, you have to be wondering if you should ditch it for something else. I say that because hot on the heels of this serious security issue coming to light (though that one was kind of fixed a few days later) comes this:

The NETGEAR WNR2000 allows an administrator to perform a number of sensitive functions in the web interface through an apparent CGI script named apply.cgi. This script is invoked when changing Internet settings, WLAN settings, restore to factory defaults, reboot the router, etc.

However apply.cgi is not really a script, but a function that is invoked in the HTTP server (uhttpd) when it receives that string in the URL. When reverse engineering uhttpd, it was found that it also allows an unauthenticated user to perform the same sensitive admin functions if apply_noauth.cgi is invoked instead.

Some of the functions, such as rebooting the router, can be exploited straight away by an unauthenticated attacker. Other functions, such as changing Internet, WLAN settings or retrieving the administrative password, require the attacker to send a “timestamp” variable attached to the URL. This timestamp is generated every time the target page is accessed and functions as a sort of anti-CSRF token.

The timestamp generating function was reverse engineered and due to incorrect use of random number generation (details below) it is possible to identify the token in less than 1000 attempts with no other previous knowledge.

By combining this knowledge with an information leakage, it is possible to recover the administrator password. This password is then used to enable telnet functionality in the router and obtain a root shell if the attacker is in the LAN.

Finally, a stack buffer overflow was also discovered, which combined with the apply_noauth.cgi vulnerability and the timestamp identification attack allows an unauthenticated attacker to take full control of the device and execute code remotely in the LAN and in the WAN.

Okay. Let me translate for you. The vulnerabilities described above could allow a remote attacker to execute code and take over the device without authentication. The attack is possible on the local network, and via the Internet if remote administration is turned on, which, to be fair, it is not by default.
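To make the “less than 1000 attempts” figure in the advisory concrete, here is an added illustration of the general failure it describes: an anti-CSRF token whose only entropy is the device’s clock. This is my code, not Ribeiro’s and not the WNR2000’s real timestamp routine (which the excerpt above does not reproduce); the generator is a hypothetical linear congruential generator seeded with the wall-clock second, using the textbook ANSI C constants, and the only thing carried over from the advisory is the pattern that the token is derived from the time. The attacker, knowing the device clock to within a few hundred seconds (an HTTP Date header is enough), simply walks the candidate seeds outward from the best estimate. The second half shows the fix: a token drawn from the OS CSPRNG and compared in constant time.

```python
"""A clock-seeded anti-CSRF token versus a CSPRNG one.

Added illustration, not code from the WNR2000 or from the advisory.
The weak generator is a hypothetical LCG (textbook ANSI C constants)
seeded with the current second; the assumption taken from the advisory
is only that the token's entropy comes from the clock, which is what
makes a search of a few hundred requests work.
"""
import hmac
import secrets
import time
from typing import List, Optional

LCG_A = 1103515245
LCG_C = 12345
LCG_MOD = 1 << 31


def weak_token(clock_second: int) -> int:
    """srand(time(NULL)); return rand();  -- the token space is the clock."""
    return (LCG_A * clock_second + LCG_C) % LCG_MOD


class WeakDevice:
    """Hypothetical router: mints a token when the settings page loads,
    and apply.cgi accepts any request that carries it."""

    def __init__(self, clock_second: int) -> None:
        self._token = weak_token(clock_second)
        self.attempts = 0

    def apply(self, token: int) -> bool:
        self.attempts += 1
        return token == self._token


def seed_candidates(estimate: int, window: int) -> List[int]:
    """Seeds ordered by distance from the attacker's clock estimate."""
    out = [estimate]
    for off in range(1, window + 1):
        out += [estimate + off, estimate - off]
    return out


def guess_token(device: WeakDevice, clock_estimate: int, window: int = 500) -> Optional[int]:
    """Attacker who knows the device clock to within +/- window seconds
    (e.g. from an HTTP Date header) tries each candidate against apply.cgi.
    Returns the seed that worked, or None. At most 2*window+1 requests."""
    for seed in seed_candidates(clock_estimate, window):
        if device.apply(weak_token(seed)):
            return seed
    return None


# --- the fix: entropy from the OS, constant-time comparison ---------------

def strong_token() -> str:
    """128 random bits from the OS CSPRNG; unguessable whatever the clock says."""
    return secrets.token_hex(16)


def strong_check(issued: str, presented: str) -> bool:
    """Constant-time compare so response timing leaks nothing about the token."""
    return hmac.compare_digest(issued, presented)


if __name__ == "__main__":
    now = int(time.time())
    dev = WeakDevice(now)
    found = guess_token(dev, now + 137)   # attacker's clock estimate is 137 s off
    print(f"weak token recovered after {dev.attempts} requests (seed {found})")
    t = strong_token()
    print("strong token accepted:", strong_check(t, t),
          "wrong one rejected:", not strong_check(t, strong_token()))
```

With a 137-second clock error the weak token falls in 275 requests; even a 500-second error needs at most 1001. Note that nothing about the LCG constants matters here, since the search is over seeds, not outputs: any deterministic function of the clock has the same weakness, and the only repair is to stop deriving the token from the clock at all.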

That’s a pretty big #Fail on the part of Netgear. What’s worse is Netgear’s response, as described by Pedro Ribeiro, the security researcher who discovered this:

NETGEAR did not respond to any emails, so THERE IS NO FIX for these vulnerabilities.

It is recommended to replace this router with another make and model that supports OpenWRT firmware. WNR2000 v3 and v4 have OpenWRT images available, but the latest v5 is not supported yet.

Timeline of disclosure:

26.09.2016: Email sent to NETGEAR (security@netgear.com) asking for PGP key, no response.

28.10.2016: Email sent to NETGEAR (security@netgear.com) asking for PGP key, no response.

26.11.2016: Disclosed vulnerability to CERT through their web portal.

29.11.2016: Received reply from CERT. They indicated that NETGEAR does not cooperate with them, so they recommended getting CVE numbers from MITRE and releasing the vulnerability information.

            Email to MITRE requesting CVE numbers, no response.

            Email sent to NETGEAR (security@netgear.com) asking for PGP key, no response.

20.12.2016: Public disclosure.

Well, that’s an #EpicFail on the part of Netgear to not even respond to him. I bet that they’re working overtime over the holidays to come up with a fix now that this is public and a PR disaster in progress. I am saying that because Netgear pushed out this advisory four days after Ribeiro released this info to the public. That’s a four day head start for every hacker who wants to exploit this. Another #EpicFail for Netgear.

My advice to you is that, given that this is the second major vulnerability in Netgear products that has been found in the last month, you should take Ribeiro’s advice and stop using Netgear’s routers until they fix this. Or better yet, stop using Netgear’s products altogether. They clearly can’t keep them secure, and they don’t want to deal with issues that are brought to them by security researchers in a timely manner. Both are great reasons not to use their products in my mind.