Netgear Releases 'Beta' Patches For Additional Routers Found With Root Vulnerability (netgear.com) 26
The Department of Homeland Security's CERT issued a warning last week that users should "strongly consider" not using some models of NetGear routers, and the list expanded this week to include 11 different models. Netgear's now updated their web page, announcing eight "beta" fixes, along with three more "production" fixes. chicksdaddy writes:
The company said the new [beta] firmware has not been fully tested and "might not work for all users." The company offered it as a "temporary solution" to address the security hole. "Netgear is working on a production firmware version that fixes this command injection vulnerability and will release it as quickly as possible," the company said in a post to its online knowledgebase early Tuesday.
The move follows publication of a warning from experts at Carnegie Mellon on December 9 detailing a serious "arbitrary command injection" vulnerability in the latest version of firmware used by a number of Netgear wireless routers. The security hole could allow a remote attacker to take control of the router by convincing a user to visit a malicious web site... The vulnerability was discovered by an individual...who says he contacted Netgear about the flaw four months ago, and went public with information on it after the company failed to address the issue on its own.
The move follows publication of a warning from experts at Carnegie Mellon on December 9 detailing a serious "arbitrary command injection" vulnerability in the latest version of firmware used by a number of Netgear wireless routers. The security hole could allow a remote attacker to take control of the router by convincing a user to visit a malicious web site... The vulnerability was discovered by an individual...who says he contacted Netgear about the flaw four months ago, and went public with information on it after the company failed to address the issue on its own.
Fail (Score:2)
...says he contacted Netgear about the flaw four months ago, and went public with information on it after the company failed to address the issue on its own.
How many times...?
It's time to reinstate public hangings for this offense, IMHO.
Re: (Score:2)
Notice DNSChanger impacting 1 in 5 restaurants and tens of millions of people before they came out with a fix?
Lack of trusted options conveniently available? (Score:2)
I've been doing network security professionally for 20 years, and my primary home router is a Netgear. Your post prompted me to ask "why do *I*, knowing better, run a Netgear?
When my last router died, I didn't want to wait a week to have an OpenWRT based router from inet.com delivered. I wanted to get back online right away. I didn't want to pay for an up-to-data Cisco ASA, including additional fees for feature licenses. So like most people I went to the store and bought something available right away.
Re:Lack of trusted options conveniently available? (Score:5, Informative)
search on mcdebian for linksys wifi router.
its real debian, with apt-get update and all that. to me, its far better than openwrt.
you use a usb thumbdrive as the root fs and you flash the os bootloader to system flash.
its not well known, but maybe it should be.
Re: (Score:2)
I started with a wrt54g and DD WRT like everyone else. Then a Buffalo Networks N with factory DD WRT that died from a cracked board around the power plug. I went with a R7000 and always meant to flash DD WRT on it. I finally did. Two big issues with DD WRT on the R7000. It kills the WAP button on the router. No big deal until I realized my Cannon MG3200 printer will not/can not connect to a wireless network without WAP. DD WRT also DOES NOT support the USB3 port on the front of the router. So that is dead.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Asus has been in the news often this year on security holes in their routers. Go Google it? I purposely avoided them and bought a Linksys ac1900 which are their modern version of the WRT of last decade. It supports Tomato
Re: (Score:2)
Re: People still buy Netgear? (Score:2)
I have used a Netgear before (ISP-supplied DSL modem), but I always:
- Use a non-default subnet on the LAN where user devices reside
- Use a generic linux distribution that receives regular updates as the internet gateway (running the PPPoE session, recursive DNS and DHCP etc. from the Linux instance)
- Isolate the modem from the user devices (since it is not the gateway) if it isn't required as the AP as well
Of course, this isn't a complete solution nor one that is suitable for most end users, and costs more
Non-default network is a great idea (I do that) (Score:2)
Switching the router to use something other than 192.168.1.0 sure is easy, and will stop many attacks which hardcode 192.168.1.1. That's a great idea.
Re: (Score:2)
Well, I bought "this crap" (that is, a Netgear router) because it was a dual-band AC router, supported by my favored third-party firmware, on sale for under $60.
I didn't give a crap about any deficiencies in the native firmware because I was using my own.
Beta firmware... (Score:2)
...well at least if the firmware bricks your router, the hole will be closes... and no further data can get off your LAN onto the WAN via the fixed router...
Dave Taht (of bufferbloat fame) has a better idea (Score:2)
Netgear could improve. Improving would be easy. (Score:3)
Avast was alerting to this (Score:1)
Netgear VPN still has non-resettable keys (Score:2)
I have found Netgear to be no worse than any other consumer router manufacturer, and better than several. Many manufacturers have had similar vulnerabilities in recent years, at least they have (finally) responded, albeit under the perception that it is perhaps due to the bad press.
That said, I'm posting here to call them out for STILL not having any means to generate fresh VPN keys on their routers. If your VPN profile security was every in question there is nothing you could do about it short of buying a