Critical Netgear Bug Impacts Flagship Nighthawk Router

[pege63]

Have you all see this one?
Dozens of routers are patched by Netgear as it snuffs out critical, high and medium severity flaws.

Read it all at https://threatpost.com/critical-netgear-bug-impacts-nighthawk-router/153445/

 

[thiggins]

This appears to be old news about KRACK vulnerability. Here's the NETGEAR post:
https://kb.netgear.com/000049498/Se...2-Vulnerabilities-PSV-2017-2826-PSV-2017-2836

I think this popped back into the news because the R6700v3 was added to the advisory on 3/2/20. The advisory edit history says it was first posted 2017-10-16.

 

[pege63]

But its from yesterday 4 Mars 2020 and its say,
The critical vulnerability, tracked by Netgear as PSV-2019-0076, affects the company’s consumer Nighthawk X4S Smart Wi-Fi Router (R7800) first introduced in 2016 and still available today.

The same high-severity command injection flaw (PSV-2018-0352) also exists in 29 other router models within the D6000, R6000, R7000, R8000, R9000 and XR500 family of Netgear hardware. Brands include 20 SKUs of the Wireless AC Router.

They did not have XR500 or the SKU 20 then.

All the links to Netgear pages refer to updated pages from 3 Mars 2020 https://kb.netgear.com/000061741/Se...mmand-Injection-on-Some-Routers-PSV-2019-0051

 

[thiggins]

@pege63 Yes, you are correct. I didn't read carefully enough. Thanks for the post.

 

[Voxel]

As far as I understand they (NG) mean in their PSV:

1. Lack of security: keeping passwords in NVRAM in plaint text form (fixed in 1.0.2.62)
2. CVE-2019-11477. CVE-2019-11478, CVE-2019-11479 (fixed in 1.0.2.68)

Nothing new for me, sorry.

"1." fix is available since 1.0.2.63SF in my build (Jan 2019)

"2." fix is available since 1.0.2.68SF in my build (summer 2019).

Also "1." and "2." are fixed for R9000/R8900, stock firmware (I know that, "2" is fixed in 1.0.5.2 as far as I remember) but both are not fixed for Orbi still in the stock firmware ("2." most gangrenous is fixed in my version for Orbi).

Voxel.

 

[Voxel]

And this alarm is a bit funny for me (not your alarm @pege63 of course please do not feel any offences, but alarm from NG). For example NG is using OpenSSL 1.0.2h in their latest 1.0.2.68 firmware for R7800. This OpenSSL is used e.g. for ReadyCLOUD, https to router GUI, OpenVPN server etc. And what? I can see after 1.0.2h release:

CVE-2016-7052
(fixed in 1.0.2i)

CVE-2017-3731
CVE-2017-3732
CVE-2016-7055
(fixed in 1.0.2j)

CVE-2017-3736
CVE-2017-3735
(fixed in 1.0.2l)

CVE-2017-3737
CVE-2017-3738
(fixed in 1.0.2m)

CVE-2018-0739
(fixed in 1.0.2n)

CVE-2018-0732
CVE-2018-0737
(fixed in 1.0.2o)

CVE-2018-5407
CVE-2018-0734
(fixed in 1.0.2p)

CVE-2019-1559
(fixed in 1.0.2q)

CVE-2019-1563
CVE-2019-1547
CVE-2019-1552
(fixed in 1.0.2t)

CVE-2019-1551
(fixed in 1.0.2u)

https://www.openssl.org/news/openssl-1.0.2-notes.html

And do not forget that 1.0.2 version is not supported anymore since 31 Dec of 2019. Now 1.1.1x...

Well. OpenVPN. 1.0.2.68 from NG uses the version 2.4.5. At least CVE-2018-9336...

Etc, etc, etc...
Ha-ha...

Dozens of routers are patched by Netgear as it snuffs out critical, high and medium severity flaws

Voxel.

 

[pege63]

And this alarm is a bit funny for me (not your alarm @pege63 of course please do not feel any offences, but alarm from NG). For example NG is using OpenSSL 1.0.2h in their latest 1.0.2.68 firmware for R7800. This OpenSSL is used e.g. for ReadyCLOUD, https to router GUI, OpenVPN server etc.

Voxel.

Yes that was why I went out with this, what NG does is to mislead people unnecessarily and make them insecure.
Especially when you assume that it is from 2020 3 March and on almost all models, such the AC and AX.

 

[blunderdome]

As far as I understand they (NG) mean in their PSV:

1. Lack of security: keeping passwords in NVRAM in plaint text form (fixed in 1.0.2.62)
2. CVE-2019-11477. CVE-2019-11478, CVE-2019-11479 (fixed in 1.0.2.68)

Nothing new for me, sorry.

"1." fix is available since 1.0.2.63SF in my build (Jan 2019)

"2." fix is available since 1.0.2.68SF in my build (summer 2019).

Also "1." and "2." are fixed for R9000/R8900, stock firmware (I know that, "2" is fixed in 1.0.5.2 as far as I remember) but both are not fixed for Orbi still in the stock firmware ("2." most gangrenous is fixed in my version for Orbi).

Voxel.

Hey Voxel - thanks for all your work! I'm running .72 of your firmware on a R7800 and it's been rock solid since install. Am I good then or I'm looking at having to revert to stock for a bit to make sure I'm patched?

Thanks again!

 

[NetBytes]

Hey Voxel - thanks for all your work! I'm running .72 of your firmware on a R7800 and it's been rock solid since install. Am I good then or I'm looking at having to revert to stock for a bit to make sure I'm patched?

Thanks again!

I am also on .72 and from what I read above, Voxel says the necessary patches have been in since .68.
I can't ever imagine going back to stock.

 

[Voxel]

Hey Voxel - thanks for all your work! I'm running .72 of your firmware on a R7800 and it's been rock solid since install. Am I good then or I'm looking at having to revert to stock for a bit to make sure I'm patched?

Thanks again!

I prefer to use my builds . I think they are more safe vs stock.

Voxel.

 

[Voxel]

Yes that was why I went out with this, what NG does is to mislead people unnecessarily and make them insecure.

So your R7800 is not used anymore? Sad... You are my first user from SNB community...

Voxel.

 

[pege63]

So your R7800 is not used anymore? Sad... You are my first user from SNB community...

Voxel.

No am still using my R7800 and like all your FW so far, don't worry about that Voxel I am no1 fan of yours.
I just meant when NG goes out with a change like they now made on the 3 Mars 2020 on there forum, it make people insecure on wath they do in there when changin the date like they did now.

 

[kokishin]

As far as I understand they (NG) mean in their PSV:

1. Lack of security: keeping passwords in NVRAM in plaint text form (fixed in 1.0.2.62)
2. CVE-2019-11477. CVE-2019-11478, CVE-2019-11479 (fixed in 1.0.2.68)

Nothing new for me, sorry.

"1." fix is available since 1.0.2.63SF in my build (Jan 2019)

"2." fix is available since 1.0.2.68SF in my build (summer 2019).

Also "1." and "2." are fixed for R9000/R8900, stock firmware (I know that, "2" is fixed in 1.0.5.2 as far as I remember) but both are not fixed for Orbi still in the stock firmware ("2." most gangrenous is fixed in my version for Orbi).

Voxel.

Thank God for Voxel and his firmware.

I've been running Voxel firmware from mid Dec 2018 when I purchased my 7800 at Frys.

I had done my research prior to purchase.

So I performed the initial boot up with the crappy NG firmware and immediately installed 1.0.2.62SF (and held my breath).

Today I breathe easy because my 7800 just works without a fuss thanks to Voxel.

 

[Razor512]

R7800 continues to be awesome because of Voxel's support.

It has been the most stable consumer level router that I have ever used.