Status of Netgear and the Kcode NetUSB module vulnerability

[mediatrek]

The other day I wanted to check in to see how Netgear has done with patching the Kcode NetUSB module vulnerability they were made aware of 5 months ago in April 2015. There is a support entry about the vulnerability on Netgear’s support site for you to read up on it.

Netgear said "starting in July" they would be releasing firmware patching the security vulnerability. With September half over, only 5 of the 39 affected models have been patched! Five months on since being made aware of this and not even HALF of the products have been patched?!?

STILL NOT FIXED (34):

• R6100
• R6200v1
• R6200v2
• R6220v1
• R6250
• R7000
• R7500v1
• R7900
• D3600
• D6000
• D6200
• D6200v2
• D6300
• D6400
• DEVG2020
• DGND3700v2
• DGND4000
• EX6200
• EX7000
• JNR3210
• JR6150
• LG2200D
• LG4210
• MVBR1210C
• PR2000
• WN3500RP
• WNDR3700v4
• WNDR3700v5
• WNDR4300v1
• WNDR4300v2
• WNDR4500v1
• WNDR4500v3
• WNDR4700 / WNDR4720
• XAU2511

FIXED (5):

• R6300v1
• R6300v2
• R6700
• R8000
• WNDR4500v2

 

[L&LD]

This is just one of many reasons that I do not use Netgear products anymore, nor do I recommend them to customers.

The software that runs on our equipment is more important than the hardware in the end. If the software (firmware) never gets updated (at least for security issues), the hardware is basically throw away.

 

[RogerSC]

When this first came up, I verified that this vulnerability is only in the stock firmware, not in the third-party firmware like tomato ARM or dd-wrt. I haven't looked at XVortex, but I'd be surprised to see it there, since I think that RMerlin is on top of these issues as well.

I don't use stock firmware other than as a reference (currently using Advanced Tomato on the R7000), so this isn't an issue for me.

 

[RogerSC]

This is just one of many reasons that I do not use Netgear products anymore, nor do I recommend them to customers.

The software that runs on our equipment is more important than the hardware in the end. If the software (firmware) never gets updated (at least for security issues), the hardware is basically throw away.

You know, after giving this some thought, I was remembering switching to tomato firmware for my E4200 when Linksys took too long to fix the WPS exploit that came along a few years ago. And Asus has also left stuff unfixed for long periods of time (http://www.cnet.com/news/asus-router-vulnerabilities-go-unfixed-despite-reports/). I really don't think that Netgear is alone in this one.

While this doesn't justify not fixing security vulnerabilities as soon as they are found, I think that by not using Netgear you're not going to be avoiding these problems, you'll just have a different set (maybe, some problems may be shared by different mfrs). Again, that assumes that you use stock firmware, personally I only buy routers that have third-party firmware available for them. That firmware has yet another set of vulnerabilities, but the developers for third-party firmware tend to fix things faster than the OEM's do. At least they have in the past...but, as they say, "past performance is no guarantee of future results" *smile*.

 

[L&LD]

You know, after giving this some thought, I was remembering switching to tomato firmware for my E4200 when Linksys took too long to fix the WPS exploit that came along a few years ago. And Asus has also left stuff unfixed for long periods of time (http://www.cnet.com/news/asus-router-vulnerabilities-go-unfixed-despite-reports/). I really don't think that Netgear is alone in this one.

While this doesn't justify not fixing security vulnerabilities as soon as they are found, I think that by not using Netgear you're not going to be avoiding these problems, you'll just have a different set (maybe, some problems may be shared by different mfrs). Again, that assumes that you use stock firmware, personally I only buy routers that have third-party firmware available for them. That firmware has yet another set of vulnerabilities, but the developers for third-party firmware tend to fix things faster than the OEM's do. At least they have in the past...but, as they say, "past performance is no guarantee of future results" *smile*.

Issues like your link provided are for features that I do not sell or push to my customers (or use myself).

The security issues I'm talking about are the ones that affect the router just being used as a router (i.e. it's main job). By avoiding any company that simply drops support for their latest models just a few months after being introduced (and while they are still being sold), I will be avoiding the security issues I care about.

Asus still supports models that are 3 years and older by releasing firmware with at least security updated to current standards even if the latest features cannot be used on that older hardware.

Yes, all manufacturers let things slide. But some are more blatantly offensive than others.

 

[NETGEAR Guy]

We are in the process of updating the KB note to more accurately reflect the list of devices that still require fixing. Also, for the devices mentioned, we are planning a release to resolve by early October.

This post will be updated as soon as further information is available.