HUGE exploit in Netgear Nighthawk and other routers, accessed by browsing the web

[Marty Chinn]

I know this got posted yesterday but with only one reply, it seems to have gone unnoticed so I'm posting it again with hopefully a better eye catching title since it's a huge backdoor. I know the Netgear Nighthawk R7000 is a widely used router around here and is often recommended and it's one of the affected ones.

Andrew Rollins, a security researcher who also goes by Acew0rm, notified Netgear about the flaw on August 25, but says that the company never responded to him. After waiting more than three months, he went public with the vulnerability, and the Department of Homeland Security’s CERT group released an advisory about it on Friday. Its advice? Pull the plug.

“Exploiting this vulnerability is trivial. Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available,” the CERT notice said. The flaw allows unauthenticated web pages to access the command-line and then execute malicious commands, which could lead to total system takeover.

After initially saying over the weekend that three products “might be vulnerable,” Netgear now confirms that eight of its router models (R6250, R6400, R6700, R7000, R7100LG, R7300, R7900, R8000) are affected, including three of the five most popular routers on Amazon. Netgear also declined to comment on why it’s taking so long to release a production-grade firmware update.”We strive to earn and maintain the trust of those that use Netgear products for their connectivity,” the company said in a statement.

https://www.wired.com/2016/12/ton-popular-netgear-routers-exposed-no-easy-fix/

Here's the link to the beta patched firmware.

http://kb.netgear.com/000036386/CVE-2016-582384

Here's also the link to the original thread which went unnoticed:

http://www.neogaf.com/forum/showthread.php?t=1324951

 

[smokeandmirrors]

Netgear have known about this for 4 FUCKING MONTHS and havent done anything?!?!

good lord.

 

[Amagon]

Good job Netgear!

 

[rrs]

Netgear have known about this for 4 FUCKING MONTHS and havent done anything?!?!

good lord.

patches cost money, staying quiet is cheaper

Spoiler

or nsa backdoor lol

 

[rawd]

Glad I've had ddwrt on mine since day juan.

 

[Timedog]

There's about a zero percent chance that this was only found a few months ago for the first time.

 

[nelchaar]

Damn, and I just downgraded to 1.04.30 to fix awful problems with my 2.4GHZ that came with a recent patch.

 

[Corsick]

What do I do after unplugging. Get a refund or wait for a new update to firmware?

 

[TheLegendary]

Time to finally move to ddwrt

 

[exmachina64]

What do I do after unplugging. Get a refund or wait for a new update to firmware?

Buy a new router.

 

[WorldStar]

Why can't routers automatically patch themselves?

 

[99Luffy]

Their response is terrible. Thats enough to stop me from ever buying a netgear product.

 

[xxracerxx]

*pats Archer router*

Almost went with a Nighthawk.

 

[WorldStar]

*pats Archer router*

Almost went with a Nighthawk.

Ditto

Almost went with Nighthawk, went with Archer C5400

Couldn't be happier

 

[newshinycd]

Ha. I bought a new router last year, and I got some shit from coworkers because I went with an Asus router instead of Nighthawk.
Looks like they'll be eating crow tonight.

 

[WorldStar]

Ha. I bought a new router last year, and I got some shit from coworkers because I went with an Asus router instead of Nighthawk.
Looks like they'll be eating crow tonight.

The nighthawk is generally considered one of the best routers out there

Which is why this is so surprising

 

[Afrodium]

What the fuck I just bought one of these. Guess I'm installing dd-wrt tonight.

 

[Darth Pinche]

So happy I went with an Asus recently. But i almost got the Nighthawk

 

[darkwing]

that is why I choose Asus

 

[Audioboxer]

Terrible response time from Netgear Just updated my R7000. I use it for wireless (piggybacks off another modem for connecting to Sky) and because I have a 5TB hard drive attached for media.

 

[onadesertedisland]

So is this a backdoor or an NSA thing?

 

[Slayven]

Man almost brought a Netgear last week.

 

[rrs]

Why can't routers automatically patch themselves?

one: patch isn't out yet
two: there's no handoff, and I don't think you really want to lose your internet at x time for y seconds for an update

 

[Magnus]

Damn it, ours is the R7000. My boyfriend paid a buttload for that router too.

How serious is this really? Like, do I need to actually unplug and stop using the thing today?

 

[Gurgelhals]

There's a reason why people should either use these things with some third-party open source firmware such as DD-WRT or switch over to prosumer-grade stuff such as Ubiquiti altogether.

A router is usually sitting at what is by far the most vulnerable spot of every home network. This fact alone should make you not want to run them on your run-of-the-mill consumer-grade software where keeping development costs as low as possible always trumps concerns about security and stability.

 

[pestul]

Okay, so the survey company I do tech support for uses the R6300.. it's not on the list of effected routers, but I don't trust them.

 

[RS4-]

Is it one of the best because of these backdoors

Almost bought one last year, got the Archer instead.

 

[Marty Chinn]

Damn it, ours is the R7000. My boyfriend paid a buttload for that router too.

How serious is this really? Like, do I need to actually unplug and stop using the thing today?

Get the beta patched firmware. The link is in the OP.

 

[Electric Eye]

Netgear have known about this for 4 FUCKING MONTHS and havent done anything?!?!

good lord.

Actually they did inform customers who registered their hardware online, I got the email about the time it was discovered along with a link to the fix.

 

[Peter Ian Staker]

Thank god I skipped the Nighthawk and went for a TP-Link Archer VR900 when I got my new router.

 

[-griffy-]

I've got the R7500, so it sounds like that one isn't affected?

 

[Syriel]

So is this a backdoor or an NSA thing?

This is more of an engineering oops thing. There's no reason the web server should be running commands as an admin like that.

Damn it, ours is the R7000. My boyfriend paid a buttload for that router too.

How serious is this really? Like, do I need to actually unplug and stop using the thing today?

Anyone on your network can run any CLI commands they choose on the router.

 

[TheChewyWaffles]

Crap I have two of these

Edit: nm I have an 8500. Hurray

 

[djplaeskool]

Fuuuu I got an R6400 a while back that's been great so far.
Shit.

 

[ngower]

Aw shit, now I have to patch this for my mom from 1000 miles away.

 

[TwoDurans]

Wait, wait, wait. People own Netgear routers and don't use dd-wrt?

 

[Belker]

I had no idea this was a problem. Thanks for sharing the info. I've updated my router with the beta patch and tweeted a link to the article.

 

[kamakazi5]

Wait, wait, wait. People own Netgear routers and don't use dd-wrt?

This is the first I've heard of it but I will definitely use it now.

 

[Dr. Zoidberg]

Well shit. I've been very happy with my R7000 since I've had it. My co-worker got the oft-recommended ASUS and has had a lot of problems. I guess it's my turn now. I'll install the beta firmware tonight. I've dealt with DD-WRT before and liked it, so that's another possibility.

 

[ViciousDS]

what if I use XWRT?


haven't used the stock firmware till the last few months

 

[Orbis]

Wait, wait, wait. People own Netgear routers and don't use dd-wrt?

I'd imagine 95% of their customers have never heard of dd-wrt.

 

[Xeroblade]

Will the beta firmware actually fix this? or should I actually be using dd-wrt?

 

[Rebel Leader]

why should people use dd-wrt?

 

[marc^o^]

How would any hacker know one has such a router?

 

[xxracerxx]

Ditto

Almost went with Nighthawk, went with Archer C5400

Couldn't be happier

I could not be more pleased with the C5400...it is a beast of a router.

 

[Marty Chinn]

How would any hacker know one has such a router?

They wouldn't. They gain access by you going to a website. When you connect to that website, it can then send commands via that exploit to your router and gain access. So they don't come to you, you go to them without realizing it because all you did was browse the web.

 

[tim.mbp]

Guess I'll try out dd-wrt on my R6400 later tonight.

 

[CDX]

People have a router capable of putting DD-WRT, Tomato, or Open-WRT or some other firmware on it, BUT they just keep the manufactures firmware on it?

I find that odd, because It seems like in my circle of friends, nearly everybody has one of those firmwares listed above on their router.

But I guess now that I think about it, it shouldn't be odd that most will just stick with whatever firmware the manufacturer gives them. That's probably what the vast majority do.

 

[djplaeskool]

Had some issues with Open-WRT last month and reverted to manufacture.
Will probably make DD-WRT install a weekend project.

 

[jstripes]

People have a router capable of putting DD-WRT, Tomato, or Open-WRT or some other firmware on it, BUT they just keep the manufactures firmware on it?

I find that odd, because It seems like in my circle of friends, nearly everybody has one of those firmwares listed above on their router.

But I guess now that I think about it, it shouldn't be odd that most will just stick with whatever firmware the manufacturer gives them. That's probably what the vast majority do.

Does your circle of friends happen to be tech savvy?

Most people don't even know you can update the manufacturer's firmware.