back to article US-CERT's top tip: Hack your crap Netgear router before miscreants arrive

Owners of three models of Netgear routers are being advised to exploit a security hole in their broadband boxes to, er, temporarily close said hole. The alternative is to switch off the boxes until a firmware update lands. Netgear says that the R6400, R7000, and R8000 series routers are all vulnerable to CVE-2016-582384, a …

  1. redpawn Silver badge

    3rd Party Firmware

    If you can run DD-WRT, Tomato Shibby or any other 3rd party firmware I'd give it a try. Most of them are free. You may be happier than with the perpetually insecure software served up router manufacturers. I've been running 3rd party firmware for years and have no plans to go back. On my router 3rd party firmware is more stable than what came from Linksys. 3rd party software gives you more options to tweak your settings and sometimes additional functionality. You can even compile your own. Good luck.

    1. Swarthy Silver badge

      Re: 3rd Party Firmware

      Have an upvote for Tomato. That lovely piece of software has seriously improved (and extended the useful life of) an old router of mine.

      1. Ole Juul

        Re: 3rd Party Firmware

        Tomato Shibby here. I've had a lot of routers and I've rarely even looked at whatever was originally installed on them. Why take a chance with written-for-profit proprietary software when there are perfectly good solutions already?

        That said, most users are not going to be aware that there are better solutions or how to implement then. My theory is that they believe that the vendor knows best, and that is rarely the case with consumer routers.

  2. tr1ck5t3r

    " you simply have to trick someone on the router's local network into opening a booby-trapped webpage."

    Any old search engine result may work, if not use the offsite advertising network to deliver it instead.

    Easy peasy..... Now who has that sort of control or over sight of such things?

    Some will be Govt entities and other's will be big businesses.

    Whose the loser's in all this? The little people as usual and lots of you work for them, brings a whole new perspective to the work life balance when you think about it!

    1. gnarlymarley

      " you simply have to trick someone on the router's local network into opening a booby-trapped webpage."

      Or, if they are running IPv6 and didn't realize there is a private address range, they might have their router on a public IP. That probably also means they are not bright enough to block http requests at the firewall, if they even have a firewall.

  3. Stuart Halliday

    Reminds me of the original PET 2001 power supply Poke bug. Proudly printed in the PCW magazine in the Eighties so that eager young programmers could try out to mangle the £700 machine in shops throughout the UK.

    Nothing really changes...

    1. Unicornpiss Silver badge
      Pint

      PET bug..

      Actually it was the 40xx and 80xx series Commodore computers that were susceptible, and the bug was with the CRT controller chip. A poke to a location (59458 if I remember right) would speed up 2001-series PETs by altering the refresh rate (to simplify), but in later models, it would put tremendous strain on the video circuitry and eventually let the magic smoke out.

      1. kain preacher Silver badge

        Re: PET bug..

        What he is talking about is you could short the 5v line be issuing a poke command

  4. Walter Bishop Silver badge
    Linux

    Authentication failed

    Authentication failed .. You need to supply a valid user name and password.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Authentication failed

      You probably don't have a vulnerable device.

      C.

    2. Anonymous Coward
      Anonymous Coward

      Re: Authentication failed

      On my R7000 I just got a page not found error after running the "fix". After that both the web interface and the ipad app stopped working.

      1. misterinformed

        Re: Authentication failed

        The command you ran was intended to disable the web interface, so the "page not found" error is to be expected. When Netgear release the fixed firmware, you will have to switch your router off and on again to get the web interface running so you can install it.

      2. Vic

        Re: Authentication failed

        On my R7000 I just got a page not found error after running the "fix"

        Good.

        Vic.

  5. Potemkine Silver badge
    Mushroom

    Put PR at stake

    "We appreciate and value having security concerns brought to our attention"

    "We're told Ace warned Netgear about this issue months ago but seemingly nothing was done about it."

    Bloody bastards!

    1. Paul Crawford Silver badge

      Re: Put PR at stake

      Welcome to the world of shitware, when every device you buy from $SUPPLIER comes with half-arsed software and bugger-all updates even months after the manufacturer has been told (probably twice, 2nd time in crayon and big pictures) of how crap they are.

    2. Anonymous Coward
      Anonymous Coward

      Re: Put PR at stake

      Oh, and "Being pro-active rather than re-active to emerging security issues is fundamental for product support at Netgear."

      Blah, blah, blah, customers first PR, blah, blah. I suppose in their defence, as something from the 90's this is not an emerging security issue and therefore it's OK to be reactive.

      1. LondonGull

        Re: Put PR at stake

        Well this is the same netgear that "upgraded" their extenders by forcing you to login in with an email address and snarfing your password, so when you forget your password they can send it back to you as cleartext. Waiting for the inevitable breach...

  6. DougS Silver badge
    WTF?

    Wow, that exploit is a throwback

    I thought passing a semicolon to cgi-bin had jumped the shark by 1997! Kudos to Netgear for bringing back a classic!

  7. Destroy All Monsters Silver badge
    Holmes

    They are running the webserver as root?

    ...and running a Little Bobby Tables script on it?

    Well done.

    1. Paul Crawford Silver badge

      Re: They are running the webserver as root?

      Indeed, the 1990s called and want their security blunders back...

  8. Wolfclaw Silver badge

    Should be made compulsory for all consumer products that have an internet connection to go through a paid security audit to ensure nothing as stupid as this can happen. Manufacturers will soon get their act together when a product fails and they have to pay again to get verified.

    1. Version 1.0 Silver badge

      Good idea, although I suspect that it will not make a huge difference - we'll simply get a better, more subtle, class of vulnerability. But that would be an improvement.

    2. Unicornpiss Silver badge
      Pint

      Really not a bad idea at all..

      In the US, it could be part of the Underwriters Laboratories testing that ensures the device won't burn your house down, lop your arm off, or render your dog infertile. Reasonable assurance against identity theft and having your device used for possibly nefarious means sounds like it should be included, especially for the IOT. Of course it can take years for a lot of these bugs to be discovered, but a little testing by some white hats would certainly help.

    3. Bucky 2

      Compulsory Security Audit

      It needn't be mandatory. All you'd really need would be a "premium" device from some manufacturer somewhere that had this kind of audit done. It would cost extra, of course. Perhaps a lot extra.

      You just need market demand.

      If there weren't a demand for such a thing, then what you'd have are stores filled with cheaper, "home" routers pressed out of plastic, rushed to market on a shoestring, with few to no software updates as vulnerabilities became known.

      Oh. Wait.

  9. Anonymous Coward
    Anonymous Coward

    Even now, they can still surprise me

    We found a corker of a vulnerability on the SRX5308 a while back but even I'm struggling to believe they've managed a whole new level of fail. The one we found had already been fixed though I strongly suspect this was by accident. They'd replaced much of the software stack but the vulnerable script was still there, just unused.

    Even without vulnerabilities, they're just rubbish. We've since switched to pfSense. I did try to install OpenWRT on an SRX5308 to make them useful instead of throwing them under a bus but I haven't been able to get Ethernet to work reliably. I may have another crack at it sometime.

  10. Pyrofer

    It was nice timing for seeing this. I was in the market for a router to replace the ISP supplied PoS and was browsing expensive Netgear routers on Amazon when I read the original news about this.

    As a result I now have ordered a MikroTik router that seems to be better spec than the Netgear and cost less. I will probably never buy another Netgear again either.

    I wonder just how much being lazy with a patch has cost Netgear both directly and indirectly? Do you think the guy who caused said delays thinks it's worth it now?

    1. Fatman Silver badge
      Joke

      Priorities

      <quote>Do you think the guy who caused said delays thinks it's worth it now?</quote>

      Nope!!!

      He probably does not even give a shit, as he has done his best to increase shareholder value, by keeping development costs low.

  11. David Roberts Silver badge
    Joke

    Typical Microsoft

    Running crap insecure W10.

    Ditch it and run Linux; you know it makes sense!

    Oh, wait....

    .....I seem to be in the wrong thread.....

  12. Anonymous Coward
    Anonymous Coward

    Another possible work-around

    Another possible work-around, change the port number used for local administration of the router. Not sure, however, if this is supported on the vulnerable routers. Like changing the router local IP address, it is security by obscurity. For more, see

    http://www.computerworld.com/article/3148680/networking/easily-exploited-netgear-router-flaw-discovered.html

  13. Anonymous Coward
    Flame

    Open hardware, quickly becoming a requirement for this little black duck…

    The more I read about unpatched crap from fire-and-forget vendors that think once the device hits the manufacturing line it's time to move onto the next product and forget about supporting what they already produce… the more I think that in future, it'll be a personal requirement that the device is shipped with suitable documentation and firmware.

    The reason for this is simple.

    I, as a home network operator, am responsible for the emissions my network produces.

    If a HTTP GET request for a JPEG with kiddie pr0n is seen from my ADSL connection, is it the vendors of the various devices that gets the blame? No, it's me, and then it's up to me to investigate how that HTTP GET request came to originate from my connection.

    If a wireless router starts emitting crap out-of-band… is it the router manufacturer that takes responsibility? No, the ACMA will be knocking on my door first. I then have to play a game of unplug-until-the-noise-stops to find out the culprit.

    It is high time that, if we are as end users to carry this RESPONSIBILITY, we should be given the RIGHT to audit. That includes being able to FREELY ACCESS the firmware source code, device schematics and other supporting documentation, and FREELY DISTRIBUTE such items to third parties for the purpose of audit and analysis.

    The day of the proprietary black box is over.

  14. misterinformed

    Some of the firmware updates (inculding R6400, R7000 and R8000) are now out of beta. The web interface of my R6400 showed a notification about the update. After installing, testing with the 'killall' URL led to a login prompt and, even after I authenticated, it still didn't execute the killall so the fix looks good.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019