back to article Netgear: Nothing to see here, please disperse. Just another really bad router security hole

Netgear has downplayed the significance of newly discovered flaws in its WNR2000 line of consumer routers. The vulnerabilities could hypothetically allow a remote attacker to execute code and take over the device without authentication, claims Pedro Ribeiro, the security researcher who discovered the bugs. “It is a LAN based …

  1. Anonymous Coward
    Anonymous Coward

    Forget the firmware! What we need is...

    More and more and bigger and weirdly shaped antenna sprouting from the routers like big, thick, spider legs!

    "HOLY FUCKING SHIT, DAVE! LOOK OUT! THERE'S A GIANT SPIDER IN YOUR BOOKCASE!!1!"

    *gets bat and smashes router to tiny bits*

    "It's okay, I saved you, guy."

    Dude, you just killed my router! It cost me £75 pound notes, 13p, 3 half-pence, 1.666 nicker, and .5 sterling Quid-bucks!

    "yeah, but... spider."

  2. BugabooSue
    Mushroom

    Too F***ing Late...!

    I'm done with Netgear! I bought an R7000 Netgear Nighthawk after my previous R6300 died as a result of a lightning strike. I only bought the NH in the first place because I couldn't afford a DrayTek 2860ac at the time.

    Bugger. Should have taken the hit. Should have learned my lessons regarding Netagear Long Ago!

    Got stuffed-up by Netgear over the Digital Entertainer EVA 9150 (media-server/player, roughly £260 at the time), after they pulled development despite numerous promises of "Great Things To Come." Same happened with the Netgear R6300 router I bought - they stopped trying to fix it in firmware, and brought out a new version instead. Thousands of us were left with devices that had WiFi problems. Until the recent Emergency Patch for the R7000, the previous few FW releases broke more than they fixed... So, because this was such a serious vunerability, I installed it. After I done this, every time I went into the WAN Setup page in the web-GUI - I had to power-cycle the router.

    My new DrayTek is humming away nicely now. :)

    Just done. </rant>

    To all new victims out there, vote with your wallets. Vulnerabilities and faults can happen to any vendor - how they deal with them (or don't!) is very telling.

    Happy Whatever, and have an Awesome New Year folks!!

    Susi xx

    1. paulf Silver badge
      Mushroom

      Re: Too F***ing Late...!

      Similar experience here with Netgear. I had a wireless router from them over 10 years ago. It worked fine although the final firmware update managed to completely bork the LAN routing between Ethernet ports and I had to regress it to the previous version (thank $DEITY I kept the old image!).

      I updated it with a new Netgear router in 2011 (a/b/n/ac wireless and GbE) - supposedly top of the range at £120. I bought about 6 months after release yet it was EOLd only 5 months later. The ADSL never worked properly with the production firmware build and I had to download an Engineering beta via Support to get it working "properly" (of the three versions I downloaded the second was the most reliable oddly enough) as it wasn't updated again with a production firmware to fix the myriad bugs in it - it certainly didn't get any security updates! I still don't get why the Engineering Betas were never finished off and released considering the work that must have gone into them but I guess they just lost interest when they released the v2 that did get all the bug fixes.

      The ReadyNAS duo v1 boxes I have (Sparc Powered) are still getting occasional updates despite being 6 years old which is impressive but after the router experience I won't be touching Netgear again. To have a relatively new product EOLd just months after purchase is unacceptable. My next router will hopefully be a DrayTek as I hear good things about them.

      1. BugabooSue

        Re: Too F***ing Late...!

        I have a couple of ReadyNAS Duo v1 Sparcs too, and they been bloody terrific! Still running 24/7/365 after (something like?) 5 years! And like you say, they occasionally, even now, get the odd bug/security fix. Power them down every six months, blow out the dust, and off they trot again...

        Whatever the flip has happened to Netgear? Their routers were not always the best out of the gate, but they fixed most of them (though I did find the WNR2000 to be a particular stinker! I actually smashed the cr*p out of it with a hammer after a couple of months - just for the hell of it - I felt so much better!! Yup. Replaced with a Draytek 2820n, I think...).

        "Welcome to the DrayTek Shopping Channel..." :D

        Susi xx

        1. paulf Silver badge
          Thumb Up

          Re: Too F***ing Late...!

          @BugabooSue "I have a couple of ReadyNAS Duo v1 Sparcs too, and they been bloody terrific!"

          I have four and they're bomb proof - never missed a beat and still running 24/7 all these years later. They've also got features that [IIRC] weren't included in later versions like the iTunes library and Time Machine support. I probably should have bought a larger 6/8-bay device from the outset and used RAID 5 striping as that would have been more efficient but I'll replace them when they fail and that could be some time...

          P

          PS - From the smattering of single downvotes it looks like the Netgear PR dept shill is loitering on this thread. Instead of downvoting sort out your bugs and provide firmware updates for a decent period of time after release - 5 years strikes me as reasonable.

          1. Adam JC

            Re: Too F***ing Late...!

            Maybe the downvote was due to your mentioning of RAID5...? *Shudder*

          2. John H Woods

            Re: Too F***ing Late...!

            "I probably should have bought a larger 6/8-bay device from the outset and used RAID 5" -- paulf

            Dude, no. Just no. I'd recommend 6 disks and RAIDZ2 but other sensible options are available; RAID5 is not one of them.

            1. paulf Silver badge

              Re: Too F***ing Late...!

              @Adam JC "Maybe the downvote was due to your mentioning of RAID5...? *Shudder*"

              @John H Woods "Dude, no. Just no. I'd recommend 6 disks and RAIDZ2 but other sensible options are available; RAID5 is not one of them."

              Well, "RAID whatever" is likely more efficient than the current RAID 1 mirroring that's in use. I can't complain too much as it did save me from a drive failure with no data loss, but it's not particularly efficient. The two bay ReadyNAS Duo v1 supports RAID 0 or RAID 1 so not much in the way of choice.

      2. Adam JC

        Re: Too F***ing Late...!

        Draytek kit is mustard. Some Cisco fanboi's mock the kit as being pony, but I've ran a 4-star hotel with 80 rooms and 12 VLANS off of a 2830 with absolutely no issues whatsoever. (Doing DHCP for all 12 VLANs too!) - Very capable bits of kit for the money and they keep models in service for a very sensible amount of time. Their rackmount kits are ridiculous though, you can find them much cheaper from third-parties :)

      3. macjules Silver badge
        Facepalm

        Re: Too F***ing Late...!

        Stopped using Netgear when I bought a basic model in 2010, powered it up, logged in using the standard admin/password ... and only after configuring it did I realise that I had just reconfigured my next door neighbour's brand new router instead.

    2. Gene Cash Silver badge

      Re: Too F***ing Late...!

      Yup. When I migrated away from my ISP's equipment, the most important requirement was "MUST NOT be Belkin or Neatgear!"

      They're ALL SHIT unfortunately.

      I bought a Linksys WRT1200AC which totally hosed the DHCP reservations and the local subnet prefix when the power failed.

      The solution (in addition to a small UPS) was installing LEDE.

    3. Joerg

      Re: Too F***ing Late...!

      "I'm done with Netgear! I bought an R7000 Netgear Nighthawk after my previous R6300 died as a result of a lightning strike."

      You need a proper UPS system to protect the hardware. It is not hardware manufacturers fault if you don't protect your hardware properly.

    4. Anonymous Coward
      Anonymous Coward

      Re: Too F***ing Late...!

      Until the recent Emergency Patch for the R7000, the previous few FW releases broke more than they fixed... So, because this was such a serious vunerability, I installed it. After I done this, every time I went into the WAN Setup page in the web-GUI - I had to power-cycle the router.

      Two nice things about the R7000:

      1) The hardware's very powerful for the price - even if it does look like some demented Steampunk dinosaur with four massive black spines sticking out of its back, and a line of flashing lights that wouldn't disgrace a Cylon Centurion.

      2) It's easy to replace the crap Netgear firmware with much more capable Tomato firmware. Which I did as soon as I got mine, and no problems since with regular updates.

      1. Charles 9 Silver badge

        Re: Too F***ing Late...!

        "2) It's easy to replace the crap Netgear firmware with much more capable Tomato firmware. Which I did as soon as I got mine, and no problems since with regular updates."

        I've considered it, but it seems every time I look at it, the firmware is not feature-complete, not supporting all the features in the device (which I do use). I've personally kept my firmware up to date (just did an update a few days ago), and I've yet to have any real issues with it. I've had more issues with the cable modem than with this (and most of the time, the problem was with the cable company, not the modem).

    5. FlamingDeath
      Holmes

      Re: Too F***ing Late...!

      ftp://ftp.draytek.com/Vigor2860/Firmware/v3.8.4/DrayTek_Vigor2860_V3.8.4_01_release-note.pdf

      Even Draytek makes stupid mistakes, but to be fair who here is stupid enough to enable UPnP anyhow?

      Quote from the release note above:

      "Corrected: TCP 2869 and UDP 1900 were opened on WAN, if UPnP was enabled."

      It doesn't matter which vendor you get your kit from, there is always some idiot working for them who will F things up nicely, they call it the bell curve.

      1. Kiwi Silver badge

        Re: Too F***ing Late...!

        It doesn't matter which vendor you get your kit from, there is always some idiot working for them who will F things up nicely, they call it the bell curve.

        Bell or bell-end?

        The only "curve" for some of these people should be their trajectory as they're given the boot.

    6. Jay 2

      Re: Too F***ing Late...!

      Indeed!

      I used to only use Netgear kit for many years until I decided to replace my ageing (but mainly trusty) DG834Gv4 with a D6200 and DGND4000 in quick succession. Both were hampered by the same issue where WiFi would stop working (or at least DHCP wasn't playing ball). During all that I talked to Netgear support, for what it was worth, who then told me it was a known problem, that could be fixed by some firmware... which turned out to be US-only, so being in the UK that was out. The same support bod then said, in more-or-less the same breath, I should return the router for an RMA as what they'd just described as a problem was suddenly an "isolated issue". I ended up with a Linksys X3500, which is horrible to use and also had some problems.

      Before all that, all Negear kit was fine. Like some other commenters I had a ReadyNASv1 (SPARC) which was great. My brother had a v2 which was crappy and dumbed-down by comparison. Eventually I swapped that for a Synology DG214+ for significantly better features.

      Next time I'll think about getting something that takes one of the WRT varients...

    7. asdf Silver badge

      the key with netgear

      Probably will even avoid netgear hardware for my next router but honestly I have nothing but good things to say about my current WNDR3700v2. Of course that is one of the best routers for putting open source firmware on which is why I bought it and should be any IT's person first question before buying a router. Netgear software is garbage fit only for existing long enough after purchase to allow putting real firmware on it.

  3. The Blacksmith
    FAIL

    Since we're kicking Netgear

    Their code is getting crappier and crappier. On the WNR2000v5 they can no longer handle NAT and internal routing. Something they had in previous models. So, if you have an internal network with multiple subnets the NAT only works on the local net, all the other subnets are not NATted at all. Of course, the documentation doesn't mention this limitation, although it claims the router supports NAT and networks.

    1. BugabooSue
      Pint

      Re: Since we're kicking Netgear

      @The Blacksmith

      I just posted about the WNR2000 being a "Stinker". Seems I was not the only one to get saddled with one of these POS routers. Sadly.

      Have a beer on me!

      Susi xx

      1. Anonymous Coward
        Anonymous Coward

        Re: Since we're kicking Netgear

        I got one thinking at least it's a common model that supports alternative firmware. Nope. Not v5.

        Something about a particular bootloader used in v5 and a bunch of newer routers. Maybe they'll sort that now that the spat between OpenWRT and LEDE is supposedly over. Not to mention that these routers are in dire need of an open-source fix.

    2. bombastic bob Silver badge
      FAIL

      Re: Since we're kicking Netgear

      some of the gripes I've had over Netgear in the past, are their ridiculous wifi G solutions with multiple antennae. OK I worked for an antenna company that helped to produce the Siemens SE568, which did REAL antenna steering for 2.4Ghz G wifi back in the day, but I still remember all of the crap performance that was MEASURED by the techs at Airgain, which slapped in the face of Netgear's ridiculous claims. They even claimed 'MIMO' for their "solution", before the pre-N spec even. what a crock! And I never liked the way their cardbus software worked on windows boxen. It was always a bit of a pain to set up a netgear client on a windows laptop, and their access point configuration wasn't much better [as I recall].

      One of the Netgear devices (from the late noughties) actually sent most of the signal STRAIGHT UP, due to its overall shape. Antenna pattern basically STANK. And that was MEASURED in an anechoic antenna chamber designed specifically to measure radiation patterns. It looked like an oversized chip clip. Yeah, THAT one.

      Some of the easiest things to set up: DLink. Linksys installs their crapware and it "takes over" too much. Netgear is difficult to work with, and doesn't [or didn't] play well with others [i.e. don't install another Atheros-based card in the computer, or driver conflict may ensue]. Admittedly, however, if you didn't use THEIR DRIVERS you'd be ok [and that includes Linux or FreeBSD].

      But the DLink was usually one of the easier ones to deal with. /me has an older DLink wifi router that I bought for cheap online and it's still working. Has its bugs but they've been dealt with. If it angers me, at some point I'll just put OpenWRT on it or something.

      1. Matt Bryant Silver badge
        Devil

        Re: bombastic bob Re: Since we're kicking Netgear

        "....Netgear....DLink....Linksys...." Well, the best way to avoid the problems of consumer networking gear is simply to avoid consumer networking gear. Standard MO for consultant project teams - setup project office, insist on quality WiFi router bought out of the operating budget (with lifetime professional support), complete budget, then quietly take the quality unit home. I've lost count of the number of contractors' home offices I've seen with "acquired" 3Com, HP or CISCO routers. And printers, scanners, etc. True, the big boys of networking do screw up every now and again (CISCO Catalysts and the dreaded Ping Of Death spring to mind!), but you can usually count on their support delivering a fix pretty quickly and for long after a consumer vendor would drop support for a product.

    3. PTCruiserGT

      Re: Since we're kicking Netgear

      I'm not sure how Netgear never got in trouble for using OpenWRT, adding their vulns to it, then not contributing their changes back. Which is probably also why there's no OpenWRT or LEDE release for the WNR2000v5.

    4. Mark 65

      Re: Since we're kicking Netgear

      I always thought you bought Netgear because it's normally easy to replace the firmware with Tomato/Open-wrt/Gargoyle etc.

  4. W. Anderson

    tech retailers just as dense as consumers on this Netgear security issue

    The very sad and sick aspect of this Netgear Router firmware fiasco is that at least 2 large technology retailers in my area of Northern New jersey, USA, one Staples and the other a Bestbuy sneered when I showed them the CERT warning just after public disclosure, one totally ignorant of the issue, and the other indicating that they were aware, but since their corporate or distribution center had sent no action update, they would continue to sell the 3 or more affected Netgear routers, without even warning purchasers of probable critical firmware upgrade requirement soon thereafter

    There is no wonder that it is neigh impossible to thwart Cyber intrusions in USA when technology sales companies and consumers are blaze and a bit dense about using common sense and prudence in addressing technology security issues.

    1. This post has been deleted by its author

  5. MondoMan

    Been like this for more than a decade

    As with other commenters here, I swore off Netgear over a decade ago. Not only was their firmware buggy, but they clearly had decided not to invest much time or effort on updating/fixing firmware, even on so-called "business-class" products. The only Netgear items I keep around are their unmanaged ethernet hubs/switches, because they're dirt cheap and don't have any user-changeable firmware.

    1. Joerg

      Re: Been like this for more than a decade

      Don't spread lies.

      Although some Netgear products don't get regular firmware updates as they should (the WN203v2 AP comes to mind) many other are continously updated both consumer class and business class.

      The SRX5308 VPN got many firmware updates and they improved performance fixing bugs while they lied on the FVS336Gv2 that has WAN bandwidth issues (ISP connection above 35Mbps just don't work, a 50Mbps connection or higher is slowed down due to WAN ports issues) and the firmware updates don't fix anything and they refuse to replace it with the FVS336Gv3 with which they resolved the WAN ports bandwidth issues at the hardware level.

      So some with some products they do the right thing while with others the managers need to get fired.

  6. Anonymous Coward
    Trollface

    It's not a bug, it's a feature!

    What has happened here is that someone accidentally discovered the NSA backdoor. That's right: this was an intended feature to be used by the NSA, probably thought off by some government drone.

    Surely you can't blame them for overlooking the possibility that others might attempt to use it as well? ;)

  7. Marky

    Firmware from Netgear? :‑J

    I didn't know Netgear did firmware. Neither of my past Netgear routers ever received a firmware update, despite me checking regularly. That must cover 13 years at least. Oh and the latest one when sending out emails always show up with a datestamp of 1/1/1970. What hope is there? :‑J

    1. Charles 9 Silver badge

      Re: Firmware from Netgear? :‑J

      Odd. I just got one for my R7000 this Tuesday (an R7000 which I've noted hasn't really changed its price in the two years since it was introduced, meaning it's still in high demand). If this is the same company, then it's suffering a split personality here.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019