Skip to main content

Netgear Responds to Critical Vulnerabilities With Beta Router Firmware Updates (Updated)

(Update 12/20/16 at 9:53am PT: Netgear told Tom's Hardware in an email that it plans to release "final firmware for all of the affected routers" today. The company also updated its security advisory with additional information about what routers are affected and for what routers firmware updates are now available. Anyone who owns a Netgear router should check the company's website to see if they need to update the device's firmware.)

Netgear announced that it has released beta firmware updates for routers with critical security vulnerabilities. The company also said the problem was more far-reaching than expected, and that a security researcher's warning about the issue from August slipped through its reporting system's cracks.

The security issue could have allowed anyone to completely take over affected routers with a malicious website or advertisement. At first, the problem was thought to be present only in R6400 and R7000 routers; then it expanded to include R8000; and now, Netgear has added other models to the list. As the company discovers more products affected by this vulnerability, at least, it's also swiftly releasing firmware updates to improve their security.

"Acew0rm" on Twitter discovered the security problem in August. They said that they emailed Netgear about the vulnerability but never received a response. The company didn't acknowledge the issue until CERT released a warning to consumers telling them to immediately stop using the affected devices. Four months passed between the first disclosure and Netgear's acknowledgement of the vulnerability, and Netgear knows that's unacceptable.

Here's what a Netgear spokesperson told Tom's Hardware in an email:

This vulnerability, which has come to be referred to as VU 582384 was overlooked in our review process. We initially became aware of this vulnerability last Friday, December 9th, when CERT emailed us, and because we had no record of a prior report, began our standard process of validating prior to making any public statements. Once it had been disclosed that the first notification occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part. While no security reporting system is perfect, we aim to do better, and are evaluating how to improve our response process.

Netgear has now acted swiftly to address the problem. It's released beta firmware updates for 11 models of its routers in just a few days. If the patch resolves the issue, the company might have plugged a hole in its security that could have put its customers and the rest of the internet at risk. Still, this shows that even companies with the proper systems in place can miss vulnerabilities and demonstrates how hard it is for researchers to make sure their warnings are taken seriously.

The full list of routers affected by this discovery can be found below:

R6250R6400R6700R6900R7000R7100LGR7300DSTR7900R8000D6220D6400

Netgear is still looking into the issue, however, so customers should be on the lookout for any firmware updates regardless of which Netgear router you use.

  • dgingeri
    This is something that should have come back in September, considering the vulnerability was known to them back in August.
    Reply
  • sykozis
    Did you even read the article? They had no record of a prior report before Dec 9, so it was not known to them back in August. It's been known to them since Dec 9 when CERT notified them.
    Reply
  • jkhoward
    @Sykozis - Do you honestly think it fell through the cracks.. don't be a fool.
    Reply
  • NinjaNerd56
    FYI, you have to go after this manually. The firmware updates in the device UI can't "see" the beta .18 release.

    Download from Netgear and browse for the file, otherwise it's no joy in Mudville.
    Reply
  • dgingeri
    19003963 said:
    Did you even read the article? They had no record of a prior report before Dec 9, so it was not known to them back in August. It's been known to them since Dec 9 when CERT notified them.

    Once it had been disclosed that the first notification occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part.

    Yes, they knew about it in August. They disregarded it because their internal processes regarding being informed of such things failed to include or specifically excluded outside sources of such information. In other words: they don't consider communication with their customers as a priority.

    This has to do with management style. It is "old school" to only consider internal sources of information for such things unless forced. This was the way management was taught until the last 10 years or so. I know this because I have fought with it for most of my career. Many companies are still stuck in this mentality, even in the tech industry. Cisco, Oracle, Creative Labs, VMWare, and EA are particularly bad about it. Companies like this head off in their own direction, regardless of what their customers want, and then suddenly realize they have become irrelevant.

    More pioneering companies have begun to realize that this mentality is what causes big companies to fail to stay up in their markets. They began to take heed of what their customers had to say, and even began to solicit feedback from their customers. Microsoft started it with their constant focus groups, but have lagged behind lately, particularly during Steve Balmer's time as CEO. Bill Gates had the wisdom to work with people and find out what they wanted and how they worked to create an interface that people could use easily. (Thankfully, their new CEO has headed back in this direction.) Since then, others have started this, like Blizzard, which started a very active forum system to listen to their players' feedback.

    Netgear has always been a rather isolationist company. They have very little in the way of active support, let alone user feedback. Ever try to get tech support for a bad router? It takes weeks to get a replacement. Do you think they even have any way to submit feedback on bugs? That is why they failed at this. They aren't paying attention, to their customers, the direction of the market, or the quality of their products, and they are going to pay for it in the end.
    Reply
  • sam1275tom
    I gave my Netgear away and never buy that brand again since they refuse to fix the critical(and simple) bug on my jnr3210, now I'm looking at this and laughing, good work Netgear, screw all your customers continuously, you know they are all foolish and will buy your product again!
    Reply
  • hoofhearted
    You would think they would staff someone with a rudimentary knowledge of all thing security related who keeps up. Anyway to test:

    http:///cgi-bin/;ps$IFS
    Reply
  • hoofhearted
    Opinions?

    Netgear-updated-firmware
    tomato
    openwrt
    ddwrt

    I have read that you take a performance hit with ddwrt as it doesn't leverage some of the proprietary network driver stuff as the stock fw does.
    Reply
  • hoofhearted
    Also, if you run the above ps command and see telnetd in there, you may have already been hacked.
    Reply
  • dgingeri
    pfsense seems to be about the best way to go for a router, unless you want to get into enterprise level firewalls.
    Reply