(Update 12/20/16 at 9:53am PT: Netgear told Tom's Hardware in an email that it plans to release "final firmware for all of the affected routers" today. The company also updated its security advisory with additional information about what routers are affected and for what routers firmware updates are now available. Anyone who owns a Netgear router should check the company's website to see if they need to update the device's firmware.)
Netgear announced that it has released beta firmware updates for routers with critical security vulnerabilities. The company also said the problem was more far-reaching than expected, and that a security researcher's warning about the issue from August slipped through its reporting system's cracks.
The security issue could have allowed anyone to completely take over affected routers with a malicious website or advertisement. At first, the problem was thought to be present only in R6400 and R7000 routers; then it expanded to include R8000; and now, Netgear has added other models to the list. As the company discovers more products affected by this vulnerability, at least, it's also swiftly releasing firmware updates to improve their security.
"Acew0rm" on Twitter discovered the security problem in August. They said that they emailed Netgear about the vulnerability but never received a response. The company didn't acknowledge the issue until CERT released a warning to consumers telling them to immediately stop using the affected devices. Four months passed between the first disclosure and Netgear's acknowledgement of the vulnerability, and Netgear knows that's unacceptable.
Here's what a Netgear spokesperson told Tom's Hardware in an email:
This vulnerability, which has come to be referred to as VU 582384 was overlooked in our review process. We initially became aware of this vulnerability last Friday, December 9th, when CERT emailed us, and because we had no record of a prior report, began our standard process of validating prior to making any public statements. Once it had been disclosed that the first notification occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part. While no security reporting system is perfect, we aim to do better, and are evaluating how to improve our response process.
Netgear has now acted swiftly to address the problem. It's released beta firmware updates for 11 models of its routers in just a few days. If the patch resolves the issue, the company might have plugged a hole in its security that could have put its customers and the rest of the internet at risk. Still, this shows that even companies with the proper systems in place can miss vulnerabilities and demonstrates how hard it is for researchers to make sure their warnings are taken seriously.
The full list of routers affected by this discovery can be found below:
Netgear is still looking into the issue, however, so customers should be on the lookout for any firmware updates regardless of which Netgear router you use.