Netgear 0-day vulnerability analysis and exploit

blog.grimm-co.com

127 points by geeklord 6 years ago · 101 comments

Sodman 6 years ago

The worst part is this isn't even just going to affect folks that would never think to update their router firmware. The firmware they do push out is frequently a massive downgrade.

About a year ago, I tried to update the firmware on my Netgear router. It was the exact model from the article, the R7000. I assumed "new update" for router firmware would involve some critical security updates, and maybe some stability fixes, but it basically rendered the router unusable. It would crash every few hours with normal usage. I googled around and turns out it was a known issue, the only recommended fix was "roll back to version x.x.x (2 versions prior)". I found this fix months after it had been posted, and there had still been no new patch released to fix the issue.

When my relatives call me to fix their wifi, I now have to think twice about updating the firmware. These days I recommend the google wifi mesh router(s), because they just involve the least maintenance effort. They have less fine-tune controls and the wifi speed is slightly slower when you start approaching gigabit speeds (vs other high-end consumer routers), but it's definitely worth the trade off for me. Plus, anyone calling me to help with their wifi won't notice either of those things :)

  • kelnos 6 years ago

    > The worst part is this isn't even just going to affect folks that would never think to update their router firmware. The firmware they do push out is frequently a massive downgrade.

    I worked there a bit over 10 years ago, so things may have changed, but honestly I wouldn't expect them to change all that much. For that kind of hardware (SOHO stuff), Netgear didn't have any software developers in-house. It was all outsourced to dev shops in Asia. The software was usually whatever generic thing the dev house had built, with customization for branding and enabling/disabling features Netgear wanted or didn't want. Occasionally they would pay to add features that didn't exist.

    Netgear usually didn't get source code, and would only get changelogs for new releases (which weren't all that detailed). There were often many regressions, and all bug testing and feature verification was black-box. When something was wrong, it was often a fight to get the dev house to prioritize it, especially if they didn't think it was a critical bug (declaring a bug a shipping showstopper was usually effective, but you can't cry wolf all the time, and that only works for pre-release products, not updates).

    I imagine things are better now; at the very least I expect these developers to have at least a little more awareness of common security issues and how to avoid them (definitely was not the case in the 00s), but I assume it's still a mixed bag. On the plus side, most of the current-gen hardware is beefy enough to run Linux, which a lot more developers are familiar with (IIRC a lot of the stuff back then was running vxWorks), which hopefully makes it easier to hire better developers.

    If you want high-quality software on your networking gear, go with a company that you know is actually a software company, and not an outsourced hw/sw company. Products that are based on OpenWRT or Tomato or something like that are probably safer, assuming they haven't broken it with their customizations... but don't expect updates to new major releases. Having said that, I still buy Netgear switches and other stuff that's internal to my network and are generally relatively "dumb". They're usually pretty reliable and reasonably priced.

  • tw04 6 years ago

    Highly recommend the synology line of routers. I've deployed a few of them for neighbors and have gotten exactly 0 calls. They mesh over wired or wireless, and for all of their faults Synology does a pretty good job of releasing software updates for their products for WAY longer than any other vendor I've worked with.

    Just make sure you use the 2600AC as the primary router, the 2200s can technically function in that role but are pretty under-powered.

    • clairegraham 6 years ago

      Does the 2600 allow you to set a static DFS channel? It looks like it might support an auto-switch mode but I can’t find anything specific.

      • ThePowerOfFuet 6 years ago

        >static DFS channel

        This is a contradiction. The whole point of DFS is "if you detect radar on this frequency you must stop transmitting on it". This is typically followed by a change of channel to avoid an outage of the Wi-Fi, hence "dynamic frequency selection".

        • clairegraham 6 years ago

          I know how it works. Static was the wrong word, but my current router (Netgear) lets you set a primary DFS channel, and based on my tests, the channel selected does affect performance.

          As far as I can tell, there isn’t even a way to perform auto DFS selection on my current router.

  • jeffbee 6 years ago

    The best thing about setting up Google wifi routers for your relatives is you can set yourself up as the manager of them, and manage them with the Google Wifi app from anywhere. So before Uncle Bob calls you about the wifi you'd already have got the notification that his cable service is down again.

    • londons_explore 6 years ago

      I've had a pretty disappointing run with those Google Wifi routers...

      It started with the lack of ability to have an open guest wifi... Like - it's for my guests, I want anyone to be able to connect, and I don't want to be faffing with passwords or guests having to ask me... I have to name my network "My House - Password Is password"

      Then every month it seemed to do some kind of update and disconnect wifi devices... Sure - it's only for 30 seconds, but a disconnection is a disconnection. That's going to boot you off whatever game you are playing...

      And now I've got the trouble that as you have a bunch of mesh points, you can't walk between them without glitches in a video call... Like seriously - I should be able to start facetime and walk round my house without random freezes for 5 seconds while it reconnects to a different mesh point.

      Google Wifi has been out for years now, and not a single one of these bugs is any better than it was at launch. Not really acceptable for a $400 router setup!

      • jeffbee 6 years ago

        Google Wifi just released a new version in June 2020. The one before that was October 2019, and June 2019 before that. That's only 2 updates per year. How disruptive is that?

      • ndesaulniers 6 years ago

        If it means the software is up to date, then I can live with an interruption. It might be nice to have power controls, but I think they do a fair job keeping the UI simple. That's not to say a power user UI couldn't be added, but it certainly increases the testing burden to add new features that need to be tested for regression.

    • antsar 6 years ago

      Sorry to be "that guy", but how about not giving an advertisement company access to all your network traffic (while paying them for the privilege)...

      Almost every router supports some form of remote management (or just put TeamViewer on their machine). Most also support dynamic DNS so you can set up a ping check for the "it's down" notification.

      • Sodman 6 years ago

        The fact that I've paid them for the hardware gives me more confidence that I'm not the product. Ironically, the fact that I can get TeamViewer for free and use it to get remote access to others' computers makes it feel like a higher threat attack vector for me.

        Before I bought the Google mesh wifi, I already had android, chrome, project Fi, and Google's DNS (router level) at various levels of my request stack. That's not even counting search, gmail, and calendar. If Google are playing shady games with my network traffic, whatever marginal gain they get from having software on my router is negligible. Especially compared to the awful PR backlash they'd get once somebody hooks some monitoring gear up to their hardware and exposes it.

        • antsar 6 years ago

          > the fact that I can get TeamViewer for free and use it to get remote access others' computers makes it feel like a higher threat attack vector for me.

          I agree. I gave that example because I personally use it, but would prefer to move to a self-hosted or inexpensive paid solution. I've always assumed the free version has sufficient business value as a lead-generator for the enterprise version, but there's no reason to assume they don't also monetize usage data.

          > I already had android, chrome, project Fi, and Google's DNS ... whatever marginal gain they get from having software on my router is negligible.

          That's a totally fair way of looking at it, and I'd probably use Google Wifi with little hesitation if I were you. But this isn't the case for everyone. IMHO tech folks need to be mindful of privacy implications when recommending tech to non-tech folks, because we have the benefit of understanding those implications. FWIW, my immediate family would be displeased if I installed a Google router for them and they later figured out Google's conflict of interest for themselves.

      • sdinsn 6 years ago

        You are concerned about Google having "access" to network traffic, but you have no concerns about putting TeamViewer on someone else's machine?

        • antsar 6 years ago

          TeamViewer's publicly-known business model has nothing to do with advertising or otherwise monetizing your private data, while Google's does. There's nothing inconsistent about using one while avoiding the other.

          That said, I agree TeamViewer is in a position to collect & monetize my usage by nature of being cloud-dependent & closed-source. I'd rather use an open-source self-hosted option. Haven't found a good one yet, but that doesn't mean we should ignore privacy hazards where they can be easily avoided.

      • jeffbee 6 years ago

        Sorry to say that you are "that guy" and your comment, in addition to adding nothing to this conversation, also detracts from HN generally and contributes to the perception that it is an unserious place haunted by the deranged and irrational.

        "Google Wifi and Nest Wifi devices do not track the websites you visit or collect the content of any traffic on your network."

        • antsar 6 years ago

          Disagree about "adding nothing". We're talking about hardware for nontechnical family/friends, who might not understand the conflict of interest. It's not nice to project your apathy/disbelief that Google would abuse the access onto those people.

          The name-calling is really not necessary. Why not make your point on its own merits?

          The doc[0] you're quoting continues to list a bunch of things they do collect, including some with no opt-out. Way to cherry-pick.

          Even the part you quoted does not exclude traffic metadata.

          [0] https://support.google.com/wifi/answer/6246642?hl=en

    • thoraway1010 6 years ago

      I do this with my elderly parents. Doubles as a "power's gone out - are they freezing" alert.

  • moepstar 6 years ago

    Another brand I vouch for is AVM, their routers are all over Germany and they're reliable workhorses for years...

    Maybe, just maybe, someone should start a list with vendors that put out shitty software on their devices, never deliver firmware updates and have stupid exploits...

    • colechristensen 6 years ago

      >Maybe, just maybe, someone should start a list with vendors that put out shitty software on their devices, never deliver firmware updates and have stupid exploits...

      You might as well just list every vendor, the exceptions are rare and don't always last.

    • yjftsjthsd-h 6 years ago

      > Maybe, just maybe, someone should start a list with vendors that put out shitty software on their devices, never deliver firmware updates and have stupid exploits...

      I don't disagree, but perhaps it would be better to list the vendors that push bad software and whose hardware doesn't let you run a better firmware. After all, if the hardware is decent and can run OpenWRT or such, who cares how bad the stock firmware is?

  • mizzack 6 years ago

    One of the redeeming features of the R7000 is that it can run AdvancedTomato, DD-WRT, etc.

  • RNCTX 6 years ago

    DD-WRT on the R7000 is flawless.

    I even run nginx as a name-based proxy on mine, with load balancing! Works like a champ.

  • coronadisaster 6 years ago

    For all software, we need 2 branches... one with feature updates and security fixes and one with only security fixes (Maybe AI will figure out a way to make this happen). That would reduce the number of bugs in one of the branches.

  • cptskippy 6 years ago

    > I found this fix months after it had been posted, and there had still been no new patch released to fix the issue.

    D-Link isn't any better, many of their firmwares to fix KRACK were in Beta for 4 years and many are still in Beta.

0fcf8d3559a64c 6 years ago

I am sick of having to assume my network hardware is trivially compromised.

What will it take for me to be able to purchase a microkernel driven router/access-point with audited drivers (or Rust based)? I would settle for mediocre performance (ie no gigabit) if I could have some strong security guarantees.

Can I set up Redox or seL4 as home network hardware at this point? Or would the pain threshold still be quite high?

  • hpkuarg 6 years ago

    I run an OpenBSD router at home. I'm not sure if that would satisfy your security requirements.

  • dehrmann 6 years ago

    > I am sick of having to assume my network hardware is trivially compromised.

    I don't have the gateway my ISP gave me on my LAN for this reason. I do have to laugh a little bit about people who use a VPN to hide requests (DNS? Because most of the web is HTTPS, now) from their ISP when their ISP has a device on their network.

    • WorldMaker 6 years ago

      Even personally owned hardware has its risks from today's ISPs. DOCSIS standards require every off the shelf cable modem to basically have giant "management" back doors for the ISPs. They can remotely install firmware updates to your modem that you own for "your safety" and there's not much you can do about it.

  • nicolaslem 6 years ago

    The tough part in my opinion is the access point. You either have to:

    - Put a wireless card in the router, but a lot of them are crap (limited features, not dual band, require closed firmware, not compatible with *BSD...)

    - Buy an access point appliance, but most of them are as secure as the Netgear devices of the fine article.

    • antsar 6 years ago

      > - Buy an access point appliance, but most of them are as secure as the Netgear devices of the fine article.

      1. The AP isn't directly exposed to inbound traffic from the internet.

      2. You can put the AP's management interface on a VLAN without internet access and/or use firewall rules to the same effect.

      I'm way less worried about the security posture of my AP than my internet-facing router.

  • theincredulousk 6 years ago

    Get an enterprise router/firewall.

    Also most of these vulnerabilities (as the article points out) are in the web server. If the web server isn't exposed, it isn't of much practical security concern.

    I've also run DD-WRT for years with excellent results. Per the usual benefits of open source and active maintainers, it is generally going to (a) have the trivial stuff already addressed (b) keep up to a reasonable extent with security patches.

    • user5994461 6 years ago

      >>> Get an enterprise router/firewall.

      I would have said the same some time ago, working in networking in a world largely made up of Cisco.

      But then a few major vulnerabilities later and blog posts disclosing vulnerabilities that they refused to acknowledge when contacted. Then I'm not sure paying for enterprise equipment is a solution anymore.

  • cptskippy 6 years ago

    You seem to imply that by virtue of being a microkernel, an OS will be imbued with magical powers preventing it from being compromised.

mobilio 6 years ago

It's another reason, once you've bought a router, to reflash it with alternative firmware such as OpenWRT or DD-WRT.

Namidairo 6 years ago

I noticed there's a gap in some of the affected lists. (Mainly the MediaTek/Ralink mipsel hardware) They don't appear to have the same httpd binary talked about here. (Instead they have a mini_httpd?)

They do appear however to be still very vulnerable to CVE-2020-8597 (no PIE or stack cookies, probably RWX stack) and for the one device I took a look at (R6700v2), the firmware image hasn't been updated since last September.

Oh well.

Meekro 6 years ago

I've used Apple routers for many years, but since they've been discontinued I wonder what I'll do when I need to replace them. All the major alternatives seem to have crap software that requires frequent reboots and has security issues.

Can anyone recommend an awesome wireless router that works great off the shelf? I don't want to have to learn how to flash it with DD-WRT.

  • an_opabinia 6 years ago

    In my experience, the biggest gain is from separating the router from the wireless AP. It lets you choose among more affordable, purpose built and higher performance devices.

    Specifically I would recommend the TP-Link EAP line as a wireless AP (the $50 EAP225v3 is very good). Extremely simple to configure. Routers that perform well require configuration unfortunately, especially economical ones like the MikroTik ($50). It lacks out of the box settings for port forwarding and hairpin NAT, though it has the simplest secure VPN setup I have ever seen. The only router that competes with its performance (ie can route gigabit Internet at full speed) with easy config is the Cisco RV340, which costs $220 and is 3 years old.

    Apple discontinued its wireless routers because they were bad. Apple routers run an ancient and naturally no longer patched version of NetBSD. They have terrible wireless performance on the worst Broadcom chipset with awful quirks. They mix with non Broadcom wireless devices extremely poorly (typically Atheros is the high performance pick). They are extremely slow, not at all suitable for gigabit Internet. If you update the port forwarding they must restart, and take down your internet. However, they are basically purpose built for correct macOS and iPhone multi-AP WiFi hand-off. There are things they do that not even enterprise hardware does right or may ever do right, simply because Apple does not document the magic that makes it possible. Or because Apple uses such bad chipsets with so many quirks, that only those quirks all working together do things go right. If I were you, I’d eBay away your 7 year old Airport Express to some greater fool, and use that surprisingly large amount of money to buy good stuff.

    Anyway, most people shove their wireless AP into a bookshelf, taking at least 30% of their internet bill worth of performance and lighting it on fire. People use mesh networking wireless, like the Eero, something so abjectly bad it boggles the mind, because they’d rather spend $300 once to only use 50% of their internet’s monthly value than $10 once on Ethernet cable to get 100% of it. Sometimes they buy Ubiquiti hardware, which is ancient and overpriced at this point, and wind up paying for some internet configuration license that makes no sense. I really pity the people paying a monthly fee for mesh wireless configuration. This stuff is extremely marketing driven, it is in reality just the same exact commodities (two possible wireless chipsets and Linux) remixed into whatever crap Google thinks will convince people to let them gather home networking telemetry.

    But configuring a MikroTik is not easy. So there you go.

    • Meekro 6 years ago

      I'm surprised to hear you recommending TP-Link. They've had several serious security issues that have been discussed on HN[1]-- do they worry you?

      Also, why do you dislike Eero? Someone else on this thread recommended them, and they do have many glowing reviews.

      [1] https://hn.algolia.com/?q=tp-link

  • msh 6 years ago

    I used to have Apple gear, replaced it with an EdgeRouter for a while but that was too much of a bother. Now I've got an AmpliFi HD which is more or less an Apple experience in a good way.

  • beamatronic 6 years ago

    Eero

    • post_break 6 years ago

      I almost went full Unifi, got lazy and got Eero. So far everything has been fantastic. It's not perfect but it works and delivered on its promise. Speed is fast, it's not Wifi 6 but neither are any of my devices. Paid full price too, not a shill here.

      • WorldMaker 6 years ago

        Ubiquiti has a consumer/prosumer brand called Amplifi now. It's got the ease of something like Eero but the decade of experience of Unifi. (They also already have a WiFi 6 mesh router at the top of the line on the prosumer side.)

        • hedora 6 years ago

          I recommended an Amplifi to some friends that aren’t computer-savvy, and didn’t hear back. (Their previous router was crashing frequently.)

          I visited them a few months later and noticed it, so I asked about it.

          They had kind of forgotten about it. There were zero problems setting it up and zero problems since. They said they thought it was kind of pricey.

          If I remember right, it was $50 more than the cheapest (but terrible) one with similar specs. It was $100 less than an expensive, terrible and comparable one.

          I can’t imagine a more favorable review of consumer networking gear. :-)

          Also, I have had zero issues with the Ubiquiti access point I use at home. I have a pcengines apu2 OpenBSD router, so I can’t say much about their routers.

          • WorldMaker 6 years ago

            Very similarly, I recommended Amplifi to my parents. They've had a couple issues with it, but that's due to a complicated bit of their new house more than Amplifi itself.

            The house they just moved into had a strange audio LAN wired through the house when it was built. The audio LAN had a couple CAT-5E ports for "expansion" (presumably?) on each floor just about perfectly located for WiFi AP backhaul. So I worked with my parents on a plan to try three of Amplifi's routers rather than one AP and two "Satellites".

            This seemed to work alright. The Amplifi phone app wasn't great about setting up a multi-AP mesh of that sort just yet (as opposed to the focused use case of one router/AP and several "satellites") and didn't always have the best experience (in navigation/details), but other than UX complaints, the system just works as expected.

            However, my parents then discovered that there were "hidden" components also wired to the Audio LAN somewhere between the primary Audio LAN router and the "expansion ports", which meant that some of the system's speakers stopped operating. (It would have been great to have a wiring diagram of the whole LAN. We did a lot of trial and error discovery on this.)

            So my parents decided to "turn off" the backhaul by reconnecting it to the Audio LAN. There was angsty confusion that they "broke" the WiFi because they ignored/forgot my explicit instructions to disconnect the router's WAN cables on the house ports that were now again Audio LAN ports. As I had expected, once disconnected from the confusing (to people and devices alike) Audio LAN, the Amplifi Routers straightened themselves out and switched to a more traditional bridged mode ("wireless backhaul") as if they were mere "satellites".

            According to the math I did, my parents paid a lot less for that experiment with all Amplifi routers than if they'd tried it with "full" routers of any of the other brands we'd comparison shopped (and none of them seemed to offer an à la carte buying experience similar to Amplifi's section of Amazon), though obviously more than if they'd bought only one router and two satellites of any of the other brands in the first place. The extra LAN port on the Amplifi router is still critical to them on one of the floors (a home office VOIP system that "requires" a wired connection) and they couldn't easily swap at least one of the routers for a Satellite anyway.

            Other than the crazy backhaul experiment confusion, my parents haven't had any problems. I don't think we could have run that experiment with any of the other brands. My parents seem happy with the purchase and the quality of their WiFi on all three floors, which was the important thing for them, and I get the feeling they were happy with the price despite "over-paying" a tad due to the experiment.

    • yjftsjthsd-h 6 years ago

      My only concern with eero is that they're owned by Amazon. It might be fine, but it's the kind of thing that makes me nervous, particularly with "smart" systems.

stragies 6 years ago

Treat these devices like PCs:

See the installed system as "example installation to demonstrate functioning". Like HP with the bundled Crapware on PCs.

Just install OpenWrt as soon as you've done a basic function test. And only buy hardware you know to be compatible.

  • Namidairo 6 years ago

    The problem with that plan, however, is that many of these devices tend to depend on arcane network hardware acceleration features in order to reach decent switching throughput.

    Which rules out OpenWrt on some of the lower-spec pieces if you have a faster WAN connection (Ie. 1gbit), as I don't believe they have support for these on many platforms. (MT7621 is referenced as supported, and Qualcomm's "SFE" being supported in community builds)

    • philjohn 6 years ago

      Qualcomm SFE has been replaced in OpenWRT with the more generic "flow offload", on an R7800 you can get gigabit speeds lan to wan.

      Wireless is still lagging as the IPQ8064 has two NSS packet processing cores which, amongst other things, also accelerate crypto, including WPA.

      I've got an R7800 running router duties on OpenWRT and then a Netgear Orbi RBK50 set running in AP mode which works well for my needs.

      There IS a community effort to port the NSS acceleration (which accelerates qdisc and therefore traffic shaping with SQM) from the QSDK sources, but it's slow going.

    • JeremyNT 6 years ago

      You have to be careful when purchasing a device intended for use with OpenWRT. Not all low end devices are appropriate (specifically Broadcom based devices, which require proprietary software only available from the vendor or somebody signing their NDA like DD-WRT).

      The IPQ40xx devices tend to be well supported, though. Be sure to refer to the hardware list to see if a device is really supported before buying it.

      https://openwrt.org/toh/views/toh_available_16128

    • g-b-r 6 years ago

      > Which rules out OpenWrt on some of the lower-spec pieces

      It's ruled out in any case as of now, because the current releases require (or at least strongly recommend) 64 MB of RAM, which surprisingly in 2020 is a problem in the networking world (for the cheapest, under $70, devices).

    • rubatuga 6 years ago

      Openwrt on Mt7621 is phasing out hardware accelerated NAT

devy 6 years ago

    In SOHO devices like the R7000, the web server must parse user input
    from the network and run complex CGI functions that use that input.
    Furthermore, the web server is written in C and has had very little testing,
    and thus it is often vulnerable to trivial memory corruption bugs.

I wonder why these network equipment manufacturers are still using CGIs in their firmware?! Is it because the MCUs they use in their hardware are too weak to run a modern version of Linux with reasonable choices to build a custom-compiled version of the web server in Rust rather than C?

  • user5994461 6 years ago

    They're running CGI and writing homemade web servers in C because they haven't maintained or upgraded their software in decades.

    I don't think they are low power devices. My bet would be they're relatively normal hardware running a light linux. It takes quite a bit of power to route gigabit ethernet or ac wifi.

    • yjftsjthsd-h 6 years ago

      > They're running CGI and writing homemade web servers in C because they haven't maintained or upgraded their software in decades.

      Sometimes, certainly :) However...

      > I don't think they are low power devices. My bet would be they're relatively normal hardware running a light linux. It takes quite a bit of power to route gigabit ethernet or ac wifi.

      It doesn't take much compute to handle high-end eth/wifi if you offload it to hardware, and even doing it on-CPU (which I don't think is actually common) probably wouldn't impact RAM/storage, so you could still manage with a stronger CPU and comically tiny memory.

  • icedchai 6 years ago

    Rust isn't magic. And you can write CGIs in any language. Shouldn't we also ask why they are using their own web server? Or why a company with millions of devices deployed has done little testing?

    • devy 6 years ago

      > Rust isn't magic.

      Let's not go into that debate. It's a good start to improve security postures, regardless of how you spin it.

      But more importantly, my point is why are they doing CGI at all?

      • icedchai 6 years ago

        There is nothing wrong with CGI. It's simply a standard to forward a request from a web server to another application using environment variables and stdio. Generally, you want your router routing, not wasting CPU and memory running admin applications that are used less than once a month.
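
The comment above describes CGI as a standard that hands a request from the web server to a program through environment variables and stdio, and the quoted write-up attributes the R7000 bugs to exactly that C input-handling code. The following is an added example, written for this page and not taken from the GRIMM article, the thread or any Netgear firmware: a minimal CGI program in C that reads its request the CGI way and bounds-checks everything it copies, refusing oversized or malformed values rather than truncating them. The `MAX_BODY` cap and the `ssid` parameter name are assumptions made for the example.

```c
/* Added example (not from the article or any router firmware): a minimal CGI
 * handler in C. The web server passes REQUEST_METHOD, QUERY_STRING and
 * CONTENT_LENGTH as environment variables and the POST body on stdin. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY 4096 /* hypothetical cap on the POST body we are willing to read */

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode src[0..srclen) into dst (capacity dstlen); '+' becomes ' '.
 * Returns 0 on success, -1 if the value is malformed or would not fit. */
static int url_decode(const char *src, size_t srclen, char *dst, size_t dstlen) {
    size_t di = 0;
    for (size_t i = 0; i < srclen; i++) {
        if (di + 1 >= dstlen) return -1;        /* keep room for the NUL */
        if (src[i] == '+') {
            dst[di++] = ' ';
        } else if (src[i] == '%') {
            if (i + 2 >= srclen) return -1;     /* truncated escape */
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hexval((unsigned char)src[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            dst[di++] = (char)(hi * 16 + lo);
            i += 2;
        } else {
            dst[di++] = src[i];
        }
    }
    dst[di] = '\0';
    return 0;
}

/* Find key=value in a form-encoded string (QUERY_STRING or POST body) and copy
 * the decoded value into out. Returns 1 if found, 0 if absent, -1 if the value
 * is malformed or longer than out can hold (rejected, never truncated). */
int get_form_value(const char *params, const char *key, char *out, size_t outlen) {
    size_t klen = strlen(key);
    const char *p = params;
    while (p && *p) {
        const char *amp = strchr(p, '&');
        size_t pairlen = amp ? (size_t)(amp - p) : strlen(p);
        if (pairlen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=')
            return url_decode(p + klen + 1, pairlen - klen - 1, out, outlen) == 0 ? 1 : -1;
        p = amp ? amp + 1 : NULL;
    }
    return 0;
}

/* Read a POST body into buf. CONTENT_LENGTH is client-supplied, so it is checked
 * against the buffer before any byte is read. Returns bytes read, or -1 for a
 * missing, non-numeric, negative or oversized length. */
long read_body(FILE *in, const char *content_length, char *buf, size_t buflen) {
    if (!content_length || !*content_length) return -1;
    char *endp;
    long n = strtol(content_length, &endp, 10);
    if (*endp != '\0' || n < 0 || (size_t)n >= buflen) return -1;
    size_t got = fread(buf, 1, (size_t)n, in);
    buf[got] = '\0';
    return (long)got;
}

/* Self-check on constructed inputs (not captured router traffic); returns 1 on success. */
int self_check(void) {
    char out[16], body[32];
    const char *q = "ssid=My%20Home&chan=36";
    if (get_form_value(q, "ssid", out, sizeof out) != 1 || strcmp(out, "My Home") != 0) return 0;
    if (get_form_value(q, "chan", out, sizeof out) != 1 || strcmp(out, "36") != 0) return 0;
    if (get_form_value(q, "pass", out, sizeof out) != 0) return 0;
    /* a 40-byte value for a 16-byte buffer is refused, not written past the end */
    if (get_form_value("ssid=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "ssid", out, sizeof out) != -1) return 0;
    if (get_form_value("ssid=%4", "ssid", out, sizeof out) != -1) return 0;
    FILE *f = tmpfile();
    if (!f) return 0;
    fputs("pass=secret", f);
    rewind(f);
    if (read_body(f, "11", body, sizeof body) != 11 || strcmp(body, "pass=secret") != 0) return 0;
    rewind(f);
    if (read_body(f, "99999", body, sizeof body) != -1) return 0; /* oversized length refused */
    fclose(f);
    return 1;
}

int main(void) {
    static char body[MAX_BODY + 1];
    char val[64];
    const char *method = getenv("REQUEST_METHOD");
    const char *query = getenv("QUERY_STRING");
    const char *params = query ? query : "";
    if (method && strcmp(method, "POST") == 0) {
        if (read_body(stdin, getenv("CONTENT_LENGTH"), body, sizeof body) < 0) {
            printf("Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nbad request\r\n");
            return 0;
        }
        params = body;
    }
    printf("Content-Type: text/plain\r\n\r\n");
    int rc = get_form_value(params, "ssid", val, sizeof val);
    if (rc == 1) printf("ssid=%s\n", val);
    else if (rc == 0) printf("ssid not supplied\n");
    else printf("ssid rejected (too long or malformed)\n");
    return 0;
}
```

Run it the way a server would, by setting the environment before invoking the binary, e.g. `REQUEST_METHOD=GET QUERY_STRING='ssid=My%20Home' ./cgi`, or `REQUEST_METHOD=POST CONTENT_LENGTH=11 ./cgi` with `pass=secret` piped to stdin. The design point is that every length the client controls (the value length, the escape sequence, CONTENT_LENGTH) is compared against a buffer size before a copy happens; that check is what the trivially exploitable C handlers the article describes leave out.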

      • fomine3 6 years ago

        CGI is still a great environment for a simple webapp on an embedded device. Using Rust is normally overkill and increases complexity. Python/PHP should be enough.

        BTW the quality of embedded web apps mostly sucks.

esaym 6 years ago

I gave up on netgear long ago for access points. Been running stuff from https://mikrotik.com/ since 2016. They are a bit dated in some areas, but they are cheap and I've never had any issues.

alyandon 6 years ago

Reading stuff like this makes me glad I ditched consumer grade all-in-one stuff and went with a $REAL (feel free to substitute appropriate brand) router and stand alone AP.

  • jasondclinton 6 years ago

    That's not a workable solution for the vast majority of the population.

    • alyandon 6 years ago

      Sadly not. You generally have to be very technically inclined to use something like Mikrotik (which is what I'm using) and even the Ubiquiti stuff isn't as easy to use as it could be.

      • WorldMaker 6 years ago

        Ubiquiti has a consumer/prosumer brand now called Amplifi. I set it up at my parents' and it was a breeze. It's adapted well to some strange network situations they had. (A long story but they moved in to a place with an ancient audio LAN wired through the home and we explored various configurations of detaching portions of the audio LAN for WiFi backhaul.)

        • alblue 6 years ago

          Does Amplifi require some cloud login before you can use it? One of my annoyances recently is that the WiFi providers have an iOS app but require you to log into their servers to configure the thing on your local network.

          • WorldMaker 6 years ago

            It's been a couple months since I set it up, but as I recall Amplifi did not require an account to set up your mesh.

            It offered an optional "cloud" account system for remote administration (such as giving guest access when you are away or rebooting your mesh from your phone when your guest complains about the network not working, and so forth), but did not require it.

        • alyandon 6 years ago

          That's good to know and I'll definitely check that out when it comes time to recommend something for some of my less technically inclined friends and family.

      • garaetjjte 6 years ago

        Maybe better than typical SOHO, but I have been disappointed with Mikrotik stuff as well.

        • alyandon 6 years ago

          My RB3011 has been pretty much rock solid for me. If you don't mind me asking - what kinds of issues have you run into?

          • garaetjjte 6 years ago

            Wireless performance isn't great ($20 clunky China routers are usually faster), SXTsq that always slowed down horribly after a few weeks of uptime, hAP Lite firmware that died (had to be reflashed from netboot, config gone), many software problems with SXT LTE6 (stopped working after upgrade, still broken after downgrade, mysteriously after an hour of flashing various versions it suddenly started working again. An incoming voice call to the modem SIM card just breaks the connection, and it never fixes itself automatically; you need to manually down/up the interface. I now fear touching anything in this installation at all).

theincredulousk 6 years ago

Predictably, the web servers are an afterthought for branding so that users don't have to edit configuration files and operate at a command line.

(a) 99%+ of people buying these things do not know or care about security, aside from someone stealing their WiFi bandwidth (b) the manufacturer does not care because of (a).

As follows, all they care about (WRT the web server) is that they are easy enough for non-technical people to set up such that they don't end up on a tech support call or returning the device for a refund. That is it.

If you are the 1% that cares about security on your home network, it is far less stressful to simply conclude these products are not for you and move on with your life. You should be looking at enterprise hardware, open source router firmware, or rolling your own.

In any case, what surprises me is that over time the router manufacturers haven't simply built up a single, relatively patched-up, web server implementation that they re-use. Even without aligned incentives, you would think over years and years of development they'd have something at least as good as what you can clone from GitHub for free.

hathym 6 years ago

Why is this a big deal since you can exploit the vulnerability only when you are connected to the local network? (I've seen some of these exploits used to replace the installed firmware with openwrt)

  • cjbprime 6 years ago

    In general, this is not a safe assumption to make -- for example, due to DNS Rebinding attacks.

    The article also mentions that the exploit is working remotely:

    > As the vulnerability occurs before the Cross-Site Request Forgery (CSRF) token is checked, this exploit can also be served via a CSRF attack. If a user with a vulnerable router browses to a malicious website, that website could exploit the user’s router. The developed exploit demonstrates this ability by serving an html page which sends an AJAX request containing the exploit to the target device.

    Also, if you're replacing the firmware, the new firmware can create an outgoing root shell to a destination of your choice. There's no internal limitation here.

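The Host-header check that defeats the DNS rebinding case cjbprime raises, plus the "validate before you parse" ordering the quoted paragraph implies, as an added example (not code from the article, the thread, or Netgear's httpd); the allowed names, header layout and `X-CSRF-Token` header name are constructed for the example:

```python
import hmac
import ipaddress

# Names/addresses this device's admin UI legitimately answers to.
# Constructed for the example; not values from any real product.
ALLOWED_HOSTS = {"routerlogin.example", "192.168.1.1"}


def _split_host_port(host_header):
    """Return (host, port) from a Host header value; handles [v6]:port."""
    h = host_header.strip().lower()
    if h.startswith("["):                      # e.g. "[::1]:8080"
        end = h.find("]")
        if end == -1:
            return None, None
        rest = h[end + 1:]
        return h[1:end], (rest[1:] if rest.startswith(":") else "")
    host, _, port = h.partition(":")
    return host, port


def is_allowed_host(host_header):
    """True only if Host names this device (case-insensitive, port and
    trailing dot ignored). A rebinding page still carries the attacker's
    hostname in Host after the DNS record flips to the router's private
    address, so an unknown or missing Host is rejected outright."""
    if not host_header:
        return False
    host, port = _split_host_port(host_header)
    if not host or (port and not port.isdigit()):
        return False
    host = host.rstrip(".")
    try:
        host = str(ipaddress.ip_address(host))   # canonical IP literal
    except ValueError:
        pass                                     # not an IP: keep the name
    return host in ALLOWED_HOSTS


def dispatch(headers, body, session_csrf_token, parse_body):
    """Check order for a state-changing admin request. `headers` is a dict
    with lowercase keys. Foreign Host -> 400, bad CSRF token -> 403, and
    the request body is only handed to the parser after both pass."""
    if not is_allowed_host(headers.get("host")):
        return 400
    sent = headers.get("x-csrf-token", "")
    if not hmac.compare_digest(sent, session_csrf_token):
        return 403
    parse_body(body)                             # untrusted input, parsed last
    return 200
```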
aVx1uyD5pYWW 6 years ago

Is there any mitigation for this? AFAICT netgear has not released a patched firmware for this bug yet. Anything else that can be done?

AdmiralAsshat 6 years ago

https://github.com/grimm-co/NotQuite0DayFriday/blob/master/2...

>* R6300v2 version 1.0.3.6CH, 1.0.3.8, and 1.0.4.32

>* R6400 version 1.0.1.20, 1.0.1.36, and 1.0.1.44

>* R7000 versions 9.88, 9.64, 9.60, 9.42, 9.34, 9.18, 9.14, 9.12, 9.10, 9.6, and 8.34

Strange, my Netgear R6700 is not on the list. Does that mean it's unaffected, or they simply didn't have that model on hand to test against?

  • Namidairo 6 years ago

    There is a much longer list within the comments of exploit.py

    It appears they may have scraped the Netgear site and run all the images through binwalk + objdump to make the list.

jaboutboul 6 years ago

Wow. This is gonna be bad.

  • mmm_grayons 6 years ago

    Routers have been full of stupidly bad bugs for years; nothing really new here. I recall analyzing one a while back and finding that it used session tokens to determine whether one was logged into the interface. These were derived from the uptime with triple DES, but the nonce was a constant string of text and the key was based off of interface MAC addresses. One has to wonder, at that point, why do anything at all?

    • yjftsjthsd-h 6 years ago

      > One has to wonder, at that point, why do anything at all?

      Still prevents the most casual attacks; obscurity is sorta technically better than nothing. (Or worse, of course, if it gives the incorrect appearance of actual security...)

joemazerino 6 years ago

Reports of 0days always make me consider projects like OpenWRT and Tomato. I wonder how fast a non profit project can patch compared to OEMS.

DiabloD3 6 years ago

I'm surprised no one has made the semi-obligatory "buy Ubiquiti Edgerouter X/Lite and throw in a NanoHD" comment.

  • rdudek 6 years ago

    As someone who recently got the Dream Machine Pro with NanoHD access point, most of the consumers will not want to deal with such a setup. Also, Ubiquiti has their own issues to sort out as well.

    • ThePowerOfFuet 6 years ago

      >Also, Ubiquiti has their own issues to sort out as well.

      I also own a UDM Pro, and this is an understatement.

1024core 6 years ago

Is Netgear the new Adobe (see: Flash)?

abc-xyz 6 years ago

Slightly off-topic: any not-made-in-china router recommendations?

  • g-b-r 6 years ago

    AVM, I think (but not sure) that they're still made in Germany

  • mobilio 6 years ago

    Mikrotik

    • g-b-r 6 years ago

      They are made in China, at least the last I bought (at least the company and the software are not Chinese, of course)

      • mobilio 6 years ago

        Yes, but the OS (firmware) is built in the EU.

        Technically someone somewhere makes an electronic plate and sold some elements on it.

        But the difference is who wrote the software on top.

        • g-b-r 6 years ago

          ?

          Who wrote the software (and designed and sold the whole thing) is some difference, much better than nothing, but the "electronic plate" can still be filled with backdoors and other gimmicks...

  • jankiehodgpodge 6 years ago

    Draytek
