back to article Netgear was told in January its routers can be hacked and hijacked. This week, first patches released – after exploits, details made public

Netgear has issued patches to squash security vulnerabilities in two router models that can be exploited to, for instance, open a superuser-level telnet backdoor. Those two devices are the R6400v2 and R6700v3, and you can get hot-fixes for the holes here. However, some 77 models remain reportedly vulnerable, and no fixes are …

  1. chuckufarley Silver badge
    Coat

    As a Faithful Agnostic...

    ...I would like to say "God bless dd-wrt!"

    1. TheVogon

      Re: As a Faithful Agnostic...

      And a non fictional character bless Open-WRT!

  2. Anonymous Coward
    Anonymous Coward

    Funny, Chrome on CentOS 8 accepts their certificate for kb.netgear.com, but Firefox doesn't.

    1. Anonymous Coward
      Anonymous Coward

      Firefox on Windows ei fine with their cert.

  3. Evil Harry

    I'd have hoped with Netgear's enterprise aspirations, they'd be more clued up and responsive to security issues but I guess they never lost their SOHO mentality.

    1. chuckufarley Silver badge

      Wait, what...

      ...Did I miss something?

      NetGear had a mentality? As in an intellectual force driving the business and not some amorphous conglomerate of greed?

      Well, even if I did miss it at least I didn't miss much.

      1. Anonymous Coward
        Devil

        Re: Wait, what...

        Their mentality is to try to fix bugs (to the extent that they are capable) as soon as they get published by the general press (but not a moment before).

  4. Tubz Silver badge

    So do nothing, your router may get owned, patch and your router may fall over or perform like a brick, as we couldn't be arsed to test it in time before the flaw was made public. Well done Netgear, glad I dumped your brand years back !

    1. J. Cook Silver badge
      FAIL

      That's perfectly acceptable- I bought an R7690P back in december which apparently has a flaw in it that when you power cycle the device, it reverts to factory defaults. Netgear's response is "take it back to the purchase place for an exchange, or pay for a support call to swap it, even if it's under warranty."

      I replaced it with a TP-link something or other and DD-Wrt'd it- even though that firmware is still beta, it doesn't lose it's config after a power cycle...

      I'm done with Netgear at this point for good.

  5. Anonymous Coward
    Anonymous Coward

    Good wake-up call

    I haven't looked at the firmware on my Netgear Orbis for a while, bad me.

    Yeah, that fix isn't there yet. Still at least patching up to the latest release.

  6. Anonymous Coward
    Anonymous Coward

    I would never connect a wireless router to the internet except through a separate, stand-alone firewall with the default "drop all" rule. This limits the risk to your geographical neighbors. It "fixes" nothing but lowers the risks.

  7. Big Al 23

    Netgear doesn't seem very responsive to security issues unless they are publicly embarrassed.

  8. RM Myers
    Unhappy

    Grimm

    "Grimm: publishing an in-depth advisory showing how to exploit the holes, and released full, working proof-of-concept exploit code".

    I feel really conflicted about this. Yes, Netgear should have patched their routers. But how many home users update the firmware even when an update is available. I'm on my 4th router, and none have ever had a process to notify me that an update was available, let alone actually automate the updating. I have made it a habit to check Asus's website on patch Tuesday (my current router is from Asus), but does anyone really believe more than 10% of people ever check for updated firmware, if the router is still working.

    Given that reality, why publish exploit code so any jackass with time on their hands can hack people's networks. Until we have processes in place to make router (and other internet connected IOT devices) updating simple and a common practice, this seems like nothing more than showboating which hurts security, rather than helping. Free advertising for Grimm, but hardly a benefit to security.

    YMMV

    1. Roger D. Parish

      Re: Grimm

      My Netgear R6700 has the option to automatically check for and apply patches. I have it turned on, and it has worked at least once.

  9. Anonymous Coward
    Anonymous Coward

    bit of a beatup, can only be performed from a local network by default.

    1. Anonymous Coward
      Anonymous Coward

      In the fourth paragraph of the article it states that this is exploitable over the internet if the machine is exposed (as it will be in most circumstances as it will be the user's edge device).

  10. Rockets

    Just Another Reason Not to buy Netgear

    I've avoided Netgear products for a long time now. The only thing I'd buy from them is a 5 or 8 port unmanaged switch as they seem to be able to make them reasonably well for low cost but there's plenty of other players in that space now too. I had a nasty bug in Netgear ProSmart switches that would let broadcast traffic traverse VLAN boundaries such as DHCP requests, played havoc on a LAN until I found it. Netgears approach to security has always been very ordinary.

    1. Jay 2

      Re: Just Another Reason Not to buy Netgear

      I dumped them a few years back after I had two different models both decide to do something strange with WiFi unless you powered on a wired device. Unlike yourself I wouldn't give them the time of day when I needed a 5 port unmanaged switch, so got a cheapy TP-Link one.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like