If you own one of these 45 Netgear devices, replace it: Kit maker won't patch vulnerable gear despite live proof-of-concept code Netgear has quietly decided not to patch more than 40 home routers to plug a remote code execution vulnerability – despite security researchers having published proof-of-concept exploit code. The vuln was revealed publicly in June by Trend Micro's Zero Day Initiative (ZDI) following six months spent chivvying Netgear behind …
Some of these are not routers, though. For example the WNCE3001 is a simple wifi-ethernet bridge, USB powered, which was useful to connect devices without their own WiFi (i.e. my Sky box).
Even difficult to replace now because this kind of device is mostly extinct, usually smaller and cheaper extender come with a built in AC plug making putting them where reception is good an issue, and buying a whole AP or mesh node just to connect a single device is more expensive.
For now I firewall it to keep it safe.
If you have an ISP supplied router you should run it in bridge mode (if supported, if not see if they have a different model that does support it) and use your own router instead. Then you can insure it is kept up to date and secure (ideally with DD-WRT, OpenWRT, or similar)
Unfortunately while this is trivial for the typical reader of a site like this, it isn't really feasible for the average consumer who ends up doubly screwed by their ISP using a product that's no longer patched, or even if it is patched that the ISP doesn't deliver those patches to customer devices.
I've tried, with my shit Virgin up that has the shitest built in aerials but, the Draytek it is bridged too, gets an IP address yet doesn't ever go out to the Internet. I don't know what Virgin are doing to it but it refuses to get an Internet connection so I'm still stuck with the shitty Virgin hub.
I feel your pain with that terrible Virgin hardware, but trying to replace with DD-WRT on an Archer C9. It's only been relatively recently it's been that hard to use modem mode with a Virgin super hub, so I guess some firmware update messed things.
This https://community.virginmedia.com/t5/QuickStart-set-up-and/Superhub-3-Modem-Mode-No-Internet-No-WAN-IP/td-p/3379154/page/2 was the magic post for me. Although a few others had useful hints.
* Make sure you use the same LAN port on the back of the superhub, the one closest to the coax cable seems to be the consensus
* Reset the router into HUB mode with only your PC connected, let it get the MAC address
* Plug everything back in and clone MAC address from PC to your intended replacement router
* Make sure you are not requesting a hostname in the DHCP address.
* Switch the superhub back to modem mode and reboot router.
Cloning sometimes seemed to work, sometimes not. I just know it's some magic combination of the above. YMMV.
Not strictly related but I have a couple of BT HomeHubs but as is my luck, they are both of the version that isn't suppoorted by Open-WRT.
Maybe that's why BT didn't want them back :-)
If you do want to upgrade to OpenWRT - which I'd strongly recommend you look at BTW, make sure that the hardware you get IS supported. It can literally be a difference between a '-A' and a '-A2' in the part number :-(
My tplink router is supported by DD/Open-WRT - indeed I checked before I bought it. However, the upgrade (side-grade?) gymnastics (for my particular device) turned out to be more than a little contorted, and so it has stayed with the manufacturer firmware. And I'm not that sure I want to risk a sudden "device-bricking related internet outage brouhaha" (aka D-BRIOB) during the current must-work-from-home situation.
Quite a few of them are broadcom based which tends to mean openwrt is not an option due to lack of open source drivers. dd-wrt handles some of them though.
Amazing anyone buys their products anymore given how it seems every year a major security hole is found in just about all their products, and then they fix half or 2/3 or them, and ignore the rest.
I contacted them to advise them that they'd been added to the "do not buy" list.
Damn, their support website is embarrassingly terrible: trying to validate input while I'm still entering it, sending me verification emails with no verification link(?!), and when I try to upload a screenshot to illustrate how their support site is broken and terrible, I get a 403. Lol.
Maybe avoiding their kit won't be a pity after all.
The CSS on that advisory page linked to in the article is horribly broken too. The right edge of the text is unreadable in Pale Moon.
I'm not interested in doing any more business with a company that not only won't support its products, but can't even employ a competent web author. (There's no need for a "web designer" for something this trivial.) I've only had one Netgear product, but it'll be the last and only one.
The problem, of course, is finding anything better. People used to recommend Ubiquiti but their prominent recent failures in support and privacy have put them too on my do-not-buy list. It's hard to find one of the specific models that are supported well by DD-WRT because vendors change them so often.
The right edge of the text is unreadable in Pale Moon
Well obviously that's your fault for not using chrome. Duh. You can hardly expect people to write CSS that works in a compatible way. It's not like it's a well-defined standard and pretty straightforward to do for anybody half-way competent.
overflow-x is sooo overrated and soooo 2017. No way anybody could possibly want to scroll horizontally on a table full of data. Didn't you know? Everybody uses chrome running maximised on a desktop at 1920x1080.
I almost expected a "This page best viewed in IE6" logo at the bottom of the page.
There's no need for a "web designer" for something this trivial
Yeah. Like the input validation thing: if they had done any UAT at all this would have shown up.
I said in my support ticket that it looks like somebody's twelve-year-old nephew has just figured out how to install Visual Studio. Now I'm thinking that I overestimated them and it was actually an eight-year-old.
The problem, of course, is finding anything better.
Indeed. Cisco perhaps? Are they terrible as well as expensive?
But I think this sounds like a problem for future AntiSol to deal with - I think I'll just hope that none of my current kit breaks. Ever ;)
dammit, of course I noticed 11 mins after posting that it's actually not overflow-x, it's widths set in element styles on every td element in the table (zomg!), combined with nowrap. I can't decide whether that has been added by a braindead web author or a braindead javascript library.
Interestingly, the table only displays properly in chrome because chrome is ignoring the nowrap attribute they've added for some reason I can't be bothered to debug.
it affects waterfox, too, not just pale moon. I'd be curious to know whether it shows up in the latest firefox (but not curious enough to install the latest firefox).
Netgear has been off my “buy” list ever since the DGND3700 v1 ADSL Router I bought in 2011 was EOLd 13 months after release even though the ADSL support was still fucked and not working properly. I managed to get it mostly reliable thanks to a beta version of the firmware, that was never officially released, from support after much nagging. Even then I had to download it from that well know legit file distribution service Dropbox. Support was switched to the v2 Hardware released 6 months later.
They abandoned HW they knew was not working to spec because selling stuff is more profitable than supporting it afterwards. Netgear can go fuck themselves with a big rusty razor blade.
In comparison my Draytek router is 3+ years old and still getting new features plus bug fixes.
their modems were great, i remeber a DG834g getting sync on a line that might as well have been wet string....
but times change, and all the suppliers iu used to rely on have either been bought or mis mangled into being useless now.
Might have to do some research and replace my aging business grade box with something new....
Out with the low-end components for us... We've had so few issues with our new vendor, that I'm forgetting how to do things on their interfaces. Seems like we were always hunting down a performance issue\setting with NG and I was poking round regularly.
Off my personal list as well. From what I can tell, the WiFi radios tend not to last past a year or so. True or not, the "refurbished" one I bought stopped working for WiFi soon after I bought it; I ended up buying an RT-N56U and setting it up as an access point to handle the WiFi.
Not sure how much I'm liking Asus right now, either. I recently bought a GT-AC5300 and paired it with an RT-AC68R via AiMesh. My duplex is small enough that AiMesh should be overkill, but I had the 68R, so why not? Turns out the 5300's WiFi continually disconnects, even from devices less than two meters away. OTOH the 68R is rock-solid, so I moved it to a more central location and we've been happily using it ever since.
So much for MU-MIMO being the be-all to end all. My high-end WiFi router doesn't even WORK.
"calls from government agencies for new laws forcing manufacturers to reveal devices' design lifespans at the point of purchase"
How will PCWorld/Currys survive?
"Would you like to extend the guarantee on that router that we just found in the back of the warehouse?"
A better legislation would be to enforce a minimum guaranteed lifetime with support, particularly for consumer level products as the buyer is really only interested in buying an item and switching it on. Expecting the average consumer to keep up with security and continuing updates when most of them don't really understand how their electric kettle works, is asking a lot.
Seeing as it's clear (and I imagine admitted by Netgear) that the fault has always existed and so existed at time of purchase, I wonder how they can reconcile refusing to fix the problem with EU directive 1999/44/EC?
AIUI, after 6 months the consumer needs to prove the fault existed at time of purchase (which I imagine is now trivial) and so the consumer is entitled to repair / replacement / refund within 5 years (or a reasonable period for the product).
My (admittedly lay) interpretation would be that a router should reasonably last 5 years and so for those newer than this Netgear could find themselves on the receiving end of a lot of returns... to the point I imagine it would be cheaper just to roll out firmware updates!
Can't argue with you there. I'm using pfsense myself.
However, I'm still not sure whether Netgear not bothering to patch a vuln which likely has little real world application and isn't hitting any devices newer than 5 years old is really something to keep me up at night.
Netgear may not support old kit, but are any of the other vendors of consumer grade routers that much better? I've had 6 different routers over the years, from 5 different vendors, and my current ASUS router has had the longest support of any of them at just over 3 years and counting - not that impressive. The last two before the ASUS, from Linksys and D-Link, didn't get much more than a year of firmware updates. And no I don't believe their routers didn't need updates - they just didn't want to spend the money.
Consumer routers, and internet-of-shit-things is just a disaster in the making.
I have an ASUS RT-N66U which I brought back in July 2013 (I think had been out a year or so) and the ASUS webpage lists latest firmware as of June 2020 - it is now being used in media bridge mode as I have upgraded to a tri-band AX router where it was dropping out (mainly I think due to other routers close by)
Billion do seem to offer updates with appliances past their EOL.
Quite popular in Australia; and generally well made. Also expensive.
.
Even if a model is EOL (End Of Life) we will support where we can, however for older models where Billion HQ is no longer producing firmware we can only support to the same level that HQ supports us.
https://forum.billion.uk.com/viewtopic.php?t=11136
.
Weirdly, that randomly found thread started off with a user slagging Netgear...
.
Billion for whatever other issues they have, are one company that do supply firmware updates across there whole range of routers. So even for products already long EOL they can still add firmware updates.
Apple are also another company that do update all products that match a series.
For instance all the N wireless routers.. will have firmware updates right across the board. Not that they are necessarily a great idea.. 7.6.3 newly released update, (and the previous 7.6.2 which disappeared super fast so the series now jumps that version) have more bugs than the average insect zoo.
https://forums.whirlpool.net.au/archive/2055342
.
.
I like Billion.
Yep. They cranked out a model of their Nighthawk X6S for one of the warehouse club chains, the model R7960P. Apparently, a large number of these have a problem where they don't actually save their configuration properly, so when the power is removed from the device, it resets back to factory. Netgear's official response was "pay us XX for a support ticket, and we'll RMA it with another unit that may or may not have the same exact problem". And while I could take it back to the warehouse club to RMA it there, (this particular chain has a fairly generous returns policy!), it was easier for me to just buy something else that was DD-WRT compatible (a TP-Link AC1750, which has a 'beta' firmware on DDWRT that seems to work just fine.)
Linksys was crap since cisco bought them, although I will state that I have a stack of D-WRT'd WRT-54G/GL routers that work rather well, despite being very obsolete. (which was the primary driving force behind getting something that supported both 2.4 and 5Ghz radios and was a little more modern.)
Yes, Netgear are being naughty but what about all of these so-called "smart Home" devices? They too need updating from time to time.
What is worse, is the fact that a lot of them use a closed cloud provided by the manufacturer and, when the manufacturer decides to force an upgrade / move on / go bust / get taken over, then the, usually dumb, users are left with non-working systems and more land-fill.
We are sleep walking into a real problem for consumers and there must be stiff and enforceable legislation to stop this happening.
Can this be exploited from the WAN side or just the LAN? If it's only the LAN side then you'll need a malicious device on the network and that depends on how secure your stuff is. If you keep away from IoT junk and don't try to download a whole app store then you might be ok. Less diligent family members will increase the risk. If it can be exploited on the WAN side then let the router meet the bin ASAP.
Many years back I used Netgear switches at work - they were cheap and reliable and robust. I have since recommended their products to others as devices that work reliably. It unfortunately seems that the current management has decided that it is not worth spending money to keep a good reputation. With this move it becomes clear that they are now no better than "no name" Chinese firms.
Yes, and it's still one of the few reasonably-priced vendors I can install in USA businesses, because Netgear is one of the very few who perform Dept. of Labor mandated safety tests, getting the UL, ETL, TuV, or other government-approved 'Listed' marking. I'd love to use any number of other vendors but they just aren't compliant with the law. If D-Link can certify a $15 dumb switch, why can't $Highly-Reviewed-Vendor do the same for a $500 smart switch?
- http://jeramiah.net/2014/01/it-doesnt-matter-what-you-think-setting-up-the-linksys-ea6900/
*
There are REAL problems with Linksys routers. My experience with the EA7500 was exactly as described above.
*
In summary, the ONLY EASY way to configure was to set up a customer account on a Linksys server, so that the customer (and also Linksys) could manage the router from anywhere in the universe.
*
The alternative was a NIGHTMARE....see the link above for details of the nightmare.
*
My solution -- hit the factory reset button and give the EA7500 to the local charity shop.
+1 for any form of open source firmware on such devices. dd-wrt, OpenWRT / LEDE all work well.
At least the community cares about longer-term than the corporate view of "did I sell a unit to some sucker", "how can I minimise the ongoing support cost" along with "fuck the planet, sell them a new one next year when they realise that this one is crap"
The initial install of any open source firmware on such devices may take a bit of effort, but short, medium and long term, you are better off with ongoing maintained firmware and generally a far better feature set than the brain-dead firmware for Mr average with "Can I watch Netflix and porn"
The big challenge is how to take people that don't understand even the basics (like how to plug it in or update firmware) and explain why this is in their own interests.
What is interesting though is how those that have experienced the open source firmware are always happy with the result and will often share a bottle of wine or two whilst you configure it all up and explain the concepts to them and I know from experience that many remember some of the important bits from their informal training.
"sell them a new one next year when they realise that this one is crap"
I wonder how many times they can pull that before the average person wises up and chooses a different brand?
[don't hit reply, it's a rhetorical question with a likely very depressing answer]
I don't think you're wrong, I just wouldn't expect small home-grade devices over a decade old (which the couple samples I took from the list are) would be supportable. I don't like Netgear, as they tend to be cheap on features and quality, but this seems to be a bit too much to expect.
Been using a couple for seems like 10 years, First with Tomato then DD-WRT, LEDE and now OpenWRT.
Software has evolved over time, now use a locally compiled snapshot with custom (stripped down) config.
I know their limitations and how to side step issues in the upgrade but starting afresh I wouldn't start from here.
The best router is a separate computer that runs OpenBSD. OpenBSD has exceptionally good support and the included PF firewall is just perfect.
Also, the included unbound caching dns resolver is very nice.
All you need is a separate computer, motherboard and memory and small ssd. I use ssh to log into mine for configuration, update issues. No keyboard or monitor required for normal use. Doesn't have to be big but it is nice if it has built in video on the processor. AMD 3400G is overkill but an excellent choice, I didn't want an intel anymore (gag). Also, a 2 port network card is required obviously. The intel one works very well.
I used to use linksys wrt64gl as a router but is long since out of date. The successors don't compare to the openbsd setup for reliability and performance.
I like OpenBSD as much as anyone, but it requires a bit of skill and knowledge to set up and use. Patching is difficult. That's a very different market from Netgear home routers.
A separate PC with multiple NICs is not strictly necessary. I've done the "router on a stick" thing with multiple interfaces that share a single Ethernet port. I've even run an OpenBSD firewall as a VM. Okay, I wouldn't run a business through that, but again look at the audience. It's not a bad way to get started.
Alternatively: One of us should collate this information and create a --it list of vulnerable and unsupported devices, grouped by manufacturer. (and reviewers could then consult this list and say a few words about what the consumer can expect)
OTOH. I do not care if some 10BASE2 gear from the 90s no longer receives any security updates. Then again, OEMs ought to publish sufficient information so that the open source community can have a fighting chance of providing support should the need arise.
Does anyone actually have their router portals open on the wan side? Is this even a risk on a consumer level device? [They have] probably got way bigger issues on their network.
This can be exploited by a malicious web site sending javascript to a web browser. We could debate whether web browsers are a "big issue," but it's a common one.
and a week ago I'd just dug up my old WNDR3700v3 to use as an extra WAP to provide coverage for the north end of my rather long and linear house...
.... so as of a couple hours ago, its running OpenWrt 19.07.3
Speaking of annoying Netgear features, the same 'model' WNDR3700 could have any of 3 or 4 different chipsets depending on the version. v1, v2 were Atheros, V3 is Broadcom, V4 is a different Atheros, and V5 is a MediaTek. *yuck*.
Some of those devices are well over 10 years old, warranty is 1 or 2 years. No surprise they aren't being patched, technology has improved dramatically, if you still have one of those old devices install DD-WRT on it or buy a more modern device!
This particular bug is a beatup anyway, its only an issue if you turn on Remote Management in the Web GUI, which probably almost no one does!
For those looking for ways out of the traditional consumer grade modem game, these have recently become more widely available https://www.proscend.com/en/product/180-T.html
Given that they're apparently just a media converter, I'm not even sure if they have a CPU, let alone firmware. Certainly a huge reduction on attack and maintenance surfaces at any rate.
There's also this, but it's really just a conventional modem on a card so has some disadvantages https://www.draytek.com.au/products/adsl-vdsl-modem-routers/vigornic-132f/
Neither of these are any use in securing your Aunt Mabel of course, but for the more technically inclined of us they represent a viable alternative to ISP supplied tat.
Yes, some of these routers are very old, and if it is more than 4 or 5 years since they were being sold, I can understand not offering new patches. But as El Reg states in the story, some of these can be bought in the marketplace right now.
Remind me to not buy Netgear's gear.
It's about time that the laws were changed to 'force' companies to address critical flaws that can compromise peoples hardware... regardless of the so called 'support window'. Security is not something that can be tossed aside because it's 'inconvenient to profit margins'...
Or how about fines for each device that is found to have a critical security flaw.... and by each device... I mean every single one they sell. 20% of the retail cost per device if it's not patched within 30-60 days of them being notified of it.
Of course it will never happen... if you can't get the companies that make these devices to take security seriously... how the fuck can you ever expect your average muppet on the street too.
In 2014 I was working in the UK when I got a phone call from my ISP. It turns out my consumer wireless router was spewing spam.
(It was 2:00 am in the UK) I called, told my wife to unplug it. When I came back to the states for my break, I had purchased a Meraki which was already sitting there. I set it up and never looked back.
Is it overkill for the average home? Maybe.
However in times like this (COVID-19) where working from home is becoming the norm... the commercial grade products make more sense. (Especially since we do all sorts of things online these days)
You pay a subscription fee... but lets face it... you probably spend more money in a pub over a month.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
