back to article Microsoft warns of serious vulnerabilities in Netgear's DGN2200v1 router

Netgear has patched serious security vulnerabilities in its DGN2200v1 network router, following the discovery of "very odd behaviour" by a Microsoft security research team - a somewhat understated way of saying that attackers can gain "complete control over the router." Unveiled by the company at the Consumer Electronics Show …

  1. redpawn Silver badge

    Ouch!

    How much code do they replicate from device to device, or do they write unique bad code for each one? I want network device code to be better than what I write as it is exposed to the world.

    1. Version 1.0 Silver badge

      Re: Ouch!

      It's a ten year old design so the manufacturer probably stopped worrying about the code about 8 years ago and it probably hasn't been updated since then. Bad code is profitable ... time to buy a new router.

    2. elsergiovolador Silver badge

      Re: Ouch!

      Given how much developers are paid, why would they care?

  2. elregidente

    I've had a dim view of Netgear since about 2008.

    They may have improved since then.

    I bought one of their routers. The specs were impressive, reviews found the performance was impressive.

    Once I had the thing, I found two issues.

    Firstly, and this unlike the second issue is rather nebulous, I've lot of experience with large bodies of unmaintainable C code and the UI to configure the device *totally* gave me that vibe. The options, the ways thing were arranged, interacted - it did not feel good.

    Secondly, and this to me was the give-away, upgrading the firmware wiped all the settings, *and it was not possible to load saved settings from a previous version of the firmware*.

    Settings should of course be saved in something like XML or what-have-you, and you can then load them, parse them, and get as much sane information from them as you can. Not being able to do so means settings were being saved a binary blob, which combined with my bad feelings about the whole thing in the first place. It also meant upgrading the firmware then involved 15 minutes of configuration work (there were a lot of options).

    Over the years since then I've noticed quite a few stories of the most basic security blunders, although in fairness you can say that pretty much about all router vendors.

    1. Kevin McMurtrie Silver badge

      Re: I've had a dim view of Netgear since about 2008.

      Malformed self-signed certificates, unsecured RMIs, telnet backdoors, trivial DoS by hitting high resource URLs, and a customer support team that will "pass your information on" and never call back. I threw out all of my managed Netgear equipment around 2010 because it was clear that Netgear should not be making network gear. Yeah, the products feel like they're decades of old code duct-taped together and maintained by short-term contractors.

    2. Annihilator Silver badge

      Re: I've had a dim view of Netgear since about 2008.

      Similar bad experiences with Netgear, but with one exception - their unmanaged switches aka, the little blue metal boxes. I never think twice about lobbing one into the mix and probably have 3 dotted around the house currently. In 20 years I've had one fail - and technically it was the PSU/wall-wart that gave up. In fact they're so ubiquitous, it took me ages to realise what had failed.

    3. Jay 2

      Re: I've had a dim view of Netgear since about 2008.

      I too have given Netgear a miss for quite a while now. They used to make some OK kit, but I had two (different model) ADSL routers in quick succession with the same problem of WiFi stopping working... and then magically springing into life when a wired device switched on.

      Their support wasn't great. I ended up talking to someone who said it was a known bug and I should apply a certain version of firmware. The catch was that was for a US device and I had a UK device. When I pointed that out his tune changed and it was as if the previous exchange didn't happen. The router went back for a refund and I ended up with a Linksys. That sucked too, but at least the WiFi worked.

    4. Alpine_Hermit

      Re: I've had a dim view of Netgear since about 2008.

      "in fairness you can say that pretty much about all router vendors"

      I tend to agree, but over the past 3-4 years I've been using Fritz equipment at home and I'm quite impressed. Not perfect, but settings are in XML at least and you don't lose them when you upgrade firmware, and there are typically one or two firmware updates a year. Old kit is also well supported with updates.

  3. Anonymous Coward
    Anonymous Coward

    The consumer brand networking gear is hot garbage

    D-Link, Netgear, it doesn't matter they are all unfit for purpose. Home routers are like home AV software. Sad thing is that the small office crap is also terrible, but also paradoxically 4x as expensive.

    The whole market segment is ripe for a pitch invasion. Its gotten bad enough that people have started building their own out of a SFF PC that has more than one network port. Most will run circles around the consumer gear to, and can auto update themselves to boot.

    1. Chewi

      Re: The consumer brand networking gear is hot garbage

      Their higher end stuff is no better. I'm no security researcher but even I figured out how to get root access through their telnet interface on the SRX5308 a few years back. It was enough to allow me to flash OpenWRT onto it, despite not being supported by the distro at all, though I never did get the weird network hardware working properly. I was going to report the issue but I realised they'd already fixed it in a subsequent firmware update, probably only by accident though, as they'd changed much of the software stack.

  4. Gene Cash Silver badge

    Netgear is like IE

    It's good enough to download OpenWRT, like IE is good enough to download Chrome.

    1. EnviableOne Silver badge

      Re: Netgear is like IE

      helps that the modems are quite good, or at least they used to be ...

      the Netgear ADSL modems would sync on a wet piece of string, which was great if your line is piss poor and you live in the sticks...

  5. Henry Wertz 1 Gold badge

    yeah

    yeah I saw kit like this a few years back. like (url)&auth=foo and it turns out you could just skip the login screen, use direct urls, chop off the auth part, no auth required. Nice.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021