
Your Netgear router may expose your password if you don’t update its firmware

Netgear acknowledges router vulnerability, urges firmware updates

The security of internet infrastructure devices like routers and wireless access points, along with all kinds of devices that connect through them, has been of particular concern lately. Recent distributed denial of service (DDoS) attacks have originated in Internet of Things (IoT) devices, for example, and a slowdown in such issues doesn’t seem imminent.

Although Netgear recently released firmware updates to resolve a malicious link exploit in its line of internet routers, yet another issue remains to be tackled. This time around, it’s a vulnerability that can expose the administrator password in certain Netgear routers, as Tom’s Hardware reports.

According to security firm Trustwave, Netgear routers have suffered from a couple of security vulnerabilities since April 2016. Trustwave contacted Netgear on a number of occasions during the ensuing nine months, but Netgear didn’t provide a direct response, although it did eventually issue a security bulletin covering the issue.

As researcher Simon Kenin indicated on the Trustwave blog Monday, the vulnerability is simple enough that even someone with limited programming skills can exploit it. Kenin describes the bugs as such: “After few trials and errors trying to reproduce the issue, I found that the very first call to passwordrecovered.cgi will give out the credentials no matter what the parameter you send. This is a totally new bug that I haven’t seen anywhere else. When I tested both bugs on different Netgear models, I found that my second bug works on a much wider range of models.”

The two bugs require either physical access to a router or remote access to be turned on. According to Trustwave’s analysis, at least 10,000, and likely hundreds of thousands or even millions of devices, are potentially vulnerable. For Netgear’s part, the company did issue an advisory in June, along with a workaround for the issue, and has since released firmware updates to resolve it.

Netgear subsequently reached out to us with a statement on the issue. Here it is in its entirety:

“NETGEAR is aware of the vulnerability (CVE-2017-5521), that has been recently publicized by TrustWave. This is not a new or recent development. We have been working with the security analysts to evaluate the vulnerability from the time they first contacted us.  After being notified of the vulnerability in April, we released the first batch of fixes in June and prioritized the products based on the greatest number of customers or shipments.  Since that time we have continued to release fixes for the remaining products, most of which are older obsolete products with a smaller install base, although it is important to note that we notified users of workarounds for all affected products contemporaneously with the first batch of fixes in June, so no one would be vulnerable pending the remaining fixes.  NETGEAR has published a knowledge base article from our support page, which lists the affected routers and the available firmware fixes.

Firmware fixes are currently available for the majority of the affected devices. To download the firmware release that fixes the password recovery vulnerability, click the link for the model and visit the firmware release page for further instructions. For devices that are still pending final firmware updates, please continue employing the advised work around, which for most users requires no action to be taken.

Please note that this vulnerability occurs only if an attacker has access to the internal network, which requires close physical proximity plus WiFi password access, or when remote management is enabled on the router. Our routers are shipped from the factory with remote management turned off by default and can only be turned on through the advanced settings, so unless you have affirmatively enabled remote management on your router, no further action is required.

NETGEAR does appreciate and value having security concerns brought to our attention. We constantly monitor for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.

It is NETGEAR’s mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.”

The bottom line, as usual, remains the same: Ensure that your router is fully updated with the latest firmware and that you have turned off all unnecessary features — such as remote access capability — that could open your network up for attack. Conducting research on which internet-connected devices are considered secure should also be added to the list of specifications when making a purchase.

Story originally published in January 2017. Updated on 02-01-2017 by Mark Coppock: Added Netgear statement.
