Security Warning From Netgear. 23.06.2020

A security warning I received today from Netgear regarding vulnerabilities in some of their products.

Security Advisory Notification

D6300
Hi XXXX,

We have become aware of vulnerabilities involving certain NETGEAR products and have issued a security advisory. Our records indicate that you may own a NETGEAR product that is one of the impacted products, specifically the model set forth above.

We have released hotfixes addressing some of the vulnerabilities for certain impacted models and continue to work on hotfixes for the remaining vulnerabilities and models, which we will release on a rolling basis as they become available. We strongly recommend that you download the latest firmware containing the hotfixes as instructed in the security advisory. We plan to release firmware updates that fix all vulnerabilities for all affected products that are within the security support period.
Until a hotfix or firmware fix is available for your product, we strongly recommend turning off Remote Management in your product Web GUI (not to be confused with Remote Management in the Nighthawk app).
Turning off Remote Management in your product Web GUI significantly reduces your risk of exposure to these vulnerabilities.

Please keep in mind that Remote Management in your product Web GUI is turned off by default, so if you never enabled Remote Management in your product Web GUI, you do not need to take any action to disable Remote Management in your product Web GUI.

Please note that the Remote Management feature in your product Web GUI is different from the Remote Management feature in the Nighthawk app. You do not need to turn off Remote Management in the Nighthawk app and doing so will not serve as a workaround for these vulnerabilities.
If you have Remote Management in your product Web GUI turned on, please turn it off immediately.
How to turn off Remote Management in your product Web GUI:

  1. On a computer that is part of your home network, type http://www.routerlogin.net in the address bar of your browser and press Enter.
  2. Enter your admin user name and password and click OK. If you never changed your user name and password after setting up your router, the user name is admin and the password is password.
  3. Once you have logged in successfully, select the ADVANCED tab on the browser screen.
  4. Click on Advanced Setup.
  5. Click on Remote Management.
     Note: on some products you may need to click on Web Services Management instead.
  6. If the check box for Turn Remote Management On is checked, click on it so that the box is unchecked. Then click Apply to save your changes.
  7. If the check box for Turn Remote Management On is unchecked, then click Cancel to leave the page as Remote Management is already turned off.
Best Practices

As a reminder NETGEAR recommends following best practices to secure your home network by using a strong & unique WiFi password, and not sharing your WiFi password. Use the Nighthawk App to monitor devices connected to your WiFi network, and block unknown devices; check that your product has the latest firmware and update it with a single click.

Stay Informed

This community article will be updated as new information becomes available.
3 Likes

Bit of a lack of information but this seems like a whole heap of security problems e.g. CVE-2020-14426 … CVE-2020-14442 (a cool 17 vulnerabilities), summarised as

  • disclosure of administrative credentials
  • cross site request forgery
  • command injection by an unauthenticated attacker
  • command injection by an authenticated user

In other words, a security mess.

In the meantime, they are telling you to turn off Remote Management - but really you should in general always have Remote Management off anyway (and they do note that that is their default).

<rant>
What really annoys me is that they are only going to fix this for those products that are “within the security support period”.

So for older products, they are just going to leave them old and broken, sitting on the internet, a risk to both the person who owns the older product and a risk to internet users as a whole, since every old, broken device can be used as a staging point for attacks somewhere else.

This is both irresponsible and wasteful on the part of the manufacturer (since the owner of such a product should really throw it out - if indeed the owner ever finds out about the problem). The manufacturer has a clear financial incentive not to support older products - but the opposite would seem to be in the interests of society.
</rant>

4 Likes

Interestingly I haven’t received this notice. So thanks for posting it.

I believe this only applies if you are using your products as a modem.

If you are on the NBN and using one of NBN Co.'s modem boxes, then this is not relevant.

I’m sure that Netgear could have organised a notification to be sent out to anyone who connects to see if there is a firmware update. (They haven’t done this.)

As a side note, I have had my Nighthawk D6300 for several years, and there hasn’t been one firmware update for it that I can recall. Ever. In comparison our D7000 router has had multiple firmware updates. Never understood that, and I don’t think it was because the D6300 was perfect as it was. Another oddity with it was that the updated Netgear app for the smartphone wouldn’t work with the D6300, only with the D7000, so I have to have both the new and the old app installed.

2 Likes

Sadly no, remote management also applies to Routers behind the NBN Modem and may allow a remote user to gain control and use the router. A bit harder to do but if the owner is using the default user name and password to access the router then it is open to this abuse.

For your D6300 Router the most current is
https://kb.netgear.com/000037347/D6300-Firmware-Version-1-0-0-102-All-Regions-Except-NA-and-Germany

There have been a number of them and these ones https://kb.netgear.com/23697/D6300-Firmware-Version-1-0-0-30 & https://kb.netgear.com/29737/D6300-Firmware-Version-1-0-0-96-All-Regions-Except-NA-Germany show that between the first and the newest release there have been a few, going by the release number 30 vs 96 vs 102.

4 Likes

Thank you.

I had been relying on the Netgear interface’s Router Update option. This obviously doesn’t work with the D7000 updates, as mine was on v90…

I have updated to v102. :slight_smile:

As for remote management, that was all greyed out on v90, but is now accessible on v102. It appears that I had that already turned off.

Appreciate your assistance once again.

2 Likes

This is pretty much standard advice for any web-facing product. If you do not have an absolute definite need to access it from outside your home it should not be visible - let alone accessible - on the Internet.

If you do have an absolute compelling case to have remote access to your router/PC/light bulbs, put them behind a VPN. You may also want to put a filter on your router limiting which IP addresses can even see the open port/s.

6 Likes

I have not used our Netgear modem/router since we had the NBN connected a few years ago.

I suspect that I received the email as I registered it with Netgear and they also send me emails regarding new products.

3 Likes

I left it in place, just turning the modem off. It works well functioning as the NBN router.

4 Likes

And while the following advice is only security through obscurity, if you do make a device accessible on the internet then don’t use the default port number. That way, many casual intruders who are just scanning all IP addresses looking for open ports will most likely miss your device. That will cut down on the amount of crap that you see and perhaps make it more likely that you will notice a more serious attempt to hack in.

For remote management, the default port may well be port 80. Port 80 should be avoided, as should port 8000 and port 8080.

2 Likes

Shodan will still find it.

2 Likes

It was more to defeat casual intruders, who only check a very few common and well-known ports. If someone is going to scan 47,000 ports on each IP address then, yes, they will find the open ports but they will spend a lot lot lot more effort doing it - and with a greater likelihood of detection, both on the original scan and on the subsequent more detailed attempt to access.

2 Likes
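Added example, not from the thread or from Netgear: the last two posts argue that moving the management port off 80/8000/8080 only fools casual probes, and that a full port sweep is far noisier and therefore easier to notice. That reasoning can be checked against a router's own dropped-packet log. The script below assumes iptables-style DROP log lines (constructed here, using documentation IP ranges) and an assumed non-default management port of 49152; it labels each source as a casual probe of well-known admin ports, a full sweep, or other, and flags whether the moved port was reached.

```python
import re
from collections import defaultdict

# Ports a casual scanner tries first when looking for router admin pages.
COMMON_ADMIN_PORTS = {80, 443, 8000, 8080, 8443}
SWEEP_THRESHOLD = 100  # distinct ports from one source before we call it a full sweep
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (src_ip, dst_port) from an iptables-style DROP line, or None if it does not match."""
    m = LINE_RE.search(line)
    return (m.group("src"), int(m.group("dpt"))) if m else None


def classify_sources(lines, mgmt_port):
    """Label each source: 'probe' (only common admin ports tried), 'sweep' (a full port scan,
    noisy and easy to spot) or 'other'; hit_mgmt says whether the moved management port was found."""
    ports_by_src = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ports_by_src[parsed[0]].add(parsed[1])
    report = {}
    for src, ports in ports_by_src.items():
        if len(ports) >= SWEEP_THRESHOLD:
            kind = "sweep"
        elif ports <= COMMON_ADMIN_PORTS:
            kind = "probe"
        else:
            kind = "other"
        report[src] = {"ports": len(ports), "kind": kind, "hit_mgmt": mgmt_port in ports}
    return report


def _line(src, dpt):
    # Constructed log line in iptables LOG format; addresses come from documentation ranges.
    return f"Jun 23 10:01:02 router kernel: DROP IN=ppp0 SRC={src} DST=203.0.113.9 PROTO=TCP DPT={dpt}"


MGMT_PORT = 49152  # assumed non-default remote-management port (constructed value)
# Constructed sample: one casual probe of the usual admin ports, one full sweep that also
# reaches the moved management port, and one stray hit on a port that is neither.
SAMPLE_LINES = (
    [_line("198.51.100.7", p) for p in (80, 8080, 8000)]
    + [_line("192.0.2.44", p) for p in range(1, 1025)]
    + [_line("192.0.2.44", MGMT_PORT)]
    + [_line("203.0.113.200", 22)]
)

if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE_LINES, MGMT_PORT).items():
        print(f"{src:15} {info['kind']:6} ports={info['ports']:5} mgmt_port_hit={info['hit_mgmt']}")
```

On a real router the lines would come from its syslog export; the thresholds are starting points to tune against your own traffic.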