Some popular Netgear routers contain a security flaw that is evidently easy to exploit and can make users vulnerable to a CSRF attack.
About this time I’m wondering if I’d even purchase a Netgear router.
You’d think that with all of the recent fuss about the insecure Internet of things, especially when it comes to routers, any router maker would be on top of it and patching vulnerabilities as soon as they’re discovered.
Evidently not, as far as Netgear is concerned.
On Friday, a researcher with the online handle Acew0rm published a vulnerability that the U.S. CERT Coordination Center (CERT/CC) at Carnegie Mellon University has rated as “critical,” giving it a score of 9.3 out of 10 using the Common Vulnerability Scoring System. Over the weekend, Netgear confirmed the vulnerability, saying that its R7000, R6400 and R8000 routers were possibly vulnerable. However, PCWorld has reported that another researcher has looked into the matter and has indicated that other Netgear Nighthawk routers are vulnerable, including models R7000, R6400 and R8000.
So why did Acew0rm publish the exploit? It’s a familiar story. It appears that he notified Netgear of the vulnerability in August but never heard back from them.
Again, you’d think that a company marketing routers would want to patch their routers sooner rather than later given recent IoT news, wouldn’t you? I ask you, is this any way to run a router company?
The flaw exposes the router to a Cross-Site Request Forgery (CSRF) attack, in which an attacker who lures a user to a malicious website can hijack that user’s browser. Although the folks at CERT/CC are recommending that users remove the routers from service until Netgear issues a patch, Lucian Constantin has published some possible workarounds on PCWorld for users who aren’t able to do this.
Over at Computerworld, Michael Horowitz opines that those considering buying a Netgear router “can use this issue to gauge how the company deals with security.” No thanks. I’ve already made my evaluation. Netgear made the decision to sit on top of this vulnerability for four months, evidently doing nothing about it. They’re only acting on this now because of press reports and because an exploit has been made public, meaning the black hats are ready to pounce.
Meanwhile, we have to get a handle on the Internet of insecure things now. Not later.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
I have the feeling of having dodged a bullet, since neither my Netgear DSL modem/router nor my Netgear wifi router is one of the listed models. Then the other side of me wonders if I really did dodge a bullet or if the news just isn’t out yet. For better or worse, tomorrow is a new day with new opportunities for “stuff,” of course.
Closed source code is unfit for any purpose involving security, i.e. unfit for any purpose at all.
You should know already …
in order to be popular, or in other words
so that people would purchase some products,
you must be …
Apparently Netgear are now releasing patches to fix this problem. I imagine they are worried about a drop in sales, and are only now doing this as a PR exercise to stem that drop.