This security advisory addresses the following CVE vulnerabilities: CVE-2016-10174, CVE-2016-10175, and CVE-2016-10176.
NETGEAR is aware of a security vulnerability that can, in very limited instances, allow remote access to a router or modem router, including password recovery and command execution. This vulnerability is exposed when an attacker has access to the internal network or when a user has turned on remote management on the router or modem router.
Remote management is turned off by default, so a user must have affirmatively turned on remote management through advanced settings for the router or modem router to be vulnerable in this manner.
This vulnerability affects the following products:
- D6100
- D7000
- D7800
- JNR1010v2
- JNR3300
- JWNR2010v5
- R2000
- R6100
- R6220
- R7500
- R7500v2
- WNDR3700v4
- WNDR3800
- WNDR4300
- WNDR4300v2
- WNDR4500v3
- WNDR4700
- WNR1000v2
- WNR1000v4
- WNR2000v3
- WNR2000v4
- WNR2000v5
- WNR2020
- WNR2050
- WNR2200
- WNR2500
- WNR614
- WNR618
NETGEAR has released production firmware updates that fix the remote access and command execution vulnerability for all affected products. NETGEAR strongly recommends that all users update to the latest firmware as soon as it is available, even if you already downloaded a beta firmware fix.
To download the latest firmware for your NETGEAR product:
- Visit the NETGEAR Download Center.
- Under Search for, select the check box next to Firmware/Software.
- Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.
  If you do not see a drop-down menu, make sure that you entered your model number correctly, or use the product drilldown to find your model.
- Click Release Notes under the most recent firmware version, which is the one closest to the top of the list.
  Note: Make sure that you are viewing release notes for a firmware version and not a software utility or an app. The title of the release notes page always begins with the words “Firmware Version.”
- Follow the instructions in the release notes to download and install the new firmware.
The potential for remote access and command execution remains if you do not turn off remote management or update your firmware. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.
Contact
We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being proactive rather than reactive to emerging security issues is fundamental to product support at NETGEAR.
It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those who use NETGEAR products for their connectivity.
To report a security vulnerability, visit http://www.netgear.com/about/security/.
If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com.
Revision History
2016-12-22: Published advisory
2016-12-23:
- Added beta firmware for WNR2000v3, WNR2000v4, and WNR2000v5
- Added PSV number to title
- Clarified vulnerability description
2017-1-16: Updated contact information
2017-1-26:
- Added production firmware links for WNR2000v3, WNR2000v4, and WNR2000v5
- Removed beta firmware links for WNR2000v3, WNR2000v4, and WNR2000v5
2017-2-3: Added CVE numbers
2017-6-9:
- Added 26 affected models
- Added 2 fixed models: D7000, R7500v2
- Added download instructions instead of links
- Simplified and clarified wording
- Updated contact information
2017-12-5:
- Removed a model that is not affected: D6200
- Added a statement that all models are fixed
- Removed instructions for users whose models are not fixed yet
Last Updated: 12/05/2017
Article ID: 000036549