Associated CVE IDs: None
NETGEAR is aware of a password recovery and file access security vulnerability on some routers and modem routers.
NETGEAR strongly recommends that you download the latest firmware as soon as possible. Firmware fixes are currently available for the following affected products:
- D8500 running firmware versions 1.0.3.27 and earlier
- DGN2200v4 running firmware versions 1.0.0.82 and earlier
- R6300v2 running firmware versions 1.0.4.06 and earlier
- R6400 running firmware versions 1.0.1.20 and earlier
- R6400v2 running firmware versions 1.0.2.18 and earlier
- R6700 running firmware versions 1.0.1.22 and earlier
- R6900 running firmware versions 1.0.1.20 and earlier
- R7000 running firmware versions 1.0.7.10 and earlier
- R7000P running firmware versions 1.0.0.58 and earlier
- R7100LG running firmware versions 1.0.0.28 and earlier
- R7300DST running firmware versions 1.0.0.52 and earlier
- R7900 running firmware versions 1.0.1.12 and earlier
- R8000 running firmware versions 1.0.3.46 and earlier
- R8300 running firmware versions 1.0.2.86 and earlier
- R8500 running firmware versions 1.0.2.86 and earlier
- WNDR3400v3 running firmware versions 1.0.1.8 and earlier
- WNDR4500v2 running firmware versions 1.0.0.62 and earlier
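To check a device inventory against the list above, the following added example (not NETGEAR code) compares each firmware version numerically, component by component, because plain string comparison misorders values such as 1.0.1.8 and 1.0.1.20. The function names, the sample inventory, and the tolerated leading `V` and trailing `_…` suffix in version strings are assumptions of this example.

```python
import re

# Last affected firmware version per model, copied from the advisory list above.
LAST_AFFECTED = {
    "D8500": "1.0.3.27", "DGN2200v4": "1.0.0.82", "R6300v2": "1.0.4.06",
    "R6400": "1.0.1.20", "R6400v2": "1.0.2.18", "R6700": "1.0.1.22",
    "R6900": "1.0.1.20", "R7000": "1.0.7.10", "R7000P": "1.0.0.58",
    "R7100LG": "1.0.0.28", "R7300DST": "1.0.0.52", "R7900": "1.0.1.12",
    "R8000": "1.0.3.46", "R8300": "1.0.2.86", "R8500": "1.0.2.86",
    "WNDR3400v3": "1.0.1.8", "WNDR4500v2": "1.0.0.62",
}
_BY_UPPER = {m.upper(): m for m in LAST_AFFECTED}  # case-insensitive model lookup

def parse_version(text):
    # Assumption: inventory strings may carry a leading 'V' and a trailing
    # suffix such as '_1.2.3'; only the leading dotted part is compared.
    m = re.match(r"\s*[Vv]?(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def status(model, firmware):
    """Classify one device as 'affected', 'fixed' or 'not-listed'."""
    canonical = _BY_UPPER.get(model.strip().upper())
    if canonical is None:
        return "not-listed"
    # Integer tuples compare numerically: 1.0.1.20 > 1.0.1.8, 1.0.4.06 == 1.0.4.6
    if parse_version(firmware) <= parse_version(LAST_AFFECTED[canonical]):
        return "affected"
    return "fixed"  # newer than the last affected version listed

# Constructed sample inventory (not real devices).
INVENTORY = [
    ("R7000", "V1.0.7.10_1.2.3"),
    ("wndr3400v3", "1.0.1.20"),
    ("R6300v2", "1.0.4.6"),
    ("R8000", "1.0.3.48"),
    ("R7800", "1.0.2.40"),
]

def audit(inventory):
    return [(model, fw, status(model, fw)) for model, fw in inventory]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print(*row, sep="\t")
```

A result of `not-listed` only means the model does not appear in this advisory's list.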
To download the latest firmware for your NETGEAR product:
- Visit NETGEAR Support.
- Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.
  If you do not see a drop-down menu, make sure that you entered your model number correctly, or select a product category to browse for your product model.
- Click Downloads.
- Under Current Versions, select the download whose title begins with Firmware Version.
- Click Release Notes.
- Follow the instructions in the firmware release notes to download and install the new firmware.
Disclaimer
The password recovery and file access security vulnerability remains if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this advisory.
Acknowledgements
Thanks to Martin Rakhmanov of Trustwave for reporting this security vulnerability.
Common Vulnerability Scoring System Vector
CVSS v3 Rating: High
CVSS v3 Score: 8.4
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Contact
We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being proactive rather than reactive to emerging security issues is fundamental for product support at NETGEAR.
It is NETGEAR's mission to be the innovative leader in connecting the world to the Internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.
To report a security vulnerability, visit http://www.netgear.com/about/security/.
If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com.
Revision History
2017-08-18: Published advisory
2017-08-31: Changed latest affected firmware version for the following models:
- D8500
- DGN2200v4
- R6400
- R6400v2
- R7000
- R7100LG
- R8300
- R8500
All versions listed now are earlier than the versions that were listed previously.
2017-09-29: Removed incorrectly listed models, added CVE ID information, added CVSS score details, updated reporting email addresses.
Last Updated: 09/29/2017
Article ID: 000045848