Netgear has quietly decided not to patch more than 40 home routers to plug a remote code execution vulnerability – despite security researchers having published proof-of-concept exploit code.
The vuln was revealed publicly in June by Trend Micro's Zero Day Initiative (ZDI) following six months spent chivvying Netgear behind the scenes to take it seriously.
Keen-eyed Reg readers, however, noticed that Netgear quietly declared 45 of the affected products as "outside the security support period" – meaning those items won't be updated to protect them against the vuln.
America's Carnegie Mellon University summarised the vuln in a note from its Software Engineering Institute: "Multiple Netgear devices contain a stack buffer overflow in the httpd web server's handling of upgrade_check.cgi, which may allow for unauthenticated remote code execution with root privileges."
[...] With today's revelation that 45 largely consumer and SME-grade items will never be patched, Netgear faces questions over its commitment to older product lines. Such questions have begun to be addressed in Britain by calls from government agencies for new laws forcing manufacturers to reveal devices' design lifespans at the point of purchase.
Brian Gorenc, Trend Micro's senior director of vulnerability research and head of ZDI, told The Register in a statement: "Consumers should always ensure their devices are still supported by their manufacturers. They should also check the available support before purchasing a device. Unfortunately, there are too many examples of vendors abandoning devices that are still in wide use – sometimes even when they are still available to purchase. We hope vendors clearly communicate their support and lifecycle policies so that consumers can make educated choices."
(Score: 3, Informative) by Runaway1956 on Friday July 31 2020, @09:23PM (3 children)
Should have provided a link above.
https://www.myopenrouter.com/
This site gets support from Netgear, to some degree. Pretty much every question you could ask about open-source firmware and Netgear has been answered here.
(Score: 5, Informative) by MostCynical on Friday July 31 2020, @09:53PM
For OpenWRT-supported Netgear devices, check here [openwrt.org].
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 2) by JoeMerchant on Saturday August 01 2020, @03:07AM (1 child)
I've been a Netgear customer since forever because their routers are re-flashable with OpenWRT - however, in practice, I have always chosen to use the Netgear firmware instead.
Thanks to a lucky lightning strike, I upgraded my router a month ago, so the new one isn't on that list. However, I think the 2 generations back standby is... What's shocking is how much better the new routers perform than the outdated ones - you quickly start to take for granted things like: it works across the whole house and yard, and can stream video to three clients simultaneously.
🌻🌻 [google.com]
(Score: 0) by Anonymous Coward on Saturday August 01 2020, @01:20PM
It's all about the MIMO. It's only going to get better as they figure out more ways to fit more antennas in a smaller package.