The Netgear firmware you want to end up with If so, then this new flaw may be the result of something falling between the cracks in the differing update models when the Circle software was ported to Netgear devices. It could be that the firmware-update connections on its since-discontinued Circle with Disney hardware devices were encrypted, removing the necessity of encrypting the update files as well. GRIMM showed that it wasn't hard to sneak malicious code into a Circle update and from there completely seize control of a router, which in turn would grant the attacker complete control of your home (or small office) internet traffic. Its update file is just a compressed database without any kind of internal protections. Netgear protects against this by encrypting its firmware update files and digitally signing them, making it pretty difficult for an attacker to read, alter or install altered firmware. "The update process of the Circle Parental Control Service on various Netgear routers allows remote attackers with network access to gain RCE as root via a Man-in-the-Middle (MitM) attack," Nichols wrote on the GRIMM blog.īecause Netgear's firmware updates are downloaded over plain old HTTP and are not encrypted, Nichols explained, they could in theory be intercepted, altered, and then passed along in poisoned form to the routers - a classic man-in-the-middle attack. They noticed that there was a Circle update daemon, or mini-program, called "circled" (presumably pronounced "circle-dee") on older Netgear Nighthawk routers.Īfter some probing, they found that the Circle update daemon ran as root, was enabled by default and could still be exploited even if it was disabled. This flaw, catalogued as CVE-2021-40847, was discovered by GRIMM researchers. Your router's security stinks: Here's how to fix it.You don't want a router that never receives firmware updates. All of those devices get regular security updates to fix flaws and are the better for it. The same principle goes for Windows PCs, Macs, iPhones and Android phones. At least we know when something goes wrong with Netgear routers and how to fix it. The only reason you don't hear about many security flaws with some other major router makers is because they don't tell you about the flaws. So we want to reiterate that Netgear's consistent policy of finding, patching and publicizing its security flaws is a Good Thing, despite the resulting negative headlines. We've run a lot of Netgear router security alerts in the past few years, with at least two in 2020. A side note about Netgear security patches In other words, you've got a problem that came with software you probably didn't ask for and that may have been introduced to your device via a firmware update after you bought it. "While it doesn’t fix the underlying issue, simply disabling the vulnerable code when Circle is not in use would have prevented exploitation on most devices." "The Circle update daemon that contains the vulnerability is enabled to run by default, even if you haven't configured your router to use the parental control features," explained Adam Nichols of the D.C.-area security firm GRIMM in a blog post. ( Bleeping Computer earlier reported this story.) Here's the catch: If you have one of the affected routers, the vulnerable Circle software is on your device regardless of whether you ever ponied up the $4.99 monthly charge for the Circle feature. The Orbis and newer Wi-Fi 6 Nighthawks got parental-control software built in-house by Netgear earlier this year, while the Circle service was discontinued for older Nighthawk models in late 2020. The problem here stems from the Disney-designed Circle parental-control feature, which was rolled out to Netgear Nighthawk and Orbi mesh routers, some of them already in customers' homes, as an optional add-on feature in 2017. Follow the web administrative-interface instructions in the paragraph above, and then click the check-for-update button instead of uploading a file from your PC or Mac. However, for most of these routers, it's going to be just as easy to download the firmware update directly to the router. You can upload the file to the router from there. Then use your favorite web browser to access your router's administrative interface (it's most likely at ), click the Advanced tab, select Administration and click Router Update.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |