Netgear router being exploited! Say it ain't so!

Status
Not open for further replies.

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Sooooo glad I switched to pfSense a while back.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Big frickin whoop. Welcome to the joy that is the Internet of Things, appliances that lack any long term update strategy or effort on the manufacturer's part to provide post-sales updates.

In most cases these devices are sold with barely sufficient resources to run the firmware that ships, and then the team that designed the firmware moves on to another project, leaving no one at the wheel.

This isn't really anything new or interesting - look at your friends and family to see how old the average NAT/wifi gateway they are using is and how many vulnerabilities it has.
 

wreedps

Patron
Joined
Jul 22, 2015
Messages
225
My 5 year old ASA is still protecting me pretty good. I sleep well at night. :)

We went to Palo Alto at work, can't decide if I am going to switch yet, probably not, the ASA is paid for.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Last time I was at a new site there was a Netgear NAT gateway in production. No one had the admin password and I was hesitant to just reset the device. Ran a pentest tool and it joyfully gave up the admin creds. Made transition to proper kit easy. So you should think of these vulns as valuable features.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
I don't. The real problem here is that whatever you think of as "proper kit" probably isn't; pretty much every vendor-provided device eventually hits EOL and finally end of support. The home devices just do it .... sooner.

The best long-term fix that I can see is switching to open source software on a generously sized hardware platform. For example, the Intel ISP1100 servers we purchased ~15 years ago are STILL perfectly capable of running pfSense very effectively, and should be good for the purpose for at least another five years. I can't think of ANY vendor that's had a router/gateway product out that was supported for two decades.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Meh, I was trying to make a tongue-in-cheek jab at Netgear while posting from a mobile phone.

I run pfSense on a few 10+ year old firewall appliances, which the vendor EOLed about 7 years ago. They can only handle about 100 Mbps traffic, but that's the most I can get out of ISPs around here anyway. I prefer to use separate wireless access points (currently favoring Ubiquiti UAP - honestly, for aesthetic reasons). Will they go EOL at some point? Sure, but the effect is less dramatic than having an internet-facing appliance that handles DNS / DHCP / other random crap going EOL.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Well, I kinda got the jab (obNote: we're a Netgear Powershift Partner but you probably won't find me enthusiastically promoting it).

Our ISP1100's can't handle 1Gbps either but the point is that they're still supportable in software; this is a thread about vulnerabilities, after all. Absolutely we will continue to see faster technologies and all that obsoleting the hardware, but I'd rather kill hardware because it is too slow than because the firmware running it contains a critical vuln that'll never be patched.

I like the Ubiquiti wifi gear quite a bit. I'm contemplating ditching the UAP-PRO's here for some of that new hotness, the UAP-AC-PRO. Reportedly no longer "hotness" in the form of "burn your hand" as with the older UAP-AC's.
 