A temporary fix for CERT VU#582384 vulnerability for various Netgear routers (including R6400, R7000, R8000 and similar)

Like many people, I was affected by the recently disclosed CERT VU#582384 that affects Netgear R7000 (“Nighthawk”) and R6400 routers. As Netgear haven’t bothered to publish a quick patch for this gaping hole in their devices, I looked for a simple fix myself. This post discusses the simple one-step process and the details. Depending on your tech skills, this will take you anywhere between five seconds and one minute.

Netgear R7000


Update 13/12/2016: months after first having been notified of this problem, and four days after widespread media attention, Netgear has finally released beta firmware to fix this vulnerability for the R6400, R7000, and R8000. More info here: http://kb.netgear.com/000036386/CVE-2016-582384.

Only continue reading if there is no beta firmware available for your device

This fix for the CERT VU#582384 vulnerability actually employs the vulnerability itself to forcefully stop the web server that is at the core of the vulnerability. This unfortunately means that (1) this fix will only work until you reboot (i.e., switch off/on) your router, and (2) you won’t be able to access your router’s settings panel via your web browser. On the plus side: none of the instructions below will make any permanent changes to your router configuration. Hopefully Netgear will soon come up with a real fix for this issue.

tl;dr

  1. (optional) verify that your router is affected by going to this URL:
    http://[router-address]/cgi-bin/;uname$IFS-a
    If that shows you anything but an error (or an empty page): you’re affected. If you’re unsure: please read the detailed explanation below.
  2. Point your browser to the following URL to terminate the web server process (which facilitates the vulnerability) on your router:
    http://[router-address]/cgi-bin/;killall$IFS'httpd'
  3. (optional) verify that the URL in step (1) is no longer accessible

Did this fix save you from being hacked? Please consider buying me a coffee, and do say hi on Twitter.

Detailed explanation

Wherever I write [router-address] in a URL, you should replace that with the actual address of your router. For many people the magic word routerlogin.net will work. If that doesn’t work, it’s typically something like 192.168.0.1. If you’re on Mac or Linux, you can find this out by typing ‘route -n’ in a console (terminal) window. That will show you a table: look for the value in the Gateway column that belongs to Destination 0.0.0.0, like in the picture below:

Run 'ifconfig' to find out the IP address of your Netgear router

Step 1 (optional): verify you’re vulnerable

Open your browser and visit the following address:

http://[router-address]/cgi-bin/;uname$IFS-a
(For most people, this URL will work: http://www.routerlogin.net/cgi-bin/;uname$IFS-a)
 

If a web page appears (which is not an error): you’re vulnerable. In my case, the page contains a text that starts with: Linux R7000 2.6.36.4brcmarm+ (...).

Step 2: terminate the web server process on your router

This is when you actually need to exploit the vulnerability in the router to simply terminate the web server process (which facilitates the remote vulnerability) on the router. Point your browser to the following URL:

http://[router-address]/cgi-bin/;killall$IFS'httpd'
(For most people, this URL will work: http://www.routerlogin.net/cgi-bin/;killall$IFS'httpd')

This will very likely give you a ‘web server not available’ error, but it will have stopped (killed) the web server process. This means that it is now impossible to exploit the vulnerability. Note that it is now also impossible to use the web configuration interface of your router (until you next turn it off and on again). You can double-check whether you’re vulnerable by checking the URL in step 1.

You are now safe from the CERT VU#582384 vulnerability. But don’t forget: after turning your router off and on again (or a power cut!), the web server process will start again, and you will be vulnerable again!
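To see whether requests of this shape have been made on your network, the following added example (not part of the original post) scans HTTP access logs for the `/cgi-bin/;` pattern used in steps 1 and 2 and prints the command each request carried. It assumes Common Log Format lines from a proxy or sensor that sees LAN traffic to the router; the sample lines, the function names and every path other than the two from this post are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (Common Log Format) as a LAN proxy or sensor might
# record them; addresses, timestamps and the two benign paths are made up.
SAMPLE_LOG = """\
192.168.0.23 - - [12/Dec/2016:09:14:02 +0000] "GET /cgi-bin/;uname$IFS-a HTTP/1.1" 200 97
192.168.0.23 - - [12/Dec/2016:09:14:40 +0000] "GET /cgi-bin/;killall$IFS'httpd' HTTP/1.1" 200 0
192.168.0.31 - - [12/Dec/2016:10:02:11 +0000] "GET /cgi-bin/%3Buname%24IFS-a HTTP/1.1" 200 97
192.168.0.40 - - [12/Dec/2016:10:05:55 +0000] "GET /start.htm HTTP/1.1" 200 5120
192.168.0.40 - - [12/Dec/2016:10:06:01 +0000] "GET /cgi-bin/status.cgi?op=1 HTTP/1.1" 200 312
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+)')
# The pattern from this post: a ';' directly after /cgi-bin/ starts a shell command.
INJECT_RE = re.compile(r'/cgi-bin/;(?P<cmd>.*)')
# $IFS (or ${IFS}) is the shell's field separator, standing in for a space.
IFS_RE = re.compile(r'\$\{?IFS\}?')

def decode(target, rounds=3):
    """Percent-decode repeatedly (bounded) so %3B and %253B both become ';'."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def find_injections(log_text):
    """Return one dict per request whose path matches the /cgi-bin/; pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        inj = INJECT_RE.search(decode(m.group("target")))
        if inj:
            command = IFS_RE.sub(" ", inj.group("cmd")).strip()
            hits.append({"src": m.group("src"), "time": m.group("ts"),
                         "command": command})
    return hits

if __name__ == "__main__":
    for hit in find_injections(SAMPLE_LOG):
        print(f'{hit["time"]}  {hit["src"]}  requested: {hit["command"]}')
```

A hit only shows that such a request was sent; whether the router executed it depends on the firmware, which is what step 1 checks.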

List of affected devices

The list of affected devices seems to be growing. These are the devices I’ve heard about:

  • R6250 (AC1600): confirmed by Netgear [3]
  • R6400 (AC1750): confirmed by Netgear [3]
  • R6700 Nighthawk (AC1750): confirmed by Netgear [3]
  • R7000 Nighthawk (AC1900, AC2300): confirmed (by myself and Netgear [3])
  • R7100LG Nighthawk: confirmed by Netgear [3]
  • R7500 Nighthawk X4 (AC2350): confirmed [2] and by Netgear [3]
  • R7800 Nighthawk X4S (AC2600): confirmed [2], not by Netgear [3]
  • R7900 Nighthawk: confirmed by Netgear [3]
  • R8000 Nighthawk (AC3200): confirmed by Netgear [3]
  • R8500 Nighthawk X8 (AC5300): confirmed [2], not by Netgear [3]
  • R9000 Nighthawk X10 (AD7200): confirmed [2], not by Netgear [3]

It appears that most custom firmwares (e.g. AdvancedTomato) are not vulnerable. If you want to be sure: just check step 1! If you have more information, please let me know in the comments below. I’ve had at least one report of a user who experienced that the French version of his firmware was unaffected (R7000, v1.0.7.2_1.1.93), but the English version was in fact vulnerable.

References

[1] Carnegie Mellon University CERT Vulnerability Notes Database: VU #582384
[2] Kalypto (In)Security: NetGear Vulnerability Expanded
[3] Netgear: Security Advisory for VU 582384 (last version seen: 13/12/2016 12:00 noon GMT)

(I’ve closed the comments now Netgear have released a (beta) firmware to resolve this vulnerability. If you really need to contact me, come and find me on Twitter)

92 thoughts on “A temporary fix for CERT VU#582384 vulnerability for various Netgear routers (including R6400, R7000, R8000 and similar)”

    1. Nikolas

      Hey, when I click on the link in step 1 I get the following: “No such file or directory”. What does this mean? I get the same when I click on link number 2.

  1. Mick

    Hey Bas, a clever and simple temporary fix, this took me less than a minute to execute. Hopefully NetGear will soon come with a definitive fix. Thanks so much!

    PS. I was really shocked to see the command “http://www.routerlogin.net/cgi-bin/;uname$IFS-a” work!

  4. Henk

    Bas, you mentioned “error” or “empty page”
    What if it show a blank page with the following line:
    Linux R7000 2.6.36.4brcmarm+ #30 SMP PREEMPT ….

    Just asking because I’m a complete noob when it comes to things like this.

    Thanks for your time,

    Henk

    1. Bas van Schaik Post author

      Henk: that means your router is indeed vulnerable, and you should proceed to step 2.

  5. Ph3r0

    I have an R6400 and “http://www.routerlogin.net/cgi-bin/;uname$IFS-a” shows an error, I guess I’m lucky

  6. brian

    Presumably DD-WRT or Tomato variants don’t have this vulnerability (just tested on Advanced Tomato sans issues)

  10. AnonymousBosch37

    Do we have any idea on the range of affected router versions in the R7000 line? I have a family member with a router that hasn’t been patched in .. well, ever, and when I had them try, they got a 404 Not Found.

    1. Bas van Schaik Post author

      AnonymousBosch37: no, I was only able to test it with my own R7000 model. Some people suggest that there is a firmware version that’s not affected. What’s yours?

  15. Adriaan

    The verification returns a “No such file or directory” page. Not infected, I suppose? Using an R7000 Nighthawk, no firmware updates installed after purchase.

    1. Bas van Schaik Post author

      Hi Adriaan – Can you please let me know which firmware version you’re using? Thanks.

      1. Noel

        Dear Bas,

        Thanks for your article. My router probably isn’t vulnerable either? ‘The webpage cannot be found’ with my 7800 and firmware V1.0.2.04

      2. Holmes

        Same router/firmware and same result.. R7500
        “Router Firmware Version
        V1.0.0.94”
        All commands tried return: “No such file or directory”

  16. firedog

    Hey,

    I have a Nighthawk R7000 with firmware version V1.0.5.64_1.1.88.
    When I invoke the command I get a text page that starts with:

    used
    {
    mustbeHEX = false;

    Does it mean my router is infected ?
    If not, maybe a solution could exist in downgrading the firmware version ?

    greetz

    Firedog

    1. Bas van Schaik Post author

      Yes, that means you’re vulnerable. However, that doesn’t mean that anyone actually abused the vulnerability in your router. You should definitely follow the steps in this article.

      If you can find a firmware version that is unaffected, please let me know. I’ve just updated the article with some versions other people have used – try them!

      1. Jarmo

        Hi Bas,

        One of my colleagues alerted me to this issue today. Thanks for posting! I have vulnerable R8000 with firmware version 1.0.3.4_1.1.2

        Jarmo

  17. Hector

    apparently this version of R7000’s firmware is not affected : R7000-V1.0.7.2_1.1.93.chk

    Owners of R7000 should update to this version available on Netgear’s web site or by using the router’s internal update feature.

    1. Bas van Schaik Post author

      I find that a little surprising: as far as I’m aware, that’s Netgear’s latest firmware, and it is affected. Can someone confirm this? I won’t be able to test different firmware versions for the next week or so.

      1. Hector

        My router is in french. I ran the test again with the router in english and it is affected. Is the test different depending on the language ?

    1. Ben Hastings

      R6250 with firmware V1.0.4.2_10.1.10 doesn’t appear to be vulnerable. It’ll reply with this, unless user is already signed in:
      401 Unauthorized
      Access to this resource is denied, your client has not supplied the correct authentication.

  18. Steven S

    Has anyone verified that the router’s web app even listens to connections from the outside world? If not, the severity of this issue is much much lower.

  20. Rob

    R7000 FW: 1.0.3.60_1.1.27 configured as AP, 404 Not Found
    and
    R7500v2 FW: 1.0.3.4 configured as AP, No such file or directory

  24. Mr. B

    I have the Nighthawk R6700 and it’s apparently vulnerable too. It has the latest firmware version 10.0.26.

  26. Gabe

    I have the Netgear Nighthawk X4 R7500v2 with Ver 1.0.3.4. I verified and the page returned “No such file or directory” so I’m safe

  29. Steve Miller

    Thanks for the workaround!
    For information:
    X6 R7900 Firmware Version V1.0.1.4_10.0.12
    Running this in “Access Point Mode”

    Can execute the uname:
    Linux R7900 2.6.36.4brcmarm+ #17 SMP PREEMPT Mon Dec 14 15:10:46 CST 2015 armv7l unknown

    Fixed by workaround

  30. Rowan

    FW Version 1.0.3.80_1.1.38
    R7000 is unaffected.

    Looks like this is probably a bit old though, probably has plenty of other vulnerabilities. Wonder if I should update?

    1. Bas van Schaik Post author

      You could upgrade to the just-released beta firmware that fixes this vulnerability?

  31. Steve

    I have a Netgear R7000 with firmware V1.0.7.2_1.1.93

    I get the following message when I test my router:
    You are not connected to your Router’s WiFi network. To access routerlogin.net, your device must be connected to your Router’s WiFi network. Check your current connection and try again.

    I do have the WiFi turned OFF on my router as I use a Ubiquity Access Point to provide WiFi for our house. Does this mean I am safe?

    1. Bas van Schaik Post author

      Unlikely – it just means that your computer has a non-default configuration: it’s using an external DNS server. However, Netgear published a beta firmware this morning: see the updated article. You’re better off installing that version than to use the workaround described in this article.

  32. Tony

    I can confirm the R6700 Nighthawk is affected as well. Running the latest firmware that ends in .26

    When I enter the webpage in Step 1 I get a bunch of text that seem like lines of code.

    I followed through all the steps and I now get a cannot access.

    I contacted Netgear to let them know. Hopefully they will update their security advisory to reflect the newly affected products.

    Funny thing is, I ran the step1 webpage a day or two ago. I was getting errors. And today…. lines of code. SMH since I just bought this last week.

  33. Scott B

    Had R7000 on v1.0.3 something…and was not vulnerable…but didn’t read through all the comments 🙁 upgraded to 1.0.7.2 and thus became vulnerable. Proceeded to step 2. English version.

  36. Akiva

    As far as the R7800 (X4S) is concerned, I am running the stock firmware V1.0.2.04, and seem to be unaffected ( I get the “No such file or directory” response). Hope that helps, thanks for reporting on this.

  38. Brian

    I’m running an R7800 with firmware 1.0.2.12. When I try to exploit this against my router, all I get is a page with the number 0 on it and nothing actually happens (“reboot” doesn’t actually reboot the router). Am I affected?

  39. Cole

    FYI, using Safari 10.0.1 (12602.2.14.0.7) on macOS Sierra 10.12.1, I found the test URL wouldn’t load. It didn’t mean the router was unaffected, though—it was Safari itself stopping the URL load, as I realized when I checked the Web Inspector console and saw these errors reported:

    [Error] Sandboxing ‘http://www.routerlogin.net/cgi-bin/;uname$IFS-a’ because it is using HTTP/0.9.
    [Error] Stopped document load from ‘http://www.routerlogin.net/cgi-bin/;uname$IFS-a’ because it is using HTTP/0.9 on a non-default port.

    Running the test in Firefox immediately showed that my Netgear R7000 (Firmware Version V1.0.7.2_1.1.93) was indeed vulnerable. Step 2 took care of it, though.

    Just thought this might help others with Macs.

  40. peter

    Using the test URL on my R7800 resulted in a page just displaying “0”. Does that mean my router is affected?

    1. Bas van Schaik Post author

      Likely – try to proceed to step 2, and then check whether you’re still vulnerable. If the ‘0’ does not appear after applying the fix, you were indeed vulnerable. I’m sure Netgear will release a beta firmware for your device soon as well, so keep an eye out on their website (link in the article).

  41. Ingvild

    Thanks for the tip! If the vulnerability already had been exploited, would there be any way for me to tell? In such case, would this temp. fix “lock them out” again? Or would it be too late?

    1. Bas van Schaik Post author

      That’s hard to tell: the possibilities for a hacker to (ab)use this hole are virtually endless, so it’s difficult to create a single test that will show whether the vulnerability has been exploited. Installing the latest (beta) firmware will reset the software on your device, so you should be good from there onwards.

Comments are closed.