Around three weeks ago security researcher Andrew Rollins revealed a massive flaw in a wide range of Netgear routers. It allows an attacker to inject arbitrary commands into the router, which the system then executes, making it easy for hackers to turn your router into part of a botnet.
At the time the Department of Homeland Security’s CERT urged users of Netgear routers (among the most widely used) to stop using the devices, saying:
“Exploiting this vulnerability is trivial. Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available.”
Netgear confirmed that 11 of its router models (R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, and D64000) were affected. It has now released certified patches for the R6250, R6400, R7000, and R8000; for the other models only beta patches, which are not guaranteed to work, are available.
Unfortunately Netgear is not able to push fixes out to the routers directly, so users need to download the firmware and install it themselves. For many the flaw will therefore go unfixed.
“It’s got to get to the level that it’s simple in terms of notification and procedure to upgrade for users, otherwise we end up with the problem we have,” says Morey Haber, vice president of technology at the security firm BeyondTrust. “There are many devices that are out there that are complex and not easy to update and people don’t even know it.”
Affected users should look for the fix here, and, as a holiday service, if you have family or friends also using Netgear routers, urge them to check whether they are affected and to install the fix as well.