Back in June it was revealed that around 80 of NETGEAR’s broadband wireless routers, modems and other products suffered from a remote code execution vulnerability, which could allow “unauthenticated remote code execution with root privileges.” The company has patched some of those but seems to have no plan to fix the rest.
Details of the vulnerability can be found here and here, although The Register has spotted that NETGEAR have decided not to issue firmware fixes for 45 of their devices because. Instead the associated products on their related advisory page are simply given the following fix status: “None; outside security support period” (i.e. we’ve stopped supporting that kit so enjoy being exposed to hackers).
In fairness it’s not realistic to expect such companies to continue providing support for their networking hardware indefinitely, although a few of the models (e.g. the Nighthawk R7300DST) are a fair bit younger than some of the other devices. Owners of those might thus reasonably still expect security patches for such a vulnerability.
Brian Gorenc, Senior Director at Trend Micro, said: “Unfortunately, there are too many examples of vendors abandoning devices that are still in wide use – sometimes even when they are still available to purchase. We hope vendors clearly communicate their support and lifecycle policies so that consumers can make educated choices.”
The Products NETGEAR Refuse to Patch
AC1450
D6300
DGN2200v1
DGN2200M
DGND3700v1
LG2200D
MBM621
MBR1200
MBR1515
MBR1516
MBR624GU
MBRN3000
MVBR1210C
R4500
R6200
R6200v2
R6300v1
R7300DST
WGR614v10
WGR614v8
WGR614v9
WGT624v4
WN2500RP
WN2500RPv2
WN3000RP
WN3000RPv2
WN3000RPv3
WN3100RP
WN3100RPv2
WN3500RP
WNCE3001
WNCE3001v2
WNDR3300v1
WNDR3300v2
WNDR3400v1
WNDR3400v2
WNDR3400v3
WNDR3700v3
WNDR4000
WNDR4500
WNDR4500v2
WNR3500v1
WNR3500Lv1
WNR3500v2
WNR834Bv2
Most likely there will be custom firmware released like DDWRT to fix the issues.
That’s great if you’re technical enough to know what DD-WRT is and how to install it. For most people their router is an appliance just like their toaster and they know nothing of firmware.
Netgear is famous for leaving their routers unpatched but as long as they make them open to custom firmware it’s “fine”.
A bit of a non-story considering it’s not unusual for companies to stop supporting older hardware. I mean should Netgear support these routers for the next 100 years, i.e. where do you draw the line?
A bit like why Apple stop supporting older iPhones with firmware/security updates after 4-5 years. Or worse, some Android handsets stop getting updates after only a couple of years. It costs time & money for companies to support older hardware, you can’t expect companies to release updates for products forever.
iPhone 6S is set for 7 years of updates.
I think routers should receive updates for at least 10 years. If we can’t get stuff like this right, we’re doomed as a species. So much waste generated in the name of profit when perfectly serviceable kit has to be thrown away because of a small software flaw that can easily be fixed…
Maybe these companies shouldn’t be in the router business if they can’t set up their software development process so that it’s trivial to build a new release at any time and backport patches?
With containers and virtual machines you can spin up a complete build and test environment quickly, and thus roll out a patch release.
I would expect support for five years, the general consumer doesn’t know how to flash custom firmware on to their device. But their network will be wide open to threats. The article says younger routers will not be fixed which I find unfair. Seems to be a cost cutting measure on Netgear’s part I think.
Do other makes like Asus do the same thing?
> Do other makes like Asus do the same thing?
From my experience Asus not only patches vulnerabilities in their not-so-new routers but also updates packages for new features and does it frequently. The only downside is that you need to update firmware manually.
For the majority of people, this issue isn’t a problem because they don’t update their routers anyway (the majority use an ISP router so they get updates from the ISP automatically when they can be bothered to release an update to fix a security problem)
Draytek are still updating the firmware on the 2860, and that came out in 2013
Draytek are a very solid company, I used one of their routers for years.
Swapped to a Synology router recently, since it seems they have a similar approach to keeping their device properly patched. Though it will be interesting to see how long they provide that support, though at the moment, it seems good.
As a long time Draytek user I was about to make the very same point, but others beat me to it.
However I have now moved on and the only Draytek device I am currently using is a Vigor 130 modem. If you want to take things to the next level, have a look at the free community edition of pfsense (you will need to provide your own hardware – unless you buy one of the pre-configured devices from Netgate).
https://www.pfsense.org/download/
Hardware I am using (make sure it has Intel NICs and AES-NI support on CPU)
https://www.mini-itx.com/~JBC313
Particularly recommend a free pfsense third party package called pfblockerNG which is like a Pi-Hole but on steroids. You can also block via ASN – handy for those firms that hard-code IP address to defeat DNS blocking – yes Microsoft I am looking at you!
Icing on the cake is extensive VPN client/server support – it’s basically a corporate product suitable for the keen hobbyist. Basic install should have you easily up and running and you can then (as knowledge develops) screw your network down as hard as you like.
Highly recommended
Simple, don’t use Netgear.
“The Products NETGEAR Refuse to Patch”, another pile of e-waste to add to the mountain, Netgear’s green credentials have been blown out of the water, I don’t think it’s unreasonable to expect a router to last at least 7 years, if Netgear can write these devices off it shows a complete disregard for total cost of ownership, I think their complete lack of customer care shows they are disrespecting their existing customers, sorry Netgear, as an existing customer, I will be voting with my wallet and not putting your kit in my network.
That’s my Friday rant over.
Absolutely, no reason to buy the kit if they refuse to support it. And considering how expensive Netgear’s top end routers are it’s not exactly a good advert for the company is it!
Throw away culture in a nutshell, Netgear would rather people buy new routers.
Bonus points for anyone who can name another 20 tech companies with the exact same ethos……I’ll start you off with LG.
And I thought that Netgear was one of the top brands out there. Great to know that my router won’t be supported in a short while.
Another reason to use Google WiFi?
Consumer routers from some vendors effectively get only 1 year support as new models get released annually to replace old ones, it’s a terrible state of affairs, one reason why I use pfsense on my own bare metal hardware now.