Netgear Won’t Patch Serious Flaws in Some of Their Routers
Netgear won't patch 45 router models because they are outdated or at EOL (End of Life). These routers are vulnerable to a high-severity remote code execution flaw. This news comes 2 months after the security flaw was disclosed.
The remote code execution flaw was disclosed on June 15. This flaw allows hackers to bypass authentication on vulnerable Netgear routers. The high-severity flaw affects almost 80 Netgear Wi-Fi routers and home gateway models. Netgear released firmware updates with fixes for all currently supported products, but not for models that haven't been on sale for over three years.
The oldest router that won't receive an update is the AC1450 series, which is 11 years old. Other router models, while newer, have reached EOL, including the R6200 and R6200v2 wireless routers, which are four to seven years old. The newest router that won't get the security patch is the Nighthawk R7300DST wireless router, which reached EOL in the first half of 2017. A list of the routers that won't be patched is available on Netgear's website.
The flaw exists in the httpd service, which listens on TCP port 80 by default. The flaw results from a lack of validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. A hacker can use this flaw to execute code as root. According to ZDI, which disclosed the flaw in June, the only mitigation strategy is to restrict interaction with the service to trusted machines. This can be done with firewall rules or whitelisting.
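The bug class described above, shown as an added example that is not Netgear's code and not taken from the ZDI advisory: a hypothetical handler that copies a request field into a fixed-length stack buffer, first without and then with length validation. The function names, the 64-byte buffer size and the return codes are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define FIELD_MAX 64   /* assumed size of the fixed-length stack buffer */

/* Return codes for the hypothetical handler. */
enum { FIELD_OK = 0, FIELD_TOO_LONG = -1, FIELD_BAD_ARG = -2 };

/* Flawed pattern: the copy trusts the sender to keep the value short.
 * Any value of FIELD_MAX bytes or more writes past buf on the stack.
 * Kept only for comparison; nothing in this example calls it. */
int store_field_unchecked(const char *value, char *out)
{
    char buf[FIELD_MAX];

    strcpy(buf, value);          /* no length validation before the copy */
    strcpy(out, buf);
    return FIELD_OK;
}

/* Hardened form: take the length explicitly (network data is not
 * guaranteed to be NUL-terminated), validate it against both buffers,
 * and reject oversized input instead of silently truncating it. */
int store_field_checked(const char *value, size_t value_len,
                        char *out, size_t out_len)
{
    char buf[FIELD_MAX];

    if (value == NULL || out == NULL || out_len == 0)
        return FIELD_BAD_ARG;
    if (value_len >= sizeof buf)  /* must leave room for the terminator */
        return FIELD_TOO_LONG;
    if (value_len >= out_len)
        return FIELD_TOO_LONG;

    memcpy(buf, value, value_len);
    buf[value_len] = '\0';
    memcpy(out, buf, value_len + 1);
    return FIELD_OK;
}
```

Rejecting the request outright, rather than truncating, keeps a later parsing step from acting on a value the sender never intended.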
Although it is unfortunate for anyone who owns one of those routers, the reality is that everything, including cars, electronics, and appliances, will reach an age where its manufacturer will no longer support it. Regardless, stay updated on security updates and adopt best security practices, including turning off features like remote access or changing admin passwords.